andydis
Dec 4 2003, 03:42 PM
hey guys,
This is taken from a Windows 2000 box that was compromised via the WebDAV exploit. The files I have uploaded were in c:\program files\common\{63726245964blah]\com1\inhere\
I wanted to post this because I haven't seen this type of rootkit before and wouldn't mind a second opinion.
It installed 2 services, "ntservice" and "nt-service", calling the file srunner.exe.
Yes, it's a bot proggy, but it goes in more depth than that; notice the text directory has an HTML page.
Any thoughts greatly appreciated!
Shouts out in advance to coder, wicked and gsec (oh, and how can I forget dissolutions), who are always a great help!
***Be aware: antivirus scanners may pick files up in this rar as viruses. It's for advanced users and research purposes only! I recommend disabling the on-access scanner.
And no, I'm not trying to infect you with anything.
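A defender-side triage check for the pattern described in the post above: two service names that differ only by punctuation, and a service binary sitting under a reserved-device-name directory ("com1") inside a GUID-like folder. This is an added example, not code from the thread; the service list is constructed and the braced folder name is a placeholder for the post's directory.

```python
import re
from dataclasses import dataclass

# Reserved DOS device names. Normal Win32 file APIs refuse to create a directory
# with one of these names, so a "\com1\" path component usually means the
# directory was created via the NT native namespace to hide it from Explorer.
RESERVED_DEVICE_NAMES = {"con", "prn", "aux", "nul"} | {f"{p}{i}" for p in ("com", "lpt") for i in range(1, 10)}
# Crude match for a "{6372624596...}"-style folder name: brace plus a run of hex.
GUID_LIKE_DIR = re.compile(r"^\{[0-9a-f]{8,}", re.IGNORECASE)

@dataclass
class Service:
    name: str        # service name as shown by "sc query"
    image_path: str  # the ImagePath value, possibly quoted

def _dirs(image_path):
    """Lower-cased directory components of an ImagePath, executable excluded."""
    parts = [p for p in re.split(r"[\\/]+", image_path.strip('"')) if p]
    return [p.lower() for p in parts[:-1]]

def suspicious_services(services):
    """Return {service_name: [reasons]} for services that deserve a closer look."""
    findings = {}
    by_stripped_name = {}  # "ntservice" -> first service seen with that stripped name
    for svc in services:
        reasons = []
        dirs = _dirs(svc.image_path)
        if any(d in RESERVED_DEVICE_NAMES for d in dirs):
            reasons.append("image lives under a reserved-device-name directory")
        if any(GUID_LIKE_DIR.match(d) for d in dirs):
            reasons.append("image lives under a GUID-like directory")
        # ntservice / nt-service: the same name once punctuation is stripped
        stripped = re.sub(r"[^a-z0-9]", "", svc.name.lower())
        if stripped in by_stripped_name:
            other = by_stripped_name[stripped]
            reasons.append(f"name collides with {other!r} after stripping punctuation")
            findings.setdefault(other, []).append(
                f"name collides with {svc.name!r} after stripping punctuation")
        else:
            by_stripped_name[stripped] = svc.name
        if reasons:
            findings.setdefault(svc.name, []).extend(reasons)
    return findings

# Constructed sample: one legitimate Windows 2000 service plus the two services
# from the post; the braced folder name is a placeholder for the post's directory.
SAMPLE_SERVICES = [
    Service("Spooler", r"C:\WINNT\system32\spoolsv.exe"),
    Service("ntservice", r"C:\Program Files\Common\{63726245964abcdef}\com1\inhere\srunner.exe"),
    Service("nt-service", r'"C:\Program Files\Common\{63726245964abcdef}\com1\inhere\srunner.exe"'),
]
```

On a live box the same checks can be fed from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services instead of the constructed list.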
dissolutions
Dec 4 2003, 04:10 PM
Pretty interesting.... Pretty big too :/ Somebody had a bit of time.
mrBob
Dec 4 2003, 05:17 PM
Hmm... let's take a look.
Nothing special here...
Looks like another IOFTPD server tryin' to be installed as NTSERVICE etc....
Nothing special or unusual... lol
L8tr
vnet576
Dec 4 2003, 09:47 PM
Hehe.. WebDAV was released last May I think, and you still haven't bothered to patch it or apply a service pack... Kinda stupid and self-destructive if you ask me. Would you leave your car open, with the keys in the ignition, in a bad neighborhood?
Cheers go out to whoever rooted you for taking advantage of someone who hasn't learned about the benefits of actually "locking" your backdoors.
andydis
Dec 4 2003, 10:14 PM
vnet576>
never heard of a honeypot?
vnet576
Dec 4 2003, 10:16 PM
QUOTE (andydis @ Dec 4 2003, 05:14 PM):
vnet576>
never heard of a honeypot?
Hehe.. doesn't sound like it was a honeypot by your post. I'm thinking that you're trying to excuse your security negligence by claiming it was a honeypot and you knew what you were doing all along.
andydis
Dec 4 2003, 10:21 PM
OK, so maybe it wasn't a honeypot lol, but it wasn't my server :-)
Anyway, just never heard of IOFTPD before, gonna check it out.
Just trying to gain knowledge.
Geez, why is this board becoming so aggressive all of a sudden?
vnet576
Dec 4 2003, 10:31 PM
QUOTE (andydis @ Dec 4 2003, 05:21 PM):
OK, so maybe it wasn't a honeypot lol, but it wasn't my server :-)
Anyway, just never heard of IOFTPD before, gonna check it out.
Just trying to gain knowledge.
Geez, why is this board becoming so aggressive all of a sudden?
I knew it wasn't a honeypot... don't try to lie to me again... lol

The members of this board have developed an ability to detect bullshit from a mile away, so don't get defensive if people here pick up bullshit and lies; we're not being aggressive. I was just wondering why you... err, the "other owner" of the server didn't bother to secure an exploit that was really old and had caused a lot of damage. I think there was even a worm using WebDAV.
andydis
Dec 4 2003, 10:33 PM
Wasn't patched due to admin laziness, I guess. I was asked to have a look at it and that's what I found......
Cheers anyway.
T3cHn0b0y
Dec 5 2003, 09:19 PM
QUOTE (andydis @ Dec 4 2003, 10:14 PM):
vnet576>
never heard of a honeypot?
So you're saying either you work for a federal law enforcement agency or you're going to grass on whoever's hacked your computer?
If not, then I certainly don't see the logic in leaving your own system open to compromise. I have a box with no firewall that's left on 24/7... but the difference between mine and yours is that mine is patched. That way, if anyone wants to hack my system by means of exploiting an unadvised vulnerability (unreleased exploit), then I'll check the logs in the morning and find a way of securing it. Also a good way to get 0day exploits.
T3cHn0b0y
Dec 5 2003, 09:24 PM
Missed the previous two posts.