Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

ABoxInstall

from [Carlos Kramer] Network Security [Permanent Link]
Subject: ABoxInstall
Date: Wed, 10 Nov 2004 09:03:12 +0000 
Hi,

Don't know if this is the correct forum for this. One of my
users got some malicious code which downloaded an FTP
server and trojan and registered itself with a Phillippines site
this code wasn't detected by Nortons.

The exploit site is here:-

http://207.234.185.217/send_car_int.asp

it downloads this:-

http://207.234.185.217/ABoxInst_int2.exe

which then uses ftp to connect to 209.58.80.244 with the
username/password anonymous/qnelpdc to download these
files:- Abox.exe, ABox.bup and logon.exe.

These files are executed and the machine registers itself at:-

http://209.58.80.244/new_install.asp?...

The executable also has a Thawte certificate which seems
to be signed for www.voicekampala.com (uganda?).

I thought this might be of interest to someone as the only
reference I could find to it was a "Hijack This" log posted to
a German site.

It seems to be some sort of porn dialler which hides itself in
a trojaned logon.exe.

Cheers.

_________________________________________________________________
Check out Election 2004 for up-to-date election news, plus voter tools and more! http://special.msn.com/msn/election2004.armx

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Maintaining a "watch list", adriano.carvalho
Next by Date:  Re: Malformed DNS or something odd (or just me), Paul Daniel
Previous by Thread:  Maintaining a "watch list", Kirby Angell
Next by Thread:  Re: ABoxInstall, Matthew Cerha
Indexes:  [Date] [Thread] [Top] [All Lists]