-
January 18th, 2005, 07:10 PM
#1
Systemspool.dll Backdoor
I did a Google search but found next to nothing. Anyone know anything about a Windows backdoor service with the following files:
systemcheck/systemspool.dll
systemcheck/SystemSpool_dll.ocx
systemcheck/SystemSpool_dll.ocx
Thanks
-
January 18th, 2005, 07:28 PM
#2
Iron:
I'd suggest there is something odd where two files called "systemcheck/SystemSpool_dll.ocx" seem to be able to occupy the same location. Or am I missing something?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 18th, 2005, 07:50 PM
#3
Oops, I meant to copy and paste "systemspool.ocx"
-
January 18th, 2005, 07:53 PM
#4
Would that also be why your Google search failed.....
Try this
-
January 18th, 2005, 07:57 PM
#5
That looks like it may be it. Here are some other files in the same directory, many of which I already know the function of.
C:\winnt\system32\systemcheck>dir /b /p
files
galaxy
pskill.exe
pslist.exe
speedsuite
systemspool.dll
systemspool.ocx
SystemSpool_dll.ocx
C:\winnt\system32\systemcheck>dir /p
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\winnt\system32\systemcheck
01/18/2005 11:13 AM <DIR> .
01/18/2005 11:13 AM <DIR> ..
01/18/2005 11:13 AM <DIR> files
01/18/2005 11:12 AM <DIR> galaxy
01/12/2005 10:13 AM 90,112 pskill.exe
01/12/2005 10:13 AM 86,016 pslist.exe
01/18/2005 11:12 AM <DIR> speedsuite
01/12/2005 10:13 AM 603,136 systemspool.dll
01/16/2005 05:14 PM 2,387 systemspool.ocx
01/12/2005 10:13 AM 745 SystemSpool_dll.ocx
5 File(s) 782,396 bytes
5 Dir(s) 13,389,078,528 bytes free
C:\winnt\system32\systemcheck>dir /s
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\winnt\system32\systemcheck
01/18/2005 11:13 AM <DIR> .
01/18/2005 11:13 AM <DIR> ..
01/18/2005 11:13 AM <DIR> files
01/18/2005 11:12 AM <DIR> galaxy
01/12/2005 10:13 AM 90,112 pskill.exe
01/12/2005 10:13 AM 86,016 pslist.exe
01/18/2005 11:12 AM <DIR> speedsuite
01/12/2005 10:13 AM 603,136 systemspool.dll
01/16/2005 05:14 PM 2,387 systemspool.ocx
01/12/2005 10:13 AM 745 SystemSpool_dll.ocx
5 File(s) 782,396 bytes
Directory of C:\winnt\system32\systemcheck\files
01/18/2005 11:13 AM <DIR> .
01/18/2005 11:13 AM <DIR> ..
0 File(s) 0 bytes
Directory of C:\winnt\system32\systemcheck\galaxy
01/18/2005 11:12 AM <DIR> .
01/18/2005 11:12 AM <DIR> ..
01/12/2005 02:14 PM 114,688 Fport.exe
01/12/2005 02:08 PM 29,696 hidden32.exe
01/12/2005 02:19 PM 604 pass.txt
01/12/2005 02:15 PM 20 pid.bat
01/12/2005 02:15 PM 17,089 pid.txt
01/12/2005 02:19 PM 25 pwdump.bat
01/12/2005 02:07 PM 19,456 pwdump2.exe
01/12/2005 02:08 PM 19,968 samdump.dll
01/12/2005 02:08 PM 17,920 TLIST.EXE
9 File(s) 219,466 bytes
Directory of C:\winnt\system32\systemcheck\speedsuite
01/18/2005 11:12 AM <DIR> .
01/18/2005 11:12 AM <DIR> ..
01/12/2005 02:07 PM 66 ftpam.cmds
01/12/2005 02:07 PM 61 ftpar.cmds
01/12/2005 02:07 PM 39,184 ftpc.exe
01/12/2005 02:07 PM 73 ftpch.cmds
01/12/2005 02:07 PM 85 ftpdd.cmds
01/12/2005 02:07 PM 47 ftper.cmds
01/12/2005 02:07 PM 82 ftpnl.cmds
01/12/2005 02:07 PM 48 ftpob.cmds
01/12/2005 02:07 PM 92 ftpsg.cmds
01/12/2005 02:38 PM 10,148 info.txt
01/12/2005 02:07 PM 131,072 psinfo.exe
01/12/2005 02:07 PM 86,016 pslist.exe
01/12/2005 02:07 PM 51 speed.bat
01/12/2005 02:08 PM 54,453 speed.eu.exe
01/12/2005 02:08 PM 75,341 speed.exe
01/12/2005 02:08 PM 55,008 speed.us.exe
01/12/2005 02:08 PM 13,230 speedsuite.bat
01/12/2005 02:08 PM 498 speedtest.log
01/12/2005 02:31 PM 1,506 Status-32of45
01/12/2005 02:38 PM 430 Status-44of45
01/12/2005 02:38 PM 2,428 Status-45of45
21 File(s) 469,919 bytes
Total Files Listed:
35 File(s) 1,471,781 bytes
11 Dir(s) 13,389,078,528 bytes free
C:\winnt\system32\systemcheck>
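As an added example (not from the thread or any poster), here is a small Python checker that parses `dir /s` output of the shape quoted above and flags file names from the listing that are commonly associated with intruder toolkits. The category labels are the tools' usual purpose and the sample input is a constructed excerpt, not the full listing.

```python
import re

# Constructed excerpt of the `dir /s` output quoted above, used as sample input.
SAMPLE_LISTING = r"""
 Directory of C:\winnt\system32\systemcheck
01/18/2005 11:13 AM <DIR> galaxy
01/12/2005 10:13 AM 90,112 pskill.exe
01/12/2005 10:13 AM 603,136 systemspool.dll
 Directory of C:\winnt\system32\systemcheck\galaxy
01/12/2005 02:08 PM 29,696 hidden32.exe
01/12/2005 02:07 PM 19,456 pwdump2.exe
01/12/2005 02:08 PM 19,968 samdump.dll
01/12/2005 02:15 PM 20 pid.bat
 4 File(s) 69,140 bytes
"""

# Names from the listing that a defender would treat as indicators; the
# categories are the usual purpose of each tool, not facts from the thread.
INDICATORS = {
    "pwdump2.exe": "credential dumping",
    "samdump.dll": "credential dumping",
    "hidden32.exe": "process hiding",
    "fport.exe": "port-to-process recon",
    "pskill.exe": "process control",
    "pslist.exe": "process recon",
}

DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
FILE_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M"
                     r"\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$")

def parse_dir_listing(text):
    """Return (directory, name, size) for each file row; <DIR> rows and
    the 'n File(s)' totals do not match FILE_RE and are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("path")
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            size = int(m.group("size").replace(",", ""))
            entries.append((current, m.group("name"), size))
    return entries

def flag_suspicious(entries):
    """Map full path -> category for every file whose name is a known tool."""
    return {f"{d}\\{n}": INDICATORS[n.lower()]
            for d, n, _ in entries if n.lower() in INDICATORS}
```

Run `flag_suspicious(parse_dir_listing(open("dir_output.txt").read()))` against a saved listing to get the flagged paths with their category.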
-
January 18th, 2005, 08:14 PM
#6
This looks a lot like an owned box that may still be being "worked on"
I'd love to see some of those bat and txt files... any chance of zipping them up and either posting them or PMing them?
-
January 18th, 2005, 08:18 PM
#7
Irongeek, doing a quick search of one of the files (ftpch.cmds) produced this:
http://lists.freebsd.org/pipermail/f...il/044143.html
I think my last PM to you would support this. I think it's one of those FXP (??) servers (server-to-server transfer of info/files)
-
January 18th, 2005, 11:33 PM
#8
I posted all the files in Addicts for those that want to see them:
http://www.antionline.com/showthread...hreadid=265388
-
January 19th, 2005, 12:05 AM
#9
I replied there... Probably should have done the reply here. Oh well....
-
January 19th, 2005, 12:28 PM
#10
Why don't you search Security Focus?
www.securityfocus.com
They hold the latest security topics regarding Windows and Linux, if that's what you want.