nc.exe is really the win32 port of the infamous NetCat *nix program by
Hobbit.  This program can be used to get a remote command prompt.  Most
likely that is what cmd1.exe was used for.  As for the third file, maybe an
ftp server binary..?  Have you shut down the server..?  Do you log TCP/IP
traffic..?  If so then you could find out what is going on at the protocol
level.  Too bad it isn't a *nix system or you could use TCT to do some post
mortem analysis..

  Good Luck,
   ~John

-----Original Message-----
From: Bravo, Liliana [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 12:35 PM
To: Exchange Discussions
Subject: MSX5.5 hacked
Importance: High


Hi all
MSX5.5/SP4

We have found ftp1.exe, nc.exe and cmd1.exe in c:\inetpub; also, nc.exe and
ftp1.exe are running in memory. After reading our logfiles, those files have
been there since Feb 24. Does anybody know what kind of hack that is and how to
get rid of those without causing any post-hack attack?

Tia
-er

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
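Added example, not part of the thread: one way to check web server logs for the first request that names each of the three files reported above. It assumes the logs are in W3C extended format with a #Fields header; the function name, sample lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# File names reported in the thread; everything else here is constructed.
SUSPECT_NAMES = ("ftp1.exe", "nc.exe", "cmd1.exe")

# Constructed sample log lines (documentation-range IPs), not from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-23 22:10:04 192.0.2.10 GET /default.htm - 200
2002-02-24 03:15:42 198.51.100.7 GET /cmd1.exe - 200
2002-02-24 03:17:09 198.51.100.7 GET /CMD1.EXE - 200
2002-02-24 03:21:30 198.51.100.7 GET /images/nc.exe.gif - 404
2002-03-01 11:02:55 203.0.113.5 GET /nc%2Eexe - 200
"""

def first_sightings(log_text, names=SUSPECT_NAMES):
    """Return {name: [first_timestamp, client_ip, hit_count]} per name seen.

    Assumes entries are in chronological order, as the server writes them.
    """
    fields, found = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode %xx and lowercase so "CMD1.EXE" and "nc%2Eexe" still match.
        target = unquote(row.get("cs-uri-stem", "") + "?" +
                         row.get("cs-uri-query", "")).lower()
        for name in names:
            # Whole-name match only: "nc.exe.gif" or "func.exe" must not hit.
            pattern = r"(?<![\w.-])" + re.escape(name) + r"(?![\w.-])"
            if not re.search(pattern, target):
                continue
            if name in found:
                found[name][2] += 1
            else:
                stamp = row.get("date", "?") + " " + row.get("time", "?")
                found[name] = [stamp, row.get("c-ip", "?"), 1]
    return found

if __name__ == "__main__":
    for name, (stamp, ip, hits) in first_sightings(SAMPLE_LOG).items():
        print(f"{name}: first seen {stamp} from {ip}, {hits} request(s)")
```

A name that never appears in the web logs simply has no entry, which says only that it was not requested over HTTP, not that the file is benign.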
