Re: Finding root-kits on Windows

From: Kevin.M-CTR.Shannonat_private
Date: Tue May 06 2003 - 07:03:51 PDT


    I would venture to say that the file 'dropnc.exe' is NetCat.  I would
    definitely want to see what's in the 'Drop.ini' file as it should give you
    a little more info.
    You can do a 'netstat' or 'fport' from DOS on that machine to see which
    ports are listening, then try to connect to each port with NetCat running on
    another machine.
    Once you identify the port, you will know how the attacker is getting in.
    Have you unplugged the machine yet? If not, use Ethereal to monitor that IP
    for a while and you can look for traffic across the previously identified
    port.  This should help you identify an IP on the other side (where the
    intruder is coming from). Although, if the intruder is smart, they are
    using automated scheduling to push traffic through at late hours when it is
    unlikely that anyone will be watching. If you do not see 'dropnc.exe' as a
    running process, then you want to focus on the processes with higher
    process IDs (PIDs) and look at generic process names such as 'svchost.exe'
    (generic host process) or a duplicate of 'inetinfo.exe' or 'dllhost.exe'.
    These are the favorite process names for most intruders.
    
    Hope this helps.
    
    KMS
    
    Kevin Shannon,
    Sr. Network Administrator-US DOT/FAA/AVN/ avn.faa.gov
    Sr. ADP Specialist-Lockheed Martin Information Technology
    www.it.lockheedmartin.com
    Office - 405.954.7134  Email - Kevin.M-CTR.Shannonat_private
    
    The contents of this email reflect neither the views of the FAA nor those
    of Lockheed Martin.
    
    
    
    
    
    From:     <shrink-wrap@hushmail.com>
    Sent:     05/05/2003 09:52 PM
    To:       forensicsat_private
    cc:
    Subject:  Finding root-kits on Windows
    
    If someone could help me I would appreciate it. My current situation is:
    
    On a compromised Windows 2k Pro box I have a directory with suspect
    binaries (which I discovered from a disk image via autopsy/sleuthkit,
    awesome stuff) but on the compromised machine it is impossible* to view
    these files or the directory.  A listing of the files and the directory is
    attached at the end of the e-mail.  After reading more and more on Windows
    rootkits, one of the common ways to use them is to pick a common string to
    hide, and in my case all the files and the directory have the string "drop"
    as part of their name.  As a test I created a directory in the root of the
    drive named "dropper" and it also "disappeared".
    
    So my question is, how can I find this root-kit that is hooked into my
    kernel?  I am looking at my sysinfo for the box, but while there are a
    number of drivers running, how would I further investigate what they are
    doing?  BTW, it hasn't matched up with a well-known root-kit yet (like
    slanret).
    
    Thanks
    S-W
    
    * = except 'cd'ing, via command prompt only, into the suspect (drop)
    directory and 'dir' listing all files *without* the "drop" name; possibly
    an error with the root-kit?
    
    File and directory listing: (md5 hash / file name / size)
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/
    (images/win2kpart1.img)
    
    39a9e5c05ffbda925da0d2ec9b4f512a  drop.exe            50688
    c647b4225e022096fb125f6bc49c5c91  drop.ini              383
    da0bae77d169430f23134c1bea850c10  droper.exe        1364009
    d66183219dcc4df876b94507c517decd  dropz.dat             244
    623dfe4b51bc457a93b6cbbdeb62f3aa  dropz.exe          196922
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/
    (images/win2kpart1.img)
    
    f52d332ff50cb543c6d47d9aa4a0f608  dropclient.exe      30208
    084badcff1da96797dddfd29b5038273  dropcmdsrv.exe      32768
    a109f9c51681ec708342db2af6c4bebb  dropFar.exe        416800
    26c1a98812d114c7ad2bc8e8d7119315  dropisql.exe        98304
    e0fb946c00b140693e3cf5de258c22a1  dropnc.exe          59392
    b5f519b3844c4d3c5451d90f70c59737  dropNTUSER.EXE     114176
    998c2626a275c4ee1d59c2b3d0ede028  droppkzip.exe      339456
    7eec3f77f9cb19fda1d06403ec1472f1  droppm.exe           5632
    9c77ed16bcba7c61d620ec040788e7e8  dropport.exe        48640
    ca0447d2feccc4a5ac3c9128d61debe7  droppwdump2.exe     32768
    b7989bcb72225521c79163517cabe69a  FarEng.hlf          72121
    f7dddbdbbc5879bf16ac00cedcd20745  FarEng.lng          16618
    ab1f54a5fa3e653b6784c44407f113ac  samdump.dll         36864
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/FTP/
    (images/win2kpart1.img)
    
    8e15302b6d6e34f97d1a9729a8982f2e  farftp.dll         115232
    c9c65b08d29378823d4f41bc7f96787f  FtpEng.hlf           6514
    5473c2f0e88c2a6732bbbcf72e895523  FtpEng.lng           2307
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/Network/
    (images/win2kpart1.img)
    
    899618cc2b78249ae846aea0ae7a8e55  NetEng.hlf           1033
    e094baf947eddf5c5d744247ec75859e  NetEng.lng            625
    701c98c6799d450f458335b498806fa2  NETWORK.dll         45600
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/ProcList/
    (images/win2kpart1.img)
    
    43ca7be3f1bb03d47b77ea836f996fba  ProcEng.hlf           444
    77fc621c42ea93a8a0ff9bd32331c350  ProcEng.lng           442
    9691161c57d0cb6500af09df919b852f  PROCLIST.dll        51232
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
    
    
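The cross-view check the original poster used, written out as an added example (this is not code from either message in the thread): the listing taken from the trusted disk image is diffed against what the live, possibly rootkitted, box shows for the same directory, and the hidden names are then tested for a shared substring, which is the hiding rule S-W suspected ("drop"). The image lines reuse the md5/name/size entries quoted above; the 'kernel32.dll' line, its all-zero hash and the 'dir' output are constructed for the example.

```python
"""
Cross-view listing diff: what the trusted disk image says is in a directory
versus what the live system's 'dir' shows for it. Entries present only in the
image are hidden from the live view; if every hidden name shares a substring,
that substring is a candidate for the rootkit's hiding rule.
"""
import re

# Constructed sample: md5 / name / size lines as produced from the disk image.
# The kernel32.dll entry (and its zero hash) is a placeholder for a normal file.
IMAGE_LISTING = """
39a9e5c05ffbda925da0d2ec9b4f512a  drop.exe      50688
c647b4225e022096fb125f6bc49c5c91  drop.ini      383
da0bae77d169430f23134c1bea850c10  droper.exe    1364009
d66183219dcc4df876b94507c517decd  dropz.dat     244
623dfe4b51bc457a93b6cbbdeb62f3aa  dropz.exe     196922
00000000000000000000000000000000  kernel32.dll  742160
"""

# Constructed sample: 'dir' output from the live Windows 2000 box. The rootkit
# has suppressed every entry containing "drop"; only the normal file is shown.
LIVE_DIR = """
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\WINNT\\system32

05/05/2003  09:52p      <DIR>          .
05/05/2003  09:52p      <DIR>          ..
12/07/1999  12:00p             742,160 kernel32.dll
               1 File(s)        742,160 bytes
               2 Dir(s)   1,000,000,000 bytes free
"""

IMAGE_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)\s+(\d+)\s*$")
# Windows 2000 'dir' entry: date, time with a/p suffix, <DIR> or size, name.
DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}[ap]\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_image_listing(text):
    """Return {name_lower: (md5, size)} from the md5/name/size listing."""
    entries = {}
    for line in text.splitlines():
        m = IMAGE_LINE.match(line.strip())
        if m:
            md5, name, size = m.groups()
            entries[name.lower()] = (md5, int(size))
    return entries


def parse_live_dir(text):
    """Return the set of names (lower-cased, NTFS is case-insensitive) that 'dir' shows."""
    names = set()
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m and m.group(2) not in (".", ".."):
            names.add(m.group(2).lower())
    return names


def hidden_entries(image, live):
    """Names the trusted image view contains but the live view does not show."""
    return sorted(name for name in image if name not in live)


def common_substring(names):
    """Longest substring shared by every name, case-insensitive; '' if none."""
    if not names:
        return ""
    names = [n.lower() for n in names]
    shortest = min(names, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in n for n in names):
                return candidate
    return ""


def analyse(image_text=IMAGE_LISTING, live_text=LIVE_DIR):
    """Diff the two views and report hidden names, their hashes and the hiding rule."""
    image = parse_image_listing(image_text)
    hidden = hidden_entries(image, parse_live_dir(live_text))
    return {
        "hidden": hidden,
        "rule": common_substring(hidden),
        "hashes": {name: image[name][0] for name in hidden},
    }


if __name__ == "__main__":
    result = analyse()
    for name in result["hidden"]:
        print(f"hidden from live view: {name}  md5={result['hashes'][name]}")
    print(f"candidate hiding substring: {result['rule']!r}")
```

The hashes carried along with each hidden name are what you would check against known tool hashes offline, on a clean machine; nothing here is run on the compromised box except the 'dir' whose output you paste in. A shared substring across every hidden name is evidence for a string-match hiding rule, which is why S-W's "dropper" test directory vanished as well.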
    



    This archive was generated by hypermail 2b30 : Tue May 06 2003 - 07:24:25 PDT