Re: Rcon trojan

From: H C (keydet89at_private)
Date: Mon Mar 04 2002 - 17:53:32 PST


    Owen,
    
    > It appears one of our NT boxes has been compromised,
    > and is running the rcon
    > trojan, port 8989
    > Does anyone know how to clean up the mess, or do I
    > need to rebuild the box?
    
    I'm sure you're going to get responses stating that
    the box should be rebuilt from clean media.  In some
    cases, this may be sound advice.  In incident
    response, it's not always the best advice.
    
    I understand you can't be specific about the nature of
    the box (server/workstation, its function, etc.).
    However, here are some things to consider:
    
    1.  How did you become aware of the trojan?
    2.  Are you sure that this is Rcon and not some other
    program configured to use the port?
    3.  Do you know how the 'compromise' occurred?
    
    I ask, b/c I teach an incident response course
    (http://patriot.net/~carvdawg/ir.html) and the thing I
    find is that even the most competent MS admin doesn't
    understand the necessary steps of incident response. 
    Sure, reloading the software from clean media is all
    well and fine...but if you don't know *how* the
    compromise occurred, how do you protect against it in
    the future?
    
    Just as food for thought, let's say you just came upon
    this box.  Rcon is a telnet server of sorts, so you
    might want to get some info about the 'compromise'. 
    Say, a search of recently created files on the system?
    Or the LastWrite time of the pertinent Registry key
    (to tie down when the compromise occurred)?  Would you
    be interested in finding out who's connecting to it,
    if anyone is?  I doubt that will work at this point,
    if the 'bad guy' is monitoring the Incidents list,
    though.
    
    Anyway, rebuilding the system after a compromise *may*
    be a good idea, particularly if it's a root or Admin
    or SYSTEM level compromise.  However, you may not have
    to rebuild.  Or, if you do, how do you know you're not
    rebuilding the same holes that allowed the bad guy in
    in the first place?
    
    Finally, cleaning the thing off the system is pretty
    simple.  There are traces of the trojan in the
    Registry, as well as tools that will do
    process-to-port mappings for you to show you the .exe
    files in question.
    
    HTH,
    
    Carv
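A defender-side triage script covering the three leads Carv lists above (the process-to-port mapping for the listener, the LastWrite time of persistence keys in the Registry, and a sweep for recently created files), as an added example that is not part of the original post and is not Rcon or SecurityFocus code. It assumes a modern Windows host (Windows 8 / Server 2012 or later with PowerShell 5.1+, for Get-NetTCPConnection and Get-CimInstance) rather than the NT 4 box in the thread; port 8989 comes from the thread, while the registry paths, directory roots and the 7-day window are illustrative choices.

```powershell
# Added triage example, not code from the original post or from Rcon.
# Assumptions: Windows 8/Server 2012+ with PowerShell 5.1+; port 8989 is the
# one named in the thread; the registry keys, roots and 7-day window are
# illustrative. Read-only: it changes nothing on the host. Run elevated.
param(
    [int]$Port = 8989,
    [int]$DaysBack = 7,
    [string[]]$Roots = @($env:SystemRoot, "$env:SystemRoot\System32")
)

# RegQueryInfoKey is the Win32 call that exposes a key's LastWrite time;
# the .NET RegistryKey class does not surface it directly.
Add-Type -Namespace RegTriage -Name NativeMethods -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWrite {
    # When was this HKLM subkey last written (e.g. a Run value added)?
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try {
        $subKeys = [uint32]0; $l1 = [uint32]0; $l2 = [uint32]0; $values = [uint32]0
        $l3 = [uint32]0; $l4 = [uint32]0; $sd = [uint32]0; $fileTime = [long]0
        $rc = [RegTriage.NativeMethods]::RegQueryInfoKey(
            $key.Handle.DangerousGetHandle(), [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
            [ref]$subKeys, [ref]$l1, [ref]$l2, [ref]$values, [ref]$l3, [ref]$l4,
            [ref]$sd, [ref]$fileTime)
        if ($rc -ne 0) { throw "RegQueryInfoKey on $SubKey failed: $rc" }
        [pscustomobject]@{
            Key       = "HKLM\$SubKey"
            Values    = $values
            LastWrite = [DateTime]::FromFileTimeUtc($fileTime).ToLocalTime()
        }
    } finally { $key.Close() }
}

function Get-ListenerOwner {
    # Port-to-process mapping, plus any peer currently connected on that port.
    param([int]$LocalPort)
    Get-NetTCPConnection -LocalPort $LocalPort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                State       = $_.State
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                ProcessId   = $_.OwningProcess
                Executable  = $proc.ExecutablePath
                CommandLine = $proc.CommandLine
            }
        }
}

function Get-RecentFiles {
    # Files created or modified inside the window. Timestamps can be altered,
    # so treat these as leads to correlate with the Registry times, not proof.
    param([string[]]$Paths, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Paths -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        Sort-Object CreationTime -Descending |
        Select-Object CreationTime, LastWriteTime, Length, FullName
}

"== Process owning / talking on TCP $Port =="
Get-ListenerOwner -LocalPort $Port | Format-Table -AutoSize

"== Persistence keys and when they were last written =="
@('SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'SYSTEM\CurrentControlSet\Services') |
    ForEach-Object { Get-RegKeyLastWrite -SubKey $_ } | Format-Table -AutoSize

"== Files created or modified in the last $DaysBack days under $($Roots -join ', ') =="
Get-RecentFiles -Paths $Roots -Days $DaysBack | Select-Object -First 40 | Format-Table -AutoSize
```

Run it before cleaning anything: the executable path behind the port, the LastWrite time on the Run or Services key, and the cluster of files created around that time together give the "when" and "how" Carv is asking about, and deleting the trojan first destroys exactly that timeline. Redirect the output to removable media rather than writing it onto the compromised volume.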
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 08:30:53 PST