Hey,
Today i found a windows machine located in our dorms that had
been compromised, but unlike most of the compromised machines i see come
out of the dorms the Admin password was actually set and it was set to
something other than NULL or Administrator. The attacker set up 2
Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact,
they also installed a warez eggdrop bot that connects to the newnet IRC
Network and servs via the #warez-excell channel. The thing that puzzles
me and i've not been able to get any information on it through web
searches and mailing lists so far, on port 4160 there seems to be a
login prompt. When you nc to the port you are presented with the following
[dhay@ob-1 dhay]$ nc compromise.host.edu 4160
Login: administrator
Invalid password!!!
login:
An nc to the auth port (113) yields
[dhay@ob-1 dhay]$ nc 144.118.217.84 113
934 , 6667 : USERID : UNIX : bitch
I'm hoping someone notices the shift from Uppercase "L" in login to
lower case after you fail to login and recognizes it as a known
backdoor? or something similar... does anyone know of any canned
rootkits ( for want of a better term ) that acts in the way i've
described above? I'll paste the output of nmap -sS -sU -p 1-65535 below
Port State Service
99/tcp open metagram
113/tcp open auth
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
445/tcp open microsoft-ds
445/udp open microsoft-ds
500/udp open isakmp
1025/tcp open listen
1026/udp open unknown
4160/tcp open unknown
23432/tcp open unknown
65531/tcp open unknown
Cheers
Danny
Drexel University
Network Security Engineer
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 14:14:32 PDT