Hey, Today i found a windows machine located in our dorms that had been compromised, but unlike most of the compromised machines i see come out of the dorms the Admin password was actually set and it was set to something other than NULL or Administrator. The attacker set up 2 Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact, they also installed a warez eggdrop bot that connects to the newnet IRC Network and servs via the #warez-excell channel. The thing that puzzles me and i've not been able to get any information on it through web searches and mailing lists so far, on port 4160 there seems to be a login prompt. When you nc to the port you are presented with the following [dhay@ob-1 dhay]$ nc compromise.host.edu 4160 Login: administrator Invalid password!!! login: An nc to the auth port (113) yields [dhay@ob-1 dhay]$ nc 144.118.217.84 113 934 , 6667 : USERID : UNIX : bitch I'm hoping someone notices the shift from Uppercase "L" in login to lower case after you fail to login and recognizes it as a known backdoor? or something similar... does anyone know of any canned rootkits ( for want of a better term ) that acts in the way i've described above? I'll paste the output of nmap -sS -sU -p 1-65535 below Port State Service 99/tcp open metagram 113/tcp open auth 135/tcp open loc-srv 135/udp open loc-srv 137/udp open netbios-ns 138/udp open netbios-dgm 139/tcp open netbios-ssn 445/tcp open microsoft-ds 445/udp open microsoft-ds 500/udp open isakmp 1025/tcp open listen 1026/udp open unknown 4160/tcp open unknown 23432/tcp open unknown 65531/tcp open unknown Cheers Danny Drexel University Network Security Engineer ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 14:14:32 PDT