Compromised Win2000 machine.

From: Daniel Hay (dhayat_private)
Date: Tue May 28 2002 - 13:15:25 PDT

  • Next message: Kevin: "Re: strange account in Win2k"

    Hey,
              Today i found a windows machine located in our dorms that had 
    been compromised, but unlike most of the compromised machines i see come 
    out of the dorms the Admin password was actually set and it was set to 
    something other than NULL or Administrator.  The attacker set up 2 
    Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact, 
    they also installed a warez eggdrop bot that connects to the newnet IRC 
    Network and servs via the #warez-excell channel. The thing that puzzles 
    me and i've not been able to get any information on it through web 
    searches and mailing lists so far, on port 4160 there seems to be a 
    login prompt. When you nc to the port you are presented with the following
    
    [dhay@ob-1 dhay]$ nc compromise.host.edu 4160
    Login: administrator
    
    Invalid password!!!
    login:
    
    
    An nc to the auth port (113) yields
    
    
     [dhay@ob-1 dhay]$ nc 144.118.217.84 113
    
    934 , 6667 : USERID : UNIX : bitch
    
    
    
    I'm hoping someone notices the shift from Uppercase "L" in login to 
    lower case after you fail to login and recognizes it as a known 
    backdoor? or  something similar... does anyone know of any canned 
    rootkits ( for want of a better term ) that acts in the way i've 
    described above? I'll paste the output of nmap -sS -sU -p 1-65535 below
    
    
    Port       State       Service
    99/tcp     open        metagram               
    113/tcp    open        auth                   
    135/tcp    open        loc-srv                
    135/udp    open        loc-srv                
    137/udp    open        netbios-ns             
    138/udp    open        netbios-dgm            
    139/tcp    open        netbios-ssn            
    445/tcp    open        microsoft-ds           
    445/udp    open        microsoft-ds           
    500/udp    open        isakmp                 
    1025/tcp   open        listen                 
    1026/udp   open        unknown                
    4160/tcp   open        unknown                
    23432/tcp  open        unknown                
    65531/tcp  open        unknown                
    
    
    
    Cheers
    Danny 
    Drexel University
    Network Security Engineer
    
    
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 14:14:32 PDT