Re: Compromised Win2000 machine.

From: H C (keydet89at_private)
Date: Tue May 28 2002 - 14:35:00 PDT


    Daniel,
    
    I'm curious as to why you haven't run fport on the
    system?  This would tell you which process is using
    that port.  You could then shut the process down, and
    take a closer look at the executable.
    
    
    --- Daniel Hay <dhayat_private> wrote:
    > Hey,
    > Today I found a Windows machine located in our dorms that had been
    > compromised, but unlike most of the compromised machines I see come out
    > of the dorms, the Admin password was actually set, and it was set to
    > something other than NULL or Administrator.  The attacker set up 2 Serv-U
    > ftpd's on the host on high ports, 23432 and 65531 to be exact; they also
    > installed a warez eggdrop bot that connects to the newnet IRC Network and
    > servs via the #warez-excell channel.  The thing that puzzles me, and I've
    > not been able to get any information on it through web searches and
    > mailing lists so far: on port 4160 there seems to be a login prompt.  When
    > you nc to the port you are presented with the following
    > 
    > [dhay@ob-1 dhay]$ nc compromise.host.edu 4160
    > Login: administrator
    > 
    > Invalid password!!!
    > login:
    > 
    > 
    > An nc to the auth port (113) yields
    > 
    > 
    >  [dhay@ob-1 dhay]$ nc 144.118.217.84 113
    > 
    > 934 , 6667 : USERID : UNIX : bitch
    > 
    > 
    > 
    > I'm hoping someone notices the shift from uppercase "L" in login to lower
    > case after you fail to login and recognizes it as a known backdoor, or
    > something similar...  Does anyone know of any canned rootkits (for want of
    > a better term) that act in the way I've described above?  I'll paste the
    > output of nmap -sS -sU -p 1-65535 below
    > 
    > 
    > Port       State       Service
    > 99/tcp     open        metagram               
    > 113/tcp    open        auth                   
    > 135/tcp    open        loc-srv                
    > 135/udp    open        loc-srv                
    > 137/udp    open        netbios-ns             
    > 138/udp    open        netbios-dgm            
    > 139/tcp    open        netbios-ssn            
    > 445/tcp    open        microsoft-ds           
    > 445/udp    open        microsoft-ds           
    > 500/udp    open        isakmp                 
    > 1025/tcp   open        listen                 
    > 1026/udp   open        unknown                
    > 4160/tcp   open        unknown                
    > 23432/tcp  open        unknown                
    > 65531/tcp  open        unknown                
    > 
    > 
    > 
    > Cheers
    > Danny 
    > Drexel University
    > Network Security Engineer
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
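    As an added example, not code from either message in this thread: the triage H C describes, mapping every listening port to its owning process and singling out the listeners that do not belong on a stock host, written in Python against constructed `netstat -ano` and `tasklist /FO CSV /NH` output. Windows 2000's own netstat did not report PIDs (which is why fport existed); the PID column parsed here is the Windows XP-and-later format, and fport's table can be fed to the same join. Process names, PIDs and addresses in the samples are made up to mirror the ports in the quoted nmap scan.

```python
"""Map listening TCP ports to their owning process and flag the ones that are
not in a known-good baseline; then list every socket a suspect PID holds.

Added example for this thread, not from the original post.  Assumes the output
formats of `netstat -ano` and `tasklist /FO CSV /NH` (Windows XP and later).
All sample output below is constructed; image names and PIDs are placeholders.
"""
import csv
import io
import re

# Constructed `netstat -ano` output, shaped after the ports in the quoted nmap scan.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1384
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       512
  TCP    0.0.0.0:4160           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:23432          0.0.0.0:0              LISTENING       1560
  TCP    0.0.0.0:65531          0.0.0.0:0              LISTENING       1572
  TCP    10.0.0.5:934           10.0.0.9:6667          ESTABLISHED     1384
  UDP    0.0.0.0:137            *:*                                    8
"""

# Constructed `tasklist /FO CSV /NH` output; "unknown.exe" is a placeholder name.
TASKLIST_SAMPLE = """\
"System","8","Console","0","216 K"
"svchost.exe","392","Console","0","5,012 K"
"msdtc.exe","512","Console","0","3,900 K"
"unknown.exe","1204","Console","0","2,140 K"
"eggdrop.exe","1384","Console","0","4,410 K"
"ServUDaemon.exe","1560","Console","0","3,300 K"
"ServUDaemon.exe","1572","Console","0","3,280 K"
"""

# proto, local addr, local port, foreign addr, optional state, pid
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# Ports a stock Windows 2000 workstation is expected to listen on:
# RPC endpoint mapper, NetBIOS session, SMB over TCP, first RPC dynamic port.
BASELINE_TCP_LISTENERS = {135, 139, 445, 1025}


def parse_netstat(text):
    """One dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, port, foreign, state, pid = m.groups()
        sockets.append({"proto": proto, "local": local, "port": int(port),
                        "foreign": foreign, "state": state or "", "pid": int(pid)})
    return sockets


def parse_tasklist(text):
    """{pid: image name} from the CSV form of tasklist (image is column 0, PID column 1)."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def unexpected_listeners(netstat_text, tasklist_text, baseline=BASELINE_TCP_LISTENERS):
    """TCP listeners outside the baseline as sorted (port, pid, image) tuples."""
    images = parse_tasklist(tasklist_text)
    flagged = []
    for s in parse_netstat(netstat_text):
        if s["proto"] != "TCP" or s["state"] != "LISTENING" or s["port"] in baseline:
            continue
        flagged.append((s["port"], s["pid"], images.get(s["pid"], "<pid not in tasklist>")))
    return sorted(flagged)


def sockets_for_pid(netstat_text, pid):
    """Every socket held by one PID: its listeners plus any outbound connections,
    e.g. the ident daemon's companion connection to an IRC server on 6667."""
    return [(s["proto"], s["port"], s["foreign"], s["state"])
            for s in parse_netstat(netstat_text) if s["pid"] == pid]


if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"tcp/{port:<6} pid {pid:<6} {image}")
    print("sockets held by pid 1384:", sockets_for_pid(NETSTAT_SAMPLE, 1384))
```

    Once a listener is tied to an image, the next step in the thread's advice applies: stop that process and pull the executable (and the PID's other sockets, as `sockets_for_pid` shows) into the investigation rather than just closing the port.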
    
    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 15:08:51 PDT