look under services, find all remote procedure calls, look at the properties of each one, specifically notating the actual path to the called program, liekly you'll find one of those do not go to the winnt directory, stop that service. You may want to go thru all of your services that are active, and look at the program name and location of the program to make sure you recognize all of them, the ones you dont, take a little further look into. Don -----Original Message----- From: Kit [mailto:kitat_private] Sent: Tuesday, May 28, 2002 2:48 PM To: Daniel Hay; incidentsat_private Subject: RE: Compromised Win2000 machine. If I remember correctly, Jini uses 4160. From what I remember, Jini is basically distributed computing using Java. Don't know why exactly it would be prompting for a login, but I guess it could be an app of somesort. They could be using this as a DDoS type of system I guess. Also, why is it using port 99 and 113? Those seem like odd ports for a Windows machine to have. Now, if you're having problems getting in because you don't know the admin password, with physical access to the box that could obviously be worked around, but remotely would be a little less easy. As for what root-kit its a part of, sorry, I'm not that familiar with it. HTH, -K -----Original Message----- From: Daniel Hay [mailto:dhayat_private] Sent: Tuesday, May 28, 2002 3:15 PM To: incidentsat_private Subject: Compromised Win2000 machine. Hey, Today i found a windows machine located in our dorms that had been compromised, but unlike most of the compromised machines i see come out of the dorms the Admin password was actually set and it was set to something other than NULL or Administrator. The attacker set up 2 Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact, they also installed a warez eggdrop bot that connects to the newnet IRC Network and servs via the #warez-excell channel. The thing that puzzles me and i've not been able to get any information on it through web searches and mailing lists so far, on port 4160 there seems to be a login prompt. When you nc to the port you are presented with the following [dhay@ob-1 dhay]$ nc compromise.host.edu 4160 Login: administrator Invalid password!!! login: An nc to the auth port (113) yields [dhay@ob-1 dhay]$ nc 144.118.217.84 113 934 , 6667 : USERID : UNIX : bitch I'm hoping someone notices the shift from Uppercase "L" in login to lower case after you fail to login and recognizes it as a known backdoor? or something similar... does anyone know of any canned rootkits ( for want of a better term ) that acts in the way i've described above? I'll paste the output of nmap -sS -sU -p 1-65535 below Port State Service 99/tcp open metagram 113/tcp open auth 135/tcp open loc-srv 135/udp open loc-srv 137/udp open netbios-ns 138/udp open netbios-dgm 139/tcp open netbios-ssn 445/tcp open microsoft-ds 445/udp open microsoft-ds 500/udp open isakmp 1025/tcp open listen 1026/udp open unknown 4160/tcp open unknown 23432/tcp open unknown 65531/tcp open unknown Cheers Danny Drexel University Network Security Engineer ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:34:18 PDT