RE: Compromised Win2000 machine.

From: Don Weber (Donat_private)
Date: Tue May 28 2002 - 15:56:46 PDT


    Look under Services, find all remote procedure calls, and look at the properties
    of each one, specifically noting the actual path to the called program;
    likely you'll find one of those does not go to the winnt directory. Stop that
    service. You may want to go through all of your services that are active and
    look at the program name and location of the program to make sure you
    recognize all of them; the ones you don't, take a little further look into.
    
    Don
    
    
    -----Original Message-----
    From: Kit [mailto:kitat_private]
    Sent: Tuesday, May 28, 2002 2:48 PM
    To: Daniel Hay; incidentsat_private
    Subject: RE: Compromised Win2000 machine.
    
    
    If I remember correctly, Jini uses 4160.  From what I remember, Jini is
    basically distributed computing using Java.  Don't know why exactly it would
    be prompting for a login, but I guess it could be an app of some sort.  They
    could be using this as a DDoS type of system, I guess.
    
    Also, why is it using port 99 and 113?  Those seem like odd ports for a
    Windows machine to have.
    
    Now, if you're having problems getting in because you don't know the admin
    password, with physical access to the box that could obviously be worked
    around, but remotely would be a little less easy.
    
    As for what root-kit it's a part of, sorry, I'm not that familiar with it.
    
    HTH,
    -K
    
    -----Original Message-----
    From: Daniel Hay [mailto:dhayat_private]
    Sent: Tuesday, May 28, 2002 3:15 PM
    To: incidentsat_private
    Subject: Compromised Win2000 machine.
    
    
    Hey,
              Today I found a Windows machine located in our dorms that had
    been compromised, but unlike most of the compromised machines I see come
    out of the dorms, the Admin password was actually set, and it was set to
    something other than NULL or Administrator.  The attacker set up 2
    Serv-U ftpd's on the host on high ports (23432 and 65531 to be exact);
    they also installed a warez eggdrop bot that connects to the newnet IRC
    Network and servs via the #warez-excell channel. The thing that puzzles
    me, and I've not been able to get any information on it through web
    searches and mailing lists so far, is that on port 4160 there seems to be a
    login prompt. When you nc to the port you are presented with the following:
    
    [dhay@ob-1 dhay]$ nc compromise.host.edu 4160
    Login: administrator
    
    Invalid password!!!
    login:
    
    
    An nc to the auth port (113) yields
    
    
     [dhay@ob-1 dhay]$ nc 144.118.217.84 113
    
    934 , 6667 : USERID : UNIX : bitch
    
    
    
    I'm hoping someone notices the shift from uppercase "L" in "Login" to
    lower case after you fail to log in and recognizes it as a known
    backdoor, or something similar... Does anyone know of any canned
    rootkits (for want of a better term) that act in the way I've
    described above? I'll paste the output of nmap -sS -sU -p 1-65535 below:
    
    
    Port       State       Service
    99/tcp     open        metagram
    113/tcp    open        auth
    135/tcp    open        loc-srv
    135/udp    open        loc-srv
    137/udp    open        netbios-ns
    138/udp    open        netbios-dgm
    139/tcp    open        netbios-ssn
    445/tcp    open        microsoft-ds
    445/udp    open        microsoft-ds
    500/udp    open        isakmp
    1025/tcp   open        listen
    1026/udp   open        unknown
    4160/tcp   open        unknown
    23432/tcp  open        unknown
    65531/tcp  open        unknown
    
    
    
    Cheers
    Danny
    Drexel University
    Network Security Engineer
    
    
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
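Don's advice at the top of the thread, walked through the Services console by hand, is the kind of check that is easier to run as a script on any host you can reach. The example below is added here and is not part of the original thread: it lists every service with the executable its PathName resolves to and flags the ones that live outside the system directory (Program Files is also treated as trusted, which is an assumption), that do not exist on disk, or whose Authenticode signature is missing or invalid. It targets a modern Windows host with PowerShell 5.1 or later; Windows 2000 predates PowerShell, so on the machine in the thread the same check was a manual walk through each service's properties.

```powershell
# Added example (not from the thread): enumerate Windows services, resolve the
# executable each one points to, and flag the ones worth a closer look.
# Assumptions: PowerShell 5.1+; Program Files is treated as a trusted location.

function Get-ServiceBinaryPath {
    # Extract the executable from a service's PathName, which may be quoted
    # ("C:\path\svc.exe" -arg) or unquoted with arguments (C:\path\svc.exe -k net).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Test-TrustedLocation {
    # True when the path sits under one of the roots we expect service binaries in.
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# %SystemRoot% is C:\WINNT on Windows 2000 and C:\Windows on later versions.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe    = Get-ServiceBinaryPath $_.PathName
    # -and short-circuits, so Test-Path is never called with an empty path.
    $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $sig    = 'missing'
    if ($exists) {
        # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
    }
    $trusted = $exists -and (Test-TrustedLocation -Path $exe -Roots $trustedRoots)

    [pscustomobject]@{
        Name       = $_.Name
        State      = $_.State
        StartMode  = $_.StartMode
        RunsAs     = $_.StartName
        Executable = $exe
        Signature  = $sig
        Suspicious = (-not $trusted) -or ($sig -ne 'Valid')
    }
}

# Unknown locations and unsigned or missing binaries float to the top; review those first.
$report |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Name |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the signature check can read every binary. The location test is a triage filter, not a verdict: a binary dropped into %SystemRoot%\system32 passes it, so an unfamiliar service name, an unexpected RunsAs account, or a non-Valid signature deserves the same "further look" Don describes even when the path looks right.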



    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:34:18 PDT