Re: Compromised Win2000 machine.

From: ghb the irrepressible (ghbat_private)
Date: Tue May 28 2002 - 20:42:17 PDT

  • Next message: Mark Fagan: "RE: strange account in Win2k"

     ('binary' encoding is not supported, stored as-is)
    In-Reply-To: <3CF3E55D.8030702at_private>
    This post is a perfect example of current script kiddy 
    trends. If you join any of the larger channels on,, and so forth, you will 
    see that all of the 'leech fserves' in these channels are 
    compromised windows machines. (usually .edu's).
    I would wager that these groups are hacking win2k boxes on 
    fast networks en-masse.. using something lame and well 
    known like the Unicode or HTR exploit (for shame!) or 
    possibly the recent .ASP exploit.
    These groups are compiling their own rootkit/backdoors from 
    well-documented open source utilities such as DSNX 
    ( The main function of these backdoors, as 
    you have seen, is to provide remote FTP access to the 
    compromised host (for uploading more 0day warez and DIVX 
    movies), run an identd server if required, and connect to a 
    pre-configured IRC network and channel. The server then 
    acts as an irc Fserve, allowing anyone in the channel to 
    queue up files to download.
    I would also wager that port 99 is a copy of ncx99.exe - 
    this was used as the default bindport for a couple of win32 
    exploits (original iishack?) It is a modified version of 
    nc.exe configured to spawn a cmd.exe shell on port 99. This 
    simple backdoor is favored by script kiddies and the like 
    because it does not require any command line arguments.
    These groups often advertise their efforts in the channel 
    topics on - ">100 .edu 100mbit bots! Leech! 
    Latest releases!' They also advertise "we need couriers, 
    dumps, carders, rooters (?), coders and rippers - contact 
    Maybe someone should join these channels, #warez-excell 
    etc, and scan all the fserve hosts for ports 99 and 4160... 
    if port 99 is indeed a netcat/cmd.exe backdoor, a script 
    could be written to mass-patch or disable these IRC bots ;)
    They deserve it for being so damn open about their 
    activites. Warez kids used to have a clue !
    i remain
    >          Today i found a windows machine located in our 
    dorms that had 
    >been compromised, but unlike most of the compromised 
    machines i see come 
    >out of the dorms the Admin password was actually set and 
    it was set to 
    >something other than NULL or Administrator.  The attacker 
    set up 2 
    >Serv-U ftpd's on the host on high ports 23432 and 65531 to 
    be exact, 
    >they also installed a warez eggdrop bot that connects to 
    the newnet IRC 
    >Network and servs via the #warez-excell channel. 
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:47:13 PDT