OK, I managed to sniff the password for the "login" program after tcpkill'ing the IRC connection of the bot several times, in the hope the "owner" of the bot would log in and try to figure out what was happening, and sure enough it only took about 10 minutes and I had the password. I was able to use it to log in the same way the warez pups did.

The program that was listening on port 4160 was called wollf; the program is available from www.xfocus.org. From their website: "Extended Telnet Services, support file transfers, support reverse-connect through firewall, you can use an option to start it as a service or a general process." It seems pretty powerful from what I've seen dinking around with it this afternoon: it allowed the remote user to "export" a cmd.exe shell on any port you choose, it allowed you to get process listings and screen listings, kill processes, ftp put and get files from other ftp sites, telnet from the compromised host to other hosts, view files on the system, rename and delete files etc. etc.

After speaking with the user this afternoon I was informed that the machine did in fact have a NULL admin password, but they don't use the admin account so they never noticed the password had been reset. The warez pups had their junk in 2 hidden directories in c:\winnt\system32\sys32 and c:\winnt\system32\sysfiles. I had the user zip these directories and send them to me; if anyone wants to check them out drop me a line. The zip files are the complete directory and structure minus the 12 gig of movies, porn and games :).

After running ngrep and looking for the login banner "wollf" I managed to find 3 other dorm machines on campus that had been hit by the same person using the same password, directory structure and ports, so if you find something you think may be the wollf program on port 4160 drop me a line and I'll give you the password, because chances are it's the same kid.

Cheers
Danny

H C wrote:
> Some additional thoughts on this particular issue...
>
> > ...but I thought the advice for a (possibly) compromised box was *not*
> > to run executable programs that resided on that host, as they can't be
> > trusted?
>
> While I definitely recommend burning your tools...even the ones shipped
> w/ NT/2K, including cmd.exe...to a CD, to be quite honest, has anyone
> ever actually seen a system w/ a trojaned netstat? Now, I know many folks
> are going to pump their arms into the air...so let me clarify...this is a
> 2K box. Has anyone ever seen a trojaned cmd.exe or netstat.exe? Has
> anyone seen netstat.exe on an NT or 2K system "trojaned" so as to NOT
> show certain connects...but otherwise, it works fine?
>
> Remember...the Linux/*nix architectures are different from that of
> NT/2K...and XP. I'm not saying that this can't be done...I'm simply
> asking if anyone can show, with proof, that this *has* been done? And it
> doesn't have to be just netstat.exe...it can be any other native tool.
> And binding the .exe file using SaranWrap or EliteWrap doesn't count, as
> the basic functionality still exists and all network connects (netstat)
> will still be shown...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
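The banner search Danny describes (ngrep for the "wollf" login banner across campus traffic, then checking the two hidden directories on the host) as an added example, not part of the original post or of the wollf tool itself. The flow records, payload strings and directory listing below are constructed; the banner text "wollf", port 4160 and the two directory paths come from the post, and all function and class names are this example's own. Because the post says wollf can "export" a shell on any port the attacker chooses, the scanner keys on the banner first and treats port 4160 on its own only as a weaker hint worth checking by hand.

```python
"""Added example (not from the original post): flag hosts that answer with
the wollf login banner, the way Danny did with ngrep, and list files under
the hidden directories named in the post.

All sample data here is constructed for illustration.
"""
from dataclasses import dataclass
import re

# Banner substring reported in the post; matched case-insensitively because
# the exact capitalisation the program emits is not given there.
WOLLF_BANNER = re.compile(rb"wollf", re.IGNORECASE)
KNOWN_PORT = 4160  # the port seen in the post; wollf can listen anywhere

# Hidden directories named in the post (compared case-insensitively, since
# NTFS paths are case-insensitive).
HIDDEN_DIRS = (r"c:\winnt\system32\sys32", r"c:\winnt\system32\sysfiles")


@dataclass(frozen=True)
class Flow:
    """One TCP conversation: who connected where, and what the server sent back."""
    client: str
    server: str
    server_port: int
    server_payload: bytes  # first bytes the server sent (the banner, if any)


def classify(flow):
    """Return a reason string if the flow looks like wollf, else None.

    Banner match is the strong signal; port 4160 without a banner is only a
    hint, because the port is attacker-chosen.
    """
    if WOLLF_BANNER.search(flow.server_payload):
        if flow.server_port == KNOWN_PORT:
            return "banner on known port 4160"
        return f"banner on non-default port {flow.server_port}"
    if flow.server_port == KNOWN_PORT:
        return "traffic to port 4160 without banner (check manually)"
    return None


def suspect_hosts(flows):
    """Map each server that looks compromised to a sorted list of reasons."""
    hits = {}
    for f in flows:
        reason = classify(f)
        if reason:
            hits.setdefault(f.server, set()).add(reason)
    return {host: sorted(reasons) for host, reasons in hits.items()}


def hidden_dir_hits(paths):
    """Return the paths that are, or sit under, either hidden directory."""
    out = []
    for p in paths:
        low = p.lower()
        if any(low == d or low.startswith(d + "\\") for d in HIDDEN_DIRS):
            out.append(p)
    return out


# Constructed sample traffic: one banner on the known port, one banner on a
# different port, one bare connection to 4160, and one ordinary web reply.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.2.3.4", 4160, b"wollf login:\r\n"),
    Flow("10.1.1.5", "10.2.3.9", 31337, b"Wollf login:\r\n"),
    Flow("10.1.1.5", "10.2.3.11", 4160, b""),
    Flow("10.1.1.5", "10.2.3.20", 80, b"HTTP/1.1 200 OK\r\n"),
]

# Constructed sample directory listing from a suspect host.
SAMPLE_PATHS = [
    r"C:\WINNT\system32\sys32\readme.txt",
    r"C:\WINNT\system32\drivers\etc\hosts",
    r"C:\WINNT\system32\sysfiles\ftp.txt",
    r"C:\WINNT\system32\sysfiles",
]

if __name__ == "__main__":
    for host, reasons in suspect_hosts(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
    for p in hidden_dir_hits(SAMPLE_PATHS):
        print("hidden-dir artefact:", p)
```

Run against real captures you would feed `Flow` records built from the first server-to-client segment of each connection; the two-tier classification keeps a port-only hit separate from a banner hit so that a reviewer can prioritise the hosts that actually spoke the banner.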
This archive was generated by hypermail 2b30 : Thu May 30 2002 - 15:55:57 PDT