Re: Compromised Win2000 machine. - Follow UP

From: Daniel Hay (dhayat_private)
Date: Thu May 30 2002 - 14:27:41 PDT

  • Next message: H C: "Re: Re[2]: Compromised Win2000 machine."

    OK I managed to sniff the password for the "login" program after 
    tcpkill'ing the irc connection of the bot several times, in the hope the 
    "owner" of the bot would login and try to figure out what was happening 
    and sure enough it only took about 10 minutes and i had the password. I 
    was able to use it to login the say way the warez pups did.  The program 
    that was listening on port 4160 was called wollf, the program is 
    available from
     From their website "Extended Telnet Services, support file transfers, 
    support reverse-connect through firewall, you can use a option to start 
    it as a serivce or a general process."
    It seems pretty powerful from what I seen dinking around with it this 
    afternoon, it allowed the remote user to "export" a cmd.exe shell on any 
    port you choose, it allowed you to get process listings and screen 
    listings, kill processes, ftp put and get files from other ftp sites, 
    telnet from the compromised host to other hosts, view files on the 
    system rename and delete files etc etc.
    After speaking with the user this afternoon I was informed that the 
    machine did infact have a NULL admin password but they dont use the 
    admin account so they never noticed the password had been reset. The 
    warez pups had their junk in 2 hidden directories in 
    c:\winnt\system32\sys32 and c:\winnt\system32\sysfiles
    I had the user zip these directories and send them to me,  if anyone 
    wants to check them out drop me a line, the zip files are the complete 
    directory and structure minus the 12 gig of movies, porn and games :). 
    After running ngrep and looking for the login banner "wollf" I managed 
    to find 3 other dorm machines on campus that had been hit by the same 
    person using the same password, directory structure and ports so if you 
    find something you think maybe the wollf program on port 4160 drop me a 
    line and i'll give you the password because chances are its the same kid.
    H C wrote:
    >Some additional thoughts on this particular issue...
    >>...but I thought the advice for a (possibly)
    >>compromised box was *not* 
    >>to run executable programs that resided on that
    >>host, as they can't be trusted?
    >While I definitely recommend burning your tools...even
    >the ones shipped w/ NT/2K, including a
    >CD, to be quite honest, has anyone ever actually seen
    >a system w/ a trojaned netstat?  Now, I know many
    >folks are going to pump their arms into the
    >let me clarify...this is a 2K box.  Has anyone ever
    >seen a trojaned cmd.exe or netstat.exe?  Has anyone
    >seen netstat.exe on an NT or 2K system "trojaned" so
    >as to NOT show certain connects...but otherwise, it
    >works fine?
    >Remember...the Linux/*nix architectures are different
    >from that of NT/2K...and XP.  I'm not saying that this
    >can't be done...I'm simply asking if anyone can show,
    >with proof, that this *has* been done?  And it doesn't
    >have to be just can be any other
    >native tool.  And binding the .exe file using
    >SaranWrap or EliteWrap doesn't count, as the basic
    >functionality still exists and all network connects
    >(netstat) will still be shown...
    >Do You Yahoo!?
    >Yahoo! - Official partner of 2002 FIFA World Cup
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see:
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu May 30 2002 - 15:55:57 PDT