FireDeamon exploit

From: Curt Purdy (Purdyat_private)
Date: Fri Jul 19 2002 - 11:21:47 PDT

  • Next message: Bob DeRosier: "China Experience ?"

    We investigated an incident today of a compromised fully patched W2K server
    running a DDoS attack sucking up their entire t1.  Entry was gained through
    a user account with blank password given "temporary" adminstrative rights
    for installation of a program.
    They installed a kit with Servu FTP server and FireDaemon service installer
    along with smt, netcat, kill, psservices, info, cygwin1.dll and various
    other tools in C:\winnt\system32\spool\w42x86 as their initial location.
    Also find start32.bat that deletes C$, IPC$, and Admin$ shares. Find they
    installed two illicit services, "Server Adminstrator" and mr2kserv. Find a
    scheduled task called AT2 that runs ServUDaemon.ini one time.
    Their intentions obviously included providing a warez server. Find that they
    had not yet uploaded any files and were using it strictly for DDoS.  Luckily
    we caught it within 24 hours of compromise, tipped off by our remote network
    monitoring showing unusual outbound traffic at the client.
    
    Curt Purdy MCSE+I, CNE, CCNA, CCDA
    Information Security Engineer
    DP Solutions
    cpurdyat_private
    
    ----------------------------------------
    If you spend more on coffee than on IT security, you will be hacked.
    What's more, you deserve to be hacked.
    -- White House cybersecurity adviser Richard Clarke
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 12:23:53 PDT