We investigated an incident today of a compromised, fully patched W2K server running a DDoS attack sucking up their entire T1. Entry was gained through a user account with a blank password that had been given "temporary" administrative rights for installation of a program. They installed a kit with Serv-U FTP server and the FireDaemon service installer along with smt, netcat, kill, psservices, info, cygwin1.dll and various other tools in C:\winnt\system32\spool\w42x86 as their initial location. Also find start32.bat, which deletes the C$, IPC$, and Admin$ shares. Find they installed two illicit services, "Server Adminstrator" and mr2kserv. Find a scheduled task called AT2 that runs ServUDaemon.ini one time. Their intentions obviously included providing a warez server. Find that they had not yet uploaded any files and were using it strictly for DDoS. Luckily we caught it within 24 hours of compromise, tipped off by our remote network monitoring showing unusual outbound traffic at the client.

Curt Purdy MCSE+I, CNE, CCNA, CCDA
Information Security Engineer
DP Solutions
cpurdyat_private

----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 12:23:53 PDT
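The indicators in the post (the w42x86 spool drop folder, the two illicit services, the AT2 job and the deleted admin shares) can be checked on a Windows host with a short triage script. The script below is an added example, not part of the original post or of any tool mentioned in it; it assumes a local administrator PowerShell session, and the function name Invoke-W42x86Triage is a hypothetical one chosen here.

```powershell
# Added host triage for the indicators reported in the post.
# Assumes an elevated PowerShell session on the host being examined.
function Invoke-W42x86Triage {
    $findings = @()

    # 1. Drop folder hidden under the print spooler path (as reported).
    $dropDir = Join-Path $env:SystemRoot 'system32\spool\w42x86'
    if (Test-Path $dropDir) {
        $findings += "Drop directory present: $dropDir"
        Get-ChildItem -Path $dropDir -Force | ForEach-Object {
            $findings += "  file: $($_.Name) ($($_.Length) bytes, modified $($_.LastWriteTime))"
        }
    }

    # 2. Illicit services; "Server Adminstrator" keeps the attacker's misspelling
    #    because that is the name the post reports seeing.
    foreach ($name in 'Server Adminstrator', 'mr2kserv') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name' OR DisplayName='$name'"
        if ($svc) { $findings += "Service found: $($svc.Name) -> $($svc.PathName)" }
    }

    # 3. Scheduled task named AT2 (legacy AT jobs are listed by schtasks as \At2).
    $tasks = schtasks /query /fo csv /nh 2>$null | ConvertFrom-Csv -Header TaskName, NextRun, Status
    foreach ($t in $tasks) {
        if ($t.TaskName -match '(?i)\\?at2$') { $findings += "Scheduled task: $($t.TaskName)" }
    }

    # 4. Admin shares that the reported start32.bat removes; a missing one is
    #    a sign the batch file has run.
    $present = (Get-CimInstance Win32_Share).Name
    foreach ($share in 'C$', 'IPC$', 'ADMIN$') {
        if ($present -notcontains $share) { $findings += "Admin share missing: $share" }
    }

    # 5. Listening TCP ports with their owning process, so an unexpected FTP
    #    daemon or netcat listener stands out for manual review.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Sort-Object LocalPort -Unique | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += "Listening: port $($_.LocalPort) pid $($_.OwningProcess) ($($proc.ProcessName))"
        }

    return $findings
}

Invoke-W42x86Triage
```

Run it on the suspect host only; the output is a list of strings, so it can be written to a file off the box for the incident record.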