Greetings. This is a basic analysis and a few questions. I've come across a system that appears to have been compromised. It is a Win2K advanced server, and during analysis I found that the DameWare remote control agent version 3.51.1.0 has been installed, which allows remote GUI access by an unauthorized party. The DameWare application is running as a service and listens on TCP port 6129 by default. The attacker has installed the Dameware server application in the default location C:\WINNT\SYSTEM32\DWRCS.EXE and DWRCK.DLL. The owner of the executable is the Administrators group. DWRCS.EXE can be used through command line to install, uninstall, or change the listening port, so any exploit that would have allowed the attacker to execute any command line could have been used. I downloaded the most recent version of the dameware mini remote control from their website (dameware.com) and this installation created an icon in the system tray and introduced several files into the WINNT/System32 directory, as opposed to the two files from version 3.51.1.0. Perhaps the attacker was unable to perform the full install, or perhaps they had cleaned their tracks and had forgotten to remove these two associated files. My attempts to use a current DameWare client to connect to the agent previously installed by the attacker prompted for various types of authentication, leading me to believe that an account had been compromised, either due to poor password choice or from some other method, and that this account was used to connect to the DameWare agent. However, the agent could have been a hacked version that does not require authentication, or could contain some other type of backdoor. As a matter of fact, the server antivirus app (Netshield) reported the presence of the Backdoor-RQ trojan, located at C:\WINNT\System32\SRV1984.exe.
The file no longer was present on the system, but I have found a few references to SRV1984 on some non-English web sites, particularly some sites in China.

    http://hongniao.diy.163.com/download/houmen.htm
    http://www.sandflee.net/liu/liuyan/index.asp?user=sandflee&page=4

NAI says this about the RQ trojan: "BackDoor-RQ is a patched copy of the Netcat v1.10 NT application/utility. This patch causes Netcat to act as a remote console server on port 80 and suppresses console messages on the server." and "As an isolated program, this trojan must be run manually on the targeted system. However, BackDoor-RQ is known to be used in conjunction with other applications and utilities by an attacker. Other programs or trojans may be used to execute and suppress the window mentioned as a symptom of this trojan."

What other applications and utilities are they referring to here? Does anyone have any more detailed information? The system was already running IIS on port 80 - of course, the attacker could have disabled it for a while, then set up the RQ trojan in its place and then restarted IIS.
I also came across two unusual instances of "IIS.EXE" running on high TCP ports (as seen by fport):

    3380 iis -> 15666 TCP C:\WINNT\SYSTEM32\iis.exe
    3380 iis -> 17890 TCP C:\WINNT\SYSTEM32\iis.exe

Telnet to port 17890 displays the contents of the c:\winnt\system32\login.txt file, with connection specific variables displayed:

    220-Hacked By Seminarian
    220-=======================================================
    220- Hacked By Seminarian For Team Liquid
    220-=======================================================
    220-Your IP : <sanitized>
    220-=======================================================
    220-Kb Received : 0 kb
    220-Kb Send : 0 kb
    220-=======================================================
    220-Average Speed : 0.000 KB/sec
    220-Current Speed : 0.000 KB/sec
    220-Users Connected : 1
    220-Users since ServerStart : 1
    220-=======================================================
    220-Free space : 2239.41MB MB
    220-=======================================================
    220-Server Uptime : 0 Days, 10 Hours
    220 =======================================================

Typing HELP reveals the following (looks like an FTP server of sorts):

    214- The following commands are recognized (* => unimplemented).
    USER PORT RETR ALLO DELE SITE XMKD CDUP
    PASS PASV STOR REST CWD  STAT RMD  XCUP
    ACCT TYPE APPE RNFR XCWD HELP XRMD STOU
    REIN STRU SMNT RNTO LIST NOOP PWD  SIZE
    QUIT MODE SYST ABOR NLST MKD  XPWD MDTM

The site was running many unnecessary services, and was behind on its patches, so there are many ways that an attacker could gain access, however I was unable to determine the exact course of the attack with all of my usual methods. More analysis is pending. If anyone has any further information, or if you have seen this specific attack or EXE before, or know anything about Team Liquid, please leave a reply or send an email to my address -nospam above.
Curt Wilson
Netw3 Security Research
www.netw3.com
netw3at_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
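As an added example (not part of the post above), a small Python triage script that parses fport-style listener output such as the lines quoted in the post and flags the indicators it describes: the DameWare agent on 6129 or DWRCS.EXE, an "iis.exe" running outside system32\inetsrv (the real IIS process is inetinfo.exe there), and a non-IIS binary bound to port 80, the BackDoor-RQ pattern NAI describes. The fport column layout and the sample lines are constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# fport prints "Pid Process -> Port Proto Path"; the layout is assumed from the post.
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+?)\s*$", re.I)

@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str

def parse_fport(text: str) -> List[Listener]:
    # Skip the header and anything that does not look like a listener row.
    out = []
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            out.append(Listener(int(m[1]), m[2], int(m[3]), m[4].upper(), m[5]))
    return out

def triage(l: Listener) -> Optional[str]:
    """Reason to review this listener, or None. Rules follow the post: DameWare agent
    (6129 / DWRCS.EXE), fake iis.exe (real IIS is inetinfo.exe in inetsrv), RQ on 80."""
    exe = l.path.rsplit("\\", 1)[-1].lower()
    path = l.path.lower()
    if l.port == 6129 or exe == "dwrcs.exe":
        return "DameWare MRC agent listener"
    if exe == "iis.exe" or (l.process.lower() == "iis" and "\\inetsrv\\" not in path):
        return "process posing as IIS outside system32\\inetsrv"
    if l.port == 80 and exe != "inetinfo.exe":
        return "non-IIS binary bound to port 80 (BackDoor-RQ pattern)"
    if l.proto == "TCP" and l.port >= 1024 and "\\system32\\" in path:
        return "unexpected high-port TCP listener from SYSTEM32"
    return None

def findings(text: str) -> list:
    """(pid, port, path, reason) for every listener that triage() flags."""
    return [(l.pid, l.port, l.path, r) for l in parse_fport(text) if (r := triage(l))]

# Constructed sample: the two iis.exe lines from the post, plus a constructed
# DameWare agent line and a legitimate IIS line that must not be flagged.
SAMPLE = r"""Pid   Process            Port  Proto Path
3380  iis            ->  15666 TCP   C:\WINNT\SYSTEM32\iis.exe
3380  iis            ->  17890 TCP   C:\WINNT\SYSTEM32\iis.exe
1120  DWRCS          ->  6129  TCP   C:\WINNT\SYSTEM32\DWRCS.EXE
812   inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
"""
```

Run `findings(SAMPLE)` to get the three flagged rows; the generic high-port rule is deliberately last so the more specific reasons win.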
This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 08:38:08 PDT