TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid

From: Netw3 Security Research (nospamnetw3at_private)
Date: Sat Aug 24 2002 - 02:19:47 PDT


    Greetings. This is a basic analysis and a few questions-
    
    I've come across a system that appears to have been compromised. It is a
    Win2K advanced server, and during analysis I found that the DameWare remote
    control agent version 3.51.1.0 has been installed, which allows remote GUI
    access by an unauthorized party. The DameWare application is running as a
    service and listens on TCP port 6129 by default. The attacker has installed
    the Dameware server application in the default location
    C:\WINNT\SYSTEM32\DWRCS.EXE and DWRCK.DLL. The owner of the executable is
    the Administrators group. DWRCS.EXE can be used through command line to
    install, uninstall, or change the listening port, so any exploit that would
    have allowed the attacker to execute any command line could have been used. 
    
    I downloaded the most recent version of the dameware mini remote control
    from their website (dameware.com) and this installation created an icon in
    the system tray and introduced several files into the WINNT/System32
    directory, as opposed to the two files from version 3.51.1.0. Perhaps the
    attacker was unable to perform the full install, or perhaps they had
    cleaned their tracks and had forgotten to remove these two associated files.
    
    My attempts to use a current DameWare client to connect to the agent
    previously installed by the attacker prompted for various types of
    authentication, leading me to believe that an account had been compromised,
    either due to poor password choice or from some other method, and that this
    account was used to connect to the DameWare agent. However, the agent could
    have been a hacked version that does not require authentication, or could
    contain some other type of backdoor. As a matter of fact, the server
    antivirus app (Netshield) reported the presence of the Backdoor-RQ trojan,
    located at C:\WINNT\System32\SRV1984.exe. The file no longer was present on
    the system, but I have found a few references to SRV1984 on some
    non-English web sites, particularly some sites in China. 
    
    http://hongniao.diy.163.com/download/houmen.htm
    http://www.sandflee.net/liu/liuyan/index.asp?user=sandflee&page=4
    
    NAI says this about the RQ trojan:
    
    "BackDoor-RQ is a patched copy of the Netcat v1.10 NT application/utility.
    This patch causes Netcat to act as a remote console server on port 80 and
    suppresses console messages on the server." 
    
    and
    
    "As an isolated program, this trojan must be run manually on the targeted
    system. However, BackDoor-RQ is known to be used in conjunction with other
    applications and utilities by an attacker. Other programs or trojans may be
    used to execute and suppress the window mentioned as a symptom of this
    trojan. "
    
    What other applications and utilities are they referring to here? Does
    anyone have any more detailed information?
    
    The system was already running IIS on port 80 - of course, the attacker
    could have disabled it for a while, then set up the RQ trojan in its place
    and then restarted IIS. I also came across two unusual instances of
    "IIS.EXE" running on high TCP ports (as seen by fport):
    
    3380  iis            ->  15666 TCP   C:\WINNT\SYSTEM32\iis.exe     
    3380  iis            ->  17890 TCP   C:\WINNT\SYSTEM32\iis.exe     
    
    Telnet to port 17890 displays the contents of the
    c:\winnt\system32\login.txt file, with connection specific variables
    displayed:
    
    220-Hacked By Seminarian
    220-=======================================================
    220-        Hacked By Seminarian For Team Liquid
    220-=======================================================
    220-Your IP                     : <sanitized>
    220-=======================================================
    220-Kb Received                 : 0 kb
    220-Kb Send                     : 0 kb
    220-=======================================================
    220-Average Speed               : 0.000 KB/sec
    220-Current Speed               : 0.000 KB/sec
    220-Users Connected             : 1
    220-Users since ServerStart     : 1
    220-=======================================================
    220-Free space                  : 2239.41MB MB
    220-=======================================================
    220-Server Uptime               : 0 Days, 10 Hours
    220 =======================================================
    
    Typing HELP reveals the following (looks like an FTP server of sorts):
    
    214- The following commands are recognized (* => unimplemented).
       USER    PORT    RETR    ALLO    DELE    SITE    XMKD    CDUP
       PASS    PASV    STOR    REST    CWD     STAT    RMD     XCUP
       ACCT    TYPE    APPE    RNFR    XCWD    HELP    XRMD    STOU
       REIN    STRU    SMNT    RNTO    LIST    NOOP    PWD     SIZE
       QUIT    MODE    SYST    ABOR    NLST    MKD     XPWD    MDTM
    
    
    The site was running many unnecessary services, and was behind on its
    patches, so there are many ways that an attacker could gain access, however
    I was unable to determine the exact course of the attack with all of my
    usual methods. More analysis is pending.
    
    If anyone has any further information, or if you have seen this specific
    attack or EXE before, or know anything about Team Liquid, please leave a
    reply or send an email to my address -nospam above.
    
    
    
    
    Curt Wilson
    Netw3 Security Research
    www.netw3.com
    netw3at_private
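Two triage helpers written to go with the evidence in the post above (an added example, not the poster's own tooling): a parser for fport-style listener listings that flags the DameWare default port and an "iis.exe" listening somewhere other than the web ports, and a parser for the multi-line FTP greeting on 17890 that pulls out the `key : value` fields and recognises a "Hacked By" banner. The fport listing and the greeting below are constructed from the values quoted in the post; the DWRCS.EXE row, its PID and the System row are assumed entries, not from the post.

```python
"""Triage helpers for the evidence in the post: a parser for fport-style
listener listings and a parser for multi-line FTP greetings.
Added example; the sample data below is constructed from the post's values."""
import re
from typing import Dict, List, Tuple

# Constructed fport-style listing. The two iis.exe lines mirror the post; the
# System and DWRCS.EXE rows are assumed entries (DameWare agent on its default port).
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
8     System         ->  80    TCP
3380  iis            ->  15666 TCP   C:\\WINNT\\SYSTEM32\\iis.exe
3380  iis            ->  17890 TCP   C:\\WINNT\\SYSTEM32\\iis.exe
1504  DWRCS          ->  6129  TCP   C:\\WINNT\\SYSTEM32\\DWRCS.EXE
"""

# Constructed greeting, reproducing (in shortened form) the banner quoted in the post.
BANNER_SAMPLE = """\
220-Hacked By Seminarian
220-=======================================================
220-        Hacked By Seminarian For Team Liquid
220-=======================================================
220-Your IP                     : <sanitized>
220-=======================================================
220-Kb Received                 : 0 kb
220-Kb Send                     : 0 kb
220-Users Connected             : 1
220-Free space                  : 2239.41MB MB
220-Server Uptime               : 0 Days, 10 Hours
220 =======================================================
"""

KNOWN_REMOTE_CONTROL_PORTS = {6129: "DameWare Mini Remote Control default port"}
# IIS 5 on Win2K runs as inetinfo.exe; a binary named iis.exe is not part of it.
SUSPECT_BINARIES = {"iis.exe": "not an IIS component (IIS runs as inetinfo.exe)"}
WEB_PORTS = {80, 443}

FPORT_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(\S.*)?$")


def parse_fport(text: str) -> List[Dict[str, object]]:
    """Turn fport output into rows; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        rows.append({"pid": int(pid), "process": proc, "port": int(port),
                     "proto": proto, "path": (path or "").strip()})
    return rows


def flag_listeners(rows: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (port, reason) pairs for listeners that deserve a closer look."""
    findings = []
    for r in rows:
        port = r["port"]
        if port in KNOWN_REMOTE_CONTROL_PORTS:
            findings.append((port, KNOWN_REMOTE_CONTROL_PORTS[port]))
        binary = str(r["path"]).rsplit("\\", 1)[-1].lower()
        if binary in SUSPECT_BINARIES and port not in WEB_PORTS:
            findings.append((port, f"{binary} on port {port}: {SUSPECT_BINARIES[binary]}"))
    return findings


def parse_ftp_greeting(banner: str) -> Tuple[str, Dict[str, str]]:
    """Split a multi-line FTP reply (RFC 959: 'NNN-' continuation lines, 'NNN '
    final line) into the reply code and any 'key : value' fields it carries."""
    code, fields = "", {}
    for line in banner.splitlines():
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            continue
        code, body = line[:3], line[4:]
        if ":" in body:
            key, value = body.split(":", 1)
            fields[key.strip()] = value.strip()
        if line[3] == " ":      # final line of the reply
            break
    return code, fields


def is_defaced_banner(banner: str) -> bool:
    """A greeting that announces a compromise is itself an indicator."""
    return re.search(r"hacked\s+by", banner, re.IGNORECASE) is not None


if __name__ == "__main__":
    for port, reason in flag_listeners(parse_fport(FPORT_SAMPLE)):
        print(f"port {port}: {reason}")
    code, fields = parse_ftp_greeting(BANNER_SAMPLE)
    print(code, fields, is_defaced_banner(BANNER_SAMPLE))
```

Run against the constructed listing it reports the two iis.exe listeners on 15666 and 17890 and the DameWare port; the greeting parser stops at the `220 ` line that terminates the reply, so the fields it returns come only from the greeting and not from whatever the server sends afterwards.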
    
    
    