FTP and Win2K changed security policy

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Mon Nov 18 2002 - 03:37:05 PST

Next message: Rob Shein: "RE: Fraudulent use of ebay's name"

Previous message: Mally Mclane: "Re: Help - a possible bot"
Next in thread: Don Voss: "Re: FTP and Win2K changed security policy"
Reply: Don Voss: "Re: FTP and Win2K changed security policy"
Reply: Johan Augustsson: "Re: FTP and Win2K changed security policy"
Reply: Joswiak, Johnny G.: "RE: FTP and Win2K changed security policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'm sending this 2nd time because I didn't receive any message neither from
moderator or on ML.

Hi everyone.

Today one of employees on my university asked me to check his machine as he
couldn't use Netmeeting anymore for remote desktop sharing .
Some people here use Netmeeting to easy control their machines from home (I
know I should have banned that before on lower level, but ...).
After I couldn't find his machine on our domain (and he was added) I went to
his computer and saw that he hasn't got Sophos started at all. Every time I
tried to start Sophos it would just hang. Things became interesting at that
point (for me, not him :).

After examining the machine I saw one suspicious process running, under the
name service.exe. This process was listening on port 62345 and it was
actually a Serv-U FTP server in leech mode (just like one we discussed on
this ML few days before).
FTP server was installed in directory c:\winnt\system\tools.
That directory also contained one very interesting subdirectory named win.
In this directory I found a program named win.exe and few .bat files (named
secure.bat and secure1.bat), as well as cygwin dll's and so on. It appears
that this program is used to set whatever security policy he wanted on the
machine, which you can see in secure.bat file. Obviously, his policy didn't
work quite well as he also removed possibility for user to log-on over
Netmeeting (that's why user called me at the first point).

I wonder if anyone saw rootkit with this or this was a manual work.
FTP server was empty, only one 1MB file named '1' was in it (probably to
test server's speed).

Also, I'm not sure how they got in. Machine is Windows 2000 Professional and
had SP2 applied on it, but I'm afraid user had weak local administrator
password (I don't take care of those machines, I was just there to check his
problems).

If needed, I have those directories in a zip archive so I can send it to
someone if you need it.

Best regards,

Bojan Zdrnja


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Rob Shein: "RE: Fraudulent use of ebay's name"
Previous message: Mally Mclane: "Re: Help - a possible bot"
Next in thread: Don Voss: "Re: FTP and Win2K changed security policy"
Reply: Don Voss: "Re: FTP and Win2K changed security policy"
Reply: Johan Augustsson: "Re: FTP and Win2K changed security policy"
Reply: Joswiak, Johnny G.: "RE: FTP and Win2K changed security policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 21:08:42 PST