On Mon, Nov 18, 2002 at 12:37:05PM +0100, Bojan Zdrnja wrote:
>
> I wonder if anyone saw a rootkit with this or this was manual work.
> FTP server was empty, only one 1MB file named '1' was in it (probably to
> test server's speed).
>
> Also, I'm not sure how they got in. Machine is Windows 2000 Professional and
> had SP2 applied on it, but I'm afraid user had weak local administrator
> password (I don't take care of those machines, I was just there to check his
> problems).

I've seen variants of those .bat-files on a huge number of compromised NT/2000 systems. As far as I know it's just a bunch of scripts that the intruder runs manually after downloading them from either his own box (stupid) or another compromised box.

So, how did he get in? I would bet my money on bad or non-existing passwords. Badly configured MS-SQL servers are another often used way in, but maybe not in this case.

There is a very powerful tool written by a Chinese author that scans a class B network and collects null passwords or passwords that are the same as the account's name in less than 40 minutes. Since this is a win32 executable it's often found on the compromised systems. It can also be used with a dictionary.

Another tool that's often found on those systems is Netcat. It may be used to start a command shell session to a specific IP address or to bind cmd.exe to a port that the intruder can use as a backdoor.

The tricky part is to find all the binaries. It has been a long time since intruders started to rename the Serv-U FTP binaries to something more legal. Fport or Active Ports can help you out there. It's like lsof -i for Windows.

If you really want to know how many of your boxes are compromised like this, I recommend using Snort (www.snort.org) and the following rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"USER"; content: "USER"; flags: A+; dsize: <30; depth: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PASS"; content: "PASS"; flags: A+; dsize: <30; depth: 4;)

You might consider a couple of pass rules above those two rules so you don't get all the legal ftp-logins to port 21 and other legal ports. Bear in mind that the rules above might give you a minor shock. If you have a class B net and don't filter TCP 135, 139 and 445 you'll probably have a couple of compromised boxes every day.

Happy hunting

Johan Augustsson
Göteborg University

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 10:23:11 PST
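The following is an added example, not part of the post above or of Snort itself: a small Python emulation of the two rules Johan posted, with the "pass rule" idea he suggests (ignore logins to the expected FTP port) applied first. It spells out what each rule option actually tests (`flags: A+`, `dsize: <30`, `depth: 4`) and runs the rules over a constructed packet list. Assumptions: HOME_NET is 192.0.2.0/24, EXTERNAL_NET is everything outside it (Snort's usual default), the legitimate FTP port is 21, and the packet addresses and payloads are made up for the demonstration.

```python
"""Emulate the two Snort rules from the post over constructed TCP packets."""
import ipaddress
from dataclasses import dataclass

# Assumed lab addressing (constructed for this example).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Pass-rule list: ports where a USER/PASS exchange is legitimate traffic.
LEGAL_FTP_PORTS = {21}

# The two rules from the post: (msg, content, dsize limit, depth)
RULES = [
    ("USER", b"USER", 30, 4),
    ("PASS", b"PASS", 30, 4),
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: str      # TCP flag letters in Snort notation, e.g. "PA" = PSH+ACK
    payload: bytes


def rule_matches(pkt, content, max_dsize, depth):
    """Evaluate one rule's conditions the way Snort reads them.

    $EXTERNAL_NET -> $HOME_NET : source outside HOME_NET, destination inside
    flags: A+                  : ACK set, any other flags allowed
    dsize: <30                 : payload shorter than 30 bytes
    depth: 4                   : pattern must be found within the first 4 bytes
    """
    src_home = ipaddress.ip_address(pkt.src_ip) in HOME_NET
    dst_home = ipaddress.ip_address(pkt.dst_ip) in HOME_NET
    if src_home or not dst_home:
        return False
    if "A" not in pkt.flags:
        return False
    if len(pkt.payload) >= max_dsize:
        return False
    return content in pkt.payload[:depth]


def scan(packets):
    """Return (msg, src, dst, port) for every alert; pass rules are applied first."""
    alerts = []
    for pkt in packets:
        if pkt.dst_port in LEGAL_FTP_PORTS:   # pass rule: ordinary FTP logins
            continue
        for msg, content, max_dsize, depth in RULES:
            if rule_matches(pkt, content, max_dsize, depth):
                alerts.append((msg, pkt.src_ip, pkt.dst_ip, pkt.dst_port))
    return alerts


# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE_PACKETS = [
    # Legitimate FTP login to port 21: silenced by the pass rule.
    Packet("203.0.113.5", "192.0.2.7", 21, "PA", b"USER anonymous\r\n"),
    # FTP login on a high, unexpected port: both rules should fire in turn.
    Packet("203.0.113.5", "192.0.2.7", 43958, "PA", b"USER ftp\r\n"),
    Packet("203.0.113.5", "192.0.2.7", 43958, "PA", b"PASS ftp\r\n"),
    # Web request: pattern not present in the first four bytes.
    Packet("203.0.113.5", "192.0.2.7", 80, "PA", b"GET / HTTP/1.0\r\n"),
    # Bare SYN without ACK: fails flags: A+.
    Packet("203.0.113.9", "192.0.2.7", 1025, "S", b""),
    # Internal source: not $EXTERNAL_NET.
    Packet("192.0.2.3", "192.0.2.7", 2222, "PA", b"USER x\r\n"),
    # Oversized payload: fails dsize: <30.
    Packet("203.0.113.5", "192.0.2.7", 2222, "PA", b"USER " + b"a" * 40),
]

if __name__ == "__main__":
    for msg, src, dst, port in scan(SAMPLE_PACKETS):
        print(f"[{msg}] {src} -> {dst}:{port}")
```

Running the block prints two alerts, both for the login on port 43958; the port-21 login is dropped by the pass list before the rules are consulted, which is exactly why Johan suggests putting pass rules above the alert rules in the ruleset.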