Your case fits a scenario I just finished investigating. See http://www.russonline.net/tonikgin/EduHacking.html and you'll probably find an exact match of what happened, except for maybe firedaemon, since it really isn't needed with Dameware there. Look closely at the "dll" files in those directories with notepad or a hex editor and you'll find the irc configs, etc. There will be other files, but I'm sure you'll find them. The box will be better off being reloaded, no local admin accts, etc.

Johnny

-----Original Message-----
From: Bojan Zdrnja [mailto:Bojan.Zdrnjaat_private]
Sent: Monday, November 18, 2002 5:37 AM
To: incidentsat_private
Subject: FTP and Win2K changed security policy

I'm sending this a 2nd time because I didn't receive any message, either from the moderator or on the ML.

Hi everyone.

Today one of the employees at my university asked me to check his machine, as he couldn't use Netmeeting anymore for remote desktop sharing. Some people here use Netmeeting to easily control their machines from home (I know I should have banned that before at a lower level, but ...). After I couldn't find his machine on our domain (and he was added), I went to his computer and saw that he didn't have Sophos started at all. Every time I tried to start Sophos it would just hang. Things became interesting at that point (for me, not him :).

After examining the machine I saw one suspicious process running, under the name service.exe. This process was listening on port 62345 and it was actually a Serv-U FTP server in leech mode (just like the one we discussed on this ML a few days before). The FTP server was installed in the directory c:\winnt\system\tools. That directory also contained one very interesting subdirectory named win. In this directory I found a program named win.exe and a few .bat files (named secure.bat and secure1.bat), as well as cygwin DLLs and so on. It appears that this program is used to set whatever security policy he wanted on the machine, which you can see in the secure.bat file.

Obviously, his policy didn't work quite well, as he also removed the possibility for the user to log on over Netmeeting (that's why the user called me in the first place). I wonder if anyone has seen a rootkit with this, or whether this was manual work. The FTP server was empty; only one 1MB file named '1' was in it (probably to test the server's speed).

Also, I'm not sure how they got in. The machine is Windows 2000 Professional and had SP2 applied to it, but I'm afraid the user had a weak local administrator password (I don't take care of those machines, I was just there to check his problems).

If needed, I have those directories in a zip archive, so I can send it to someone if you need it.

Best regards,

Bojan Zdrnja

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
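The finding in Bojan's message (a process named service.exe, mimicking the legitimate services.exe, listening on TCP 62345 from c:\winnt\system\tools) is the kind of thing a short triage script can surface on other hosts. The following is an added example, not code from either poster: it correlates LISTENING lines from `netstat -ano` output with a PID-to-image-path map and flags listeners whose image sits outside an allow-list of directories, whose name is one edit away from a core Windows process name, or which bind a non-standard high port. The netstat text, the PID-to-path map and the trusted-directory list are constructed sample data for a Windows 2000 host; on a real machine the map would come from a process lister that reports image paths.

```python
"""Triage helper: correlate listening sockets with process image paths.

Added example. The sample data below is constructed to mirror the incident
in the thread: service.exe (not services.exe) listening on 62345 from
c:\\winnt\\system\\tools. Real input would be `netstat -ano` output and a
PID -> image path map from a process lister.
"""
from dataclasses import dataclass, field

# Constructed `netstat -ano` excerpt (Win2K: PID 8 is the System process).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       412
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:62345          0.0.0.0:0              LISTENING       1532
  TCP    10.0.0.5:1044          10.0.0.9:80            ESTABLISHED     980
"""

# Constructed PID -> image path map (what a process lister would give you).
PROCESS_SAMPLE = {
    412: "c:\\winnt\\system32\\svchost.exe",
    8: "System",
    1532: "c:\\winnt\\system\\tools\\service.exe",
    980: "c:\\program files\\internet explorer\\iexplore.exe",
}

# Hypothetical allow-list of directories a listener is expected to run from.
TRUSTED_DIRS = ("c:\\winnt\\system32\\", "c:\\program files\\")

# Core Windows process names that malware commonly imitates with small edits.
CORE_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
              "csrss.exe", "winlogon.exe", "explorer.exe"}


@dataclass
class Finding:
    pid: int
    port: int
    image: str
    reasons: list = field(default_factory=list)


def parse_netstat(text):
    """Return (local_port, pid) for every LISTENING TCP line of `netstat -ano` output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            listeners.append((port, int(parts[4])))
    return listeners


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names like service.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_core_name(name):
    """True when `name` is one edit away from a core process name but not equal to it."""
    name = name.lower()
    if name in CORE_NAMES:
        return False
    return any(edit_distance(name, core) == 1 for core in CORE_NAMES)


def triage(netstat_text, pid_to_image):
    """Flag listening processes that look out of place; returns a list of Finding."""
    findings = []
    for port, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        low = image.lower()
        reasons = []
        if low != "system" and not low.startswith(TRUSTED_DIRS):
            reasons.append("image outside trusted directories")
        basename = low.rsplit("\\", 1)[-1]
        if looks_like_core_name(basename):
            reasons.append("name mimics a core Windows process (%s)" % basename)
        if port >= 1024:
            reasons.append("listener on non-standard high port")
        if reasons:
            findings.append(Finding(pid, port, image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print("PID %d port %d %s" % (f.pid, f.port, f.image))
        for r in f.reasons:
            print("  -", r)
```

Run against the sample data, only PID 1532 is reported, with all three reasons. The near-miss name check is deliberately strict (distance exactly 1 and not an exact match) so that legitimate svchost.exe instances do not trip it; the directory allow-list is the control most worth tuning per site, since a rogue server dropped under c:\winnt\system32 would pass it and be caught only by the other two checks.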
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 09:57:33 PST