RE: Logon.dll? Possible root-kit?

From: Rob Shein (shotenat_private)
Date: Fri Apr 04 2003 - 09:02:03 PST


    Ok, just a quick note to everyone who's wondering about logon.dll.  I
    noticed it was impossibly small (687 bytes, to be precise) and didn't have
    executable headers.  So, I opened it in a text editor...this is what it
    says:
    
    <begin quote>
                         \\ //
                         (o o)
    ###+----oOO--(_)--OOo----+###
    
    |•••|  -=[ HacK€d BY THALLIA ]=- |•••|
    |•••|  -=[ Il est actuellement %TIME ]=- |•••|
    |•••|  -=[ Vous êtes le %unow ème connecté ]=- |•••|
    |•••|  -=[ sur un total de %MaxUsers users ]=- |•••|
    |•••|  -=[ Nombre d'users qui se sont deja connectés %loggedInAll users ]=-
    |•••|
    |•••|  -=[ Serveur on ligne depuis %Serverdays Days, %ServerHours Hours,
    %ServerMins Minutes, %ServerSecs Seconds ]=- |•••|
    |•••|  -=[ La bande passante utilisée actuellement est %ServerKBps ]=- |•••|
    |•••|  -=[ Nonbre de Ko Up %ServerKbUp ]=- |•••|
    |•••|  -=[ Nombre de Ko Dwl %ServerKbDown ]=- |•••|
    
    <end quote>
    
    I saw that go2.bat makes a directory in
    c:\winnt\system32\spool\drivers\color\tmp\a and starts up serv-u FTP (5
    times, apparently).  "Log.txt" is used to report various statistics for
    "Guyver," which I am not familiar with but appears to be some kind of rogue
    FTP server system.  Explorer.exe appears to be the ftp daemon itself.
    
    "Save.bat" does something very interesting...it removes all default
    administrative shares, which tends to make me think that this is how the
    machine was hacked in the first place; the hackers are just making sure
    nobody comes in behind them the same way.
    
    "1.txt" is an ftp script that pulls down log.txt, su.exe (which is also a
    serv-u daemon executable...interesting), and ServUDaemon.ini.  It connects
    to an anonymous account on 65.26.36.203 (a RoadRunner cablemodem user IP) to
    retrieve these files.
    
    DWRCS is DameWare's remote control system, much like WinVNC.  
    
    Are they sure this system was hacked by a former employee?  They should be
    very, very careful before they go down that path, unless they have some
    significant information that points to him.  It looks like they had either a
    vulnerable IIS install (based on logs contained in the RAR file) or default
    shares that got utilized, from what I've looked at.  This is more likely a
    random hit than anything else.
    
    -----Original Message-----
    From: Nick Jacobsen [mailto:nickat_private] 
    Sent: Thursday, April 03, 2003 3:43 PM
    To: incidentsat_private
    Subject: Re: Logon.dll? Possible root-kit?
    
    
    Ok here is link to a rar of the suspected files:
        http://www.ethicsdesign.com/HackLog.rar
    
    As some of you said, it looks like there is not a rootkit installed, and it
    looks like this was an attempt at making this box join a botnet.  A kindly
    IRCOp has offered to both decompile the bot dll, and to remove the offending
    channel (#thallia), so that is taken care of.  Anyway, I did manage to
    convince my clients that this was serious enough to warrant a wipe of the
    data on the machine.  I am waiting to see what your analysis of these files
    is.
    
    Thank You,
    Nick Jacobsen
    nickat_private
    
    
    ----------------------------------------------------------------------------
    Powerful Anti-Spam Management and More...
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.securityfocus.com/SurfControl-incidents
    
    
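The checks Rob walks through above (a "DLL" too small to carry executable headers, a batch file that deletes the default administrative shares, an ftp command script that pulls the bot's files from a remote anonymous account) are the kind of thing a responder ends up repeating by hand for every file in an archive like this one. The script below is an added example, not code from the original thread or from anyone quoted in it, that automates those three triage checks over an in-memory set of files. The sample contents are constructed stand-ins for the files described, not the real contents of HackLog.rar; the host 192.0.2.10 is a documentation address used as a placeholder, and the banner text is invented.

```python
import re
import struct

# Constructed stand-ins for the files discussed in the thread (not the real ones).
# explorer.exe gets a minimal but valid MZ/PE header pair so the image check has
# a positive case; logon.dll is a bare banner template with Serv-U style %vars.
SAMPLES = {
    "logon.dll": b"-=[ HacK3d BY SOMEONE ]=- %TIME %MaxUsers %ServerKBps\r\n",
    "1.txt": (b"open 192.0.2.10\r\nuser anonymous\r\nanon@\r\nbin\r\n"
              b"get log.txt\r\nget su.exe\r\nget ServUDaemon.ini\r\nbye\r\n"),
    "save.bat": (b"@echo off\r\nnet share C$ /delete\r\n"
                 b"net share ADMIN$ /delete\r\nnet share IPC$ /delete\r\n"),
    "explorer.exe": (b"MZ" + b"\x00" * 58            # DOS stub up to e_lfanew (0x3C)
                     + struct.pack("<I", 0x40)       # e_lfanew -> PE signature at 0x40
                     + b"PE\x00\x00" + b"\x00" * 20),
}

BANNER_VAR = re.compile(r"%[A-Za-z]+")
SHARE_DELETE = re.compile(r"^\s*net\s+share\s+(\S+)\s+/delete\b", re.IGNORECASE)


def is_pe_image(data: bytes) -> bool:
    """True only if data starts with an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def banner_variables(data: bytes) -> list:
    """Return the distinct %Placeholder tokens of a banner/MOTD template, in order."""
    seen = []
    for token in BANNER_VAR.findall(data.decode("latin-1")):
        if token not in seen:
            seen.append(token)
    return seen


def parse_ftp_script(data: bytes) -> dict:
    """Parse a Windows 'ftp -s:script' file: target host, user, files fetched/pushed.

    Lines that are not commands (for example the password line after 'user')
    are ignored, so a quoted password is never mistaken for a transfer."""
    result = {"host": None, "user": None, "downloads": [], "uploads": []}
    for line in data.decode("latin-1").splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) > 1:
            result["host"] = parts[1]
        elif cmd == "user" and len(parts) > 1:
            result["user"] = parts[1]
        elif cmd in ("get", "mget", "recv"):
            result["downloads"].extend(parts[1:])
        elif cmd in ("put", "mput", "send"):
            result["uploads"].extend(parts[1:])
    return result


def shares_removed(data: bytes) -> list:
    """List the share names a batch file deletes with 'net share <name> /delete'."""
    removed = []
    for line in data.decode("latin-1").splitlines():
        match = SHARE_DELETE.match(line)
        if match:
            removed.append(match.group(1).upper())
    return removed


def triage(files: dict) -> list:
    """Run the three checks over {filename: bytes} and return human-readable findings."""
    findings = []
    for name, data in files.items():
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if ext in ("dll", "exe", "sys") and not is_pe_image(data):
            findings.append(f"{name}: named like a PE image but has no MZ/PE headers "
                            f"({len(data)} bytes)")
            placeholders = banner_variables(data)
            if placeholders:
                findings.append(f"{name}: looks like a banner template, "
                                f"placeholders {placeholders}")
        elif ext == "bat":
            removed = shares_removed(data)
            if removed:
                findings.append(f"{name}: deletes shares {removed}")
        elif ext == "txt":
            script = parse_ftp_script(data)
            if script["host"]:
                findings.append(f"{name}: ftp script to {script['host']} as "
                                f"{script['user']}, fetches {script['downloads']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```

Pointing `triage` at real files is a matter of reading each one into the dictionary with its name. The PE check deliberately follows `e_lfanew` rather than stopping at the `MZ` magic, because a text file that happens to start with "MZ" would otherwise pass; the ftp parser keys on the first word of each line so that the bare password line of an `ftp -s:` script is skipped rather than misread as a filename.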



    This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 16:44:06 PST