Re: Compromised Win2000 machine.

[H C <keydet89 () yahoo com>]

Daniel,

I'm curious as to why you haven't run fport on the
system?  This would tell you which process is using
that port.  You could then shut the process down, and
take a closer look at the executable.


--- Daniel Hay <dhay () drexel edu> wrote:
> Hey,
>           Today i found a windows machine located in
> our dorms that had 
> been compromised, but unlike most of the compromised
> machines i see come 
> out of the dorms the Admin password was actually set
> and it was set to 
> something other than NULL or Administrator.  The
> attacker set up 2 
> Serv-U ftpd's on the host on high ports 23432 and
> 65531 to be exact, 
> they also installed a warez eggdrop bot that
> connects to the newnet IRC 
> Network and servs via the #warez-excell channel. The
> thing that puzzles 
> me and i've not been able to get any information on
> it through web 
> searches and mailing lists so far, on port 4160
> there seems to be a 
> login prompt. When you nc to the port you are
> presented with the following
>
> [dhay@ob-1 dhay]$ nc compromise.host.edu 4160
> Login: administrator
>
> Invalid password!!!
> login:
>
>
> An nc to the auth port (113) yields
>
>
>  [dhay@ob-1 dhay]$ nc 144.118.217.84 113
>
> 934 , 6667 : USERID : UNIX : bitch
>
>
>
> I'm hoping someone notices the shift from Uppercase
> "L" in login to 
> lower case after you fail to login and recognizes it
> as a known 
> backdoor? or  something similar... does anyone know
> of any canned 
> rootkits ( for want of a better term ) that acts in
> the way i've 
> described above? I'll paste the output of nmap -sS
> -sU -p 1-65535 below
>
>
> Port       State       Service
> 99/tcp     open        metagram               
> 113/tcp    open        auth                   
> 135/tcp    open        loc-srv                
> 135/udp    open        loc-srv                
> 137/udp    open        netbios-ns             
> 138/udp    open        netbios-dgm            
> 139/tcp    open        netbios-ssn            
> 445/tcp    open        microsoft-ds           
> 445/udp    open        microsoft-ds           
> 500/udp    open        isakmp                 
> 1025/tcp   open        listen                 
> 1026/udp   open        unknown                
> 4160/tcp   open        unknown                
> 23432/tcp  open        unknown                
> 65531/tcp  open        unknown                
>
>
>
> Cheers
> Danny 
> Drexel University
> Network Security Engineer
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com