Security Incidents mailing list archives

Re: Compromised Win2000 machine. - Follow UP


From: Daniel Hay <dhay () drexel edu>
Date: Thu, 30 May 2002 17:27:41 -0400

OK, I managed to sniff the password for the "login" program after tcpkill'ing the IRC connection of the bot several times, in the hope that the "owner" of the bot would log in and try to figure out what was happening. Sure enough, it only took about 10 minutes and I had the password. I was able to use it to log in the same way the warez pups did. The program that was listening on port 4160 was called wollf; the program is available from www.xfocus.org.

From their website: "Extended Telnet Services, support file transfers, support reverse-connect through firewall, you can use an option to start it as a service or a general process."

It seems pretty powerful from what I've seen dinking around with it this afternoon: it allowed the remote user to "export" a cmd.exe shell on any port you choose, get process listings and screen listings, kill processes, FTP put and get files from other FTP sites, telnet from the compromised host to other hosts, view files on the system, rename and delete files, etc.

After speaking with the user this afternoon I was informed that the machine did in fact have a NULL admin password, but they don't use the admin account, so they never noticed the password had been reset. The warez pups had their junk in 2 hidden directories, c:\winnt\system32\sys32 and c:\winnt\system32\sysfiles.

I had the user zip these directories and send them to me; if anyone wants to check them out, drop me a line. The zip files are the complete directory and structure minus the 12 GB of movies, porn and games :). After running ngrep and looking for the login banner "wollf", I managed to find 3 other dorm machines on campus that had been hit by the same person using the same password, directory structure and ports, so if you find something you think may be the wollf program on port 4160, drop me a line and I'll give you the password, because chances are it's the same kid.

Cheers
Danny



H C wrote:

Some additional thoughts on this particular issue...

...but I thought the advice for a (possibly)
compromised box was *not* to run executable programs that resided on that
host, as they can't be trusted?


While I definitely recommend burning your tools...even
the ones shipped w/ NT/2K, including cmd.exe...to a
CD, to be quite honest, has anyone ever actually seen
a system w/ a trojaned netstat?  Now, I know many
folks are going to pump their arms into the air...so
let me clarify...this is a 2K box.  Has anyone ever
seen a trojaned cmd.exe or netstat.exe?  Has anyone
seen netstat.exe on an NT or 2K system "trojaned" so
as to NOT show certain connects...but otherwise, it
works fine?

Remember...the Linux/*nix architectures are different
from that of NT/2K...and XP.  I'm not saying that this
can't be done...I'm simply asking if anyone can show,
with proof, that this *has* been done?  And it doesn't
have to be just netstat.exe...it can be any other
native tool.  And binding the .exe file using
SaranWrap or EliteWrap doesn't count, as the basic
functionality still exists and all network connects
(netstat) will still be shown...




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
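The banner sweep Danny describes (running ngrep for the "wollf" login banner to find other infected dorm machines) can be reproduced offline against a saved capture. The script below is an added example, not Danny's tooling or anything shipped with wollf: it parses a libpcap file, walks the Ethernet/IPv4/TCP frames, and reports every host that sends a payload containing "wollf" from TCP port 4160, grouped with the clients that talked to it. The packet builder and the sample capture are constructed here so the example runs stand-alone; the port and banner string are the ones given in the post, and the exact banner text ("Wollf v1.6 login: " etc.) is an assumption for the sample data only.

```python
"""Offline sweep of a pcap for hosts serving the wollf backdoor banner.

Added example (not from the original post). Assumptions:
  * the backdoor's listener greets with a payload containing "wollf"
  * it listens on TCP 4160, as described in the post
  * the capture is a libpcap file with Ethernet/IPv4/TCP frames
"""
import struct

BANNER = b"wollf"
PORT = 4160


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_frame(src_ip, sport, dst_ip, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data.
    Checksums are left zero; the parser below does not verify them."""
    total_len = 20 + 20 + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"                      # two zero MACs, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                      65535, 0, 0)                         # PSH|ACK, 20-byte header
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1022800000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each TCP segment."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        if frame[23] != 6:
            continue                                       # not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
        tcp = frame[14 + ihl:14 + ip_total]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[doff:]


def find_wollf_hosts(pcap, banner=BANNER, port=PORT):
    """Return {server_ip: set(client_ips)} for hosts whose traffic *from*
    `port` carries the banner (case-insensitive). Only the server side is
    matched, so a client echoing the word does not create a false hit."""
    hits = {}
    for src, sport, dst, dport, payload in iter_tcp(pcap):
        if sport == port and banner in payload.lower():
            hits.setdefault(src, set()).add(dst)
    return hits


# Constructed capture: two infected hosts, one benign SSH server, and one
# client-side segment that contains the word but comes from the wrong side.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 4160, "192.0.2.10", 3311, b"Wollf v1.6 login: "),
    build_frame("10.0.0.9", 4160, "192.0.2.10", 3312, b"wollf login: "),
    build_frame("10.0.0.7", 22, "192.0.2.10", 3313, b"SSH-2.0-OpenSSH_3.1\r\n"),
    build_frame("192.0.2.10", 3311, "10.0.0.5", 4160, b"wollf\r\n"),
])

if __name__ == "__main__":
    for host, clients in sorted(find_wollf_hosts(SAMPLE_PCAP).items()):
        print(host, "serves wollf banner to", ", ".join(sorted(clients)))
```

On a live segment the same match is roughly `ngrep -q -i wollf 'tcp port 4160'`; the offline version is useful when you already have captures from a span port and want a list of server IPs rather than a scrolling packet dump. Matching only the server-to-client direction, as above, is what keeps the sweep from flagging every machine whose user happened to type the word.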




