Security Incidents mailing list archives
Re: Compromised Win2000 machine. - Follow UP
From: Daniel Hay <dhay () drexel edu>
Date: Thu, 30 May 2002 17:27:41 -0400
OK, I managed to sniff the password for the "login" program after tcpkill'ing the IRC connection of the bot several times, in the hope that the "owner" of the bot would log in and try to figure out what was happening. Sure enough, it only took about 10 minutes and I had the password. I was able to use it to log in the same way the warez pups did. The program that was listening on port 4160 was called wollf; the program is available from www.xfocus.org.
From their website: "Extended Telnet Services, support file transfers, support reverse-connect through firewall, you can use an option to start it as a service or a general process."
It seems pretty powerful from what I have seen dinking around with it this afternoon. It allowed the remote user to "export" a cmd.exe shell on any port you choose; it allowed you to get process listings and screen listings, kill processes, FTP put and get files from other FTP sites, telnet from the compromised host to other hosts, view files on the system, rename and delete files, etc.
After speaking with the user this afternoon, I was informed that the machine did in fact have a NULL admin password, but they don't use the admin account so they never noticed the password had been reset. The warez pups had their junk in 2 hidden directories, c:\winnt\system32\sys32 and c:\winnt\system32\sysfiles.
I had the user zip these directories and send them to me; if anyone wants to check them out, drop me a line. The zip files are the complete directory and structure minus the 12 gig of movies, porn and games :). After running ngrep and looking for the login banner "wollf", I managed to find 3 other dorm machines on campus that had been hit by the same person using the same password, directory structure and ports, so if you find something you think may be the wollf program on port 4160, drop me a line and I'll give you the password, because chances are it's the same kid.
Cheers,
Danny

H C wrote:
Some additional thoughts on this particular issue...

but I thought the advice for a (possibly) compromised box was *not* to run executable programs that resided on that host, as they can't be trusted?

While I definitely recommend burning your tools...even the ones shipped w/ NT/2K, including cmd.exe...to a CD, to be quite honest, has anyone ever actually seen a system w/ a trojaned netstat? Now, I know many folks are going to pump their arms into the air...so let me clarify...this is a 2K box. Has anyone ever seen a trojaned cmd.exe or netstat.exe? Has anyone seen netstat.exe on an NT or 2K system "trojaned" so as to NOT show certain connects...but otherwise, it works fine? Remember...the Linux/*nix architectures are different from that of NT/2K...and XP. I'm not saying that this can't be done...I'm simply asking if anyone can show, with proof, that this *has* been done? And it doesn't have to be just netstat.exe...it can be any other native tool. And binding the .exe file using SaranWrap or EliteWrap doesn't count, as the basic functionality still exists and all network connects (netstat) will still be shown...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
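The two technical points in this exchange are Daniel's ngrep sweep for the "wollf" login banner on port 4160, which turned up three more infected dorm machines, and H C's question about whether a host's own netstat can be trusted. The following is an added example, not code from either poster or from the wollf tool, showing both ideas as a defender would script them: an ngrep-style banner match over captured TCP payloads, grouped by host, and a cross-view check that diffs ports seen answering on the wire against what the host's netstat -an reported. The packet records, the banner text "wollf login:", the IP addresses and the netstat output are all constructed sample data; the real wollf banner is not quoted in the thread beyond the word "wollf".

```python
"""Added example: ngrep-style banner sweep plus wire-vs-netstat cross-view check.
All packets, addresses and netstat text below are constructed sample data."""
import re
from collections import defaultdict

WOLLF_PORT = 4160                                   # port named in the post
BANNER_RE = re.compile(rb"wollf", re.IGNORECASE)    # banner string named in the post

# Constructed capture records: (src_ip, src_port, dst_ip, dst_port, payload).
# A banner is sent by the server side, so the compromised host is the source.
SAMPLE_PACKETS = [
    ("10.20.1.15", 4160, "203.0.113.9", 33001, b"\r\nwollf login: "),
    ("10.20.1.15", 4160, "203.0.113.9", 33001, b"password: "),
    ("10.20.3.77", 4160, "203.0.113.9", 33010, b"\r\nWOLLF login: "),
    ("10.20.5.4",  80,   "198.51.100.2", 41000, b"HTTP/1.1 200 OK\r\n"),
    ("10.20.7.21", 4160, "203.0.113.9", 33020, b"SSH-2.0-OpenSSH_3.1\r\n"),  # same port, different service
    ("10.20.9.8",  6667, "10.20.1.15", 1045, b":irc.example NOTICE AUTH :*** Looking up your hostname\r\n"),
]

# Constructed "netstat -an" output as the compromised host itself reported it.
NETSTAT_HOST_VIEW = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.20.1.15:139         0.0.0.0:0              LISTENING
  TCP    10.20.1.15:1045        10.20.9.8:6667         ESTABLISHED
"""


def banner_hits(packets):
    """Map server_ip -> set of server ports whose payload carried the wollf banner."""
    hits = defaultdict(set)
    for src, sport, _dst, _dport, payload in packets:
        if BANNER_RE.search(payload):
            hits[src].add(sport)
    return dict(hits)


def port_only_suspects(packets, port=WOLLF_PORT):
    """Hosts talking on the wollf port that never showed the banner: worth a manual look,
    but not a confirmed hit (port 4160 alone could be anything)."""
    on_port = {src for src, sport, *_ in packets if sport == port}
    return sorted(on_port - set(banner_hits(packets)))


def wire_listeners(packets, host):
    """Ports from which `host` sent payload to a peer; a heuristic view of what is
    answering on that machine, built entirely from the sniffer rather than the host."""
    return {sport for src, sport, *_ in packets if src == host}


def parse_netstat_listening(text):
    """Extract LISTENING TCP ports from Windows-style `netstat -an` output."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def hidden_listeners(wire_seen, netstat_listening):
    """Cross-view check: ports that answered on the wire but the host's own netstat
    did not list. A non-empty result means the host view cannot be trusted."""
    return sorted(set(wire_seen) - set(netstat_listening))


if __name__ == "__main__":
    print("banner hits:", banner_hits(SAMPLE_PACKETS))
    print("port-only suspects:", port_only_suspects(SAMPLE_PACKETS))
    host = "10.20.1.15"
    missing = hidden_listeners(wire_listeners(SAMPLE_PACKETS, host),
                               parse_netstat_listening(NETSTAT_HOST_VIEW))
    print(f"{host}: answering on the wire but absent from its netstat: {missing}")
```

The cross-view check is the practical answer to the "has anyone seen a trojaned netstat" question: it does not matter whether the binary was replaced, hooked or merely misconfigured, since a port that answers on the network but is absent from the host's own listing is evidence either way, and the comparison costs nothing once a sniffer is already running on the segment.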
Current thread:
- Compromised Win2000 machine. Daniel Hay (May 28)
- Re: Compromised Win2000 machine. H C (May 28)
- RE: Compromised Win2000 machine. Kit (May 28)
- RE: Compromised Win2000 machine. Don Weber (May 29)
- RE: Compromised Win2000 machine. H C (May 29)
- Re: Compromised Win2000 machine. Daniel Hay (May 29)
- Re: Compromised Win2000 machine. Mark Newby (May 29)
- Re: Compromised Win2000 machine. H C (May 29)
- Re: Compromised Win2000 machine. Patrick Andry (May 29)
- Re: Compromised Win2000 machine. H C (May 30)
- Re: Compromised Win2000 machine. - Follow UP Daniel Hay (May 30)
- Re[2]: Compromised Win2000 machine. Joris De Donder (May 31)
- Re: Re[2]: Compromised Win2000 machine. H C (May 31)
- RE: Compromised Win2000 machine. Don Weber (May 29)
- <Possible follow-ups>
- Re: Compromised Win2000 machine. ghb the irrepressible (May 29)