Security Incidents mailing list archives
Re: FTP and Win2K changed security policy
From: Johan Augustsson <johan.augustsson () adm gu se>
Date: Wed, 20 Nov 2002 08:29:17 +0100
On Mon, Nov 18, 2002 at 12:37:05PM +0100, Bojan Zdrnja wrote:
I wonder if anyone saw rootkit with this or this was a manual work. FTP server was empty, only one 1MB file named '1' was in it (probably to test server's speed). Also, I'm not sure how they got in. Machine is Windows 2000 Professional and had SP2 applied on it, but I'm afraid user had weak local administrator password (I don't take care of those machines, I was just there to check his problems).
I've seen variants of those .bat files on a huge number of compromised NT/2000 systems. As far as I know it's just a bunch of scripts that the intruder runs manually after downloading them from either his own box (stupid) or another compromised box.

So, how did he get in? I would bet my money on bad or non-existent passwords. Badly configured MS-SQL servers are another often-used way in, but maybe not in this case. There is a very powerful tool written by a Chinese author that scans a class B network and collects null passwords, or passwords that are the same as the account's name, in less than 40 minutes. Since this is a win32 executable it's often found on the compromised systems. It can also be used with a dictionary.

Another tool that's often found on those systems is Netcat. It may be used to start a command shell session to a specific IP address, or to bind cmd.exe to a port that the intruder can use as a backdoor.

The tricky part is to find all the binaries. It has been a long time since intruders started to rename the Serv-U FTP binaries to something more legal-looking. Fport or Active Ports can help you out there. It's like lsof -i for Windows.

If you really want to know how many of your boxes are compromised like this, I recommend using Snort (www.snort.org) and the following rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"USER"; content: "USER"; flags: A+; dsize: <30; depth: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PASS"; content: "PASS"; flags: A+; dsize: <30; depth: 4;)

You might consider a couple of pass rules above those two rules so you don't get all the legal ftp logins to port 21 and other legal ports. Bear in mind that the rules above might give you a minor shock. If you have a class B net and don't filter TCP 135, 139 and 445 you'll probably have a couple of compromised boxes every day.
Happy hunting

Johan Augustsson
Göteborg University

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
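The following is an added example and not part of the original post: it re-implements, in plain Python, the matching logic of the two Snort rules Johan gives (external-to-internal TCP, ACK flag set, payload shorter than 30 bytes, the literal "USER"/"PASS" within the first 4 bytes, i.e. at offset 0) together with the "pass rules" he suggests for legitimate FTP servers on port 21. The packet records, the home-network prefix 10.0.0.0/24, the external address 198.51.100.9 and the allow-listed server 10.0.0.5 are all constructed for the example, as is the Packet class. Running it over the sample traffic shows that an FTP login to a non-standard port (here 6969, the sort of port a renamed Serv-U binary would be bound to) alerts, while the port-21 login to the allow-listed server, an oversized payload, a lowercase "user", and internal-to-external traffic do not.

```python
"""Re-implementation of the USER/PASS Snort rules from the post (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed for the example: $HOME_NET is 10.0.0.0/24, everything else is $EXTERNAL_NET.
HOME_NET = ip_network("10.0.0.0/24")

# Assumed "pass rules": legitimate FTP servers whose logins should not alert.
# Snort evaluates pass rules before alert rules, so a hit here suppresses the alert.
PASS_RULES = {(ip_address("10.0.0.5"), 21)}

# The two alert rules from the post: (msg, content). Both share flags:A+, dsize:<30, depth:4.
ALERT_RULES = [("USER", b"USER"), ("PASS", b"PASS")]


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet record (constructed for the example, not a real capture format)."""
    src: str
    dst: str
    dport: int
    flags: str      # TCP flag letters as Snort prints them, e.g. "PA" for PSH+ACK
    payload: bytes


def is_home(ip: str) -> bool:
    return ip_address(ip) in HOME_NET


def matches_rule(pkt: Packet, content: bytes) -> bool:
    """Apply the option part of the rule: flags:A+, dsize:<30, content at depth:4."""
    if "A" not in pkt.flags:          # flags: A+  -> ACK must be set, other flags don't matter
        return False
    if len(pkt.payload) >= 30:        # dsize: <30 -> payload strictly shorter than 30 bytes
        return False
    # content "USER" with depth:4 -> the 4-byte match must lie within the first 4
    # payload bytes, i.e. start at offset 0. Snort content matching is case-sensitive.
    return pkt.payload[: len(content)] == content


def evaluate(pkt: Packet) -> Optional[str]:
    """Return the alert msg for a packet, or None if no rule fires."""
    # Header part: tcp $EXTERNAL_NET any -> $HOME_NET any
    if is_home(pkt.src) or not is_home(pkt.dst):
        return None
    # Pass rules for legal FTP servers are evaluated first, as the post suggests.
    if (ip_address(pkt.dst), pkt.dport) in PASS_RULES:
        return None
    for msg, content in ALERT_RULES:
        if matches_rule(pkt, content):
            return msg
    return None


def scan(packets: List[Packet]) -> List[Tuple[str, str, int, str]]:
    """Run every packet through the rules and return (src, dst, dport, msg) for each alert."""
    alerts = []
    for pkt in packets:
        msg = evaluate(pkt)
        if msg is not None:
            alerts.append((pkt.src, pkt.dst, pkt.dport, msg))
    return alerts


# Constructed sample traffic for the example.
SAMPLE = [
    # Legitimate login to the allow-listed FTP server on port 21: suppressed by the pass rule.
    Packet("198.51.100.9", "10.0.0.5", 21, "PA", b"USER anonymous\r\n"),
    # Login to a warez server hidden on port 6969 of a workstation: both rules fire.
    Packet("198.51.100.9", "10.0.0.7", 6969, "PA", b"USER 1\r\n"),
    Packet("198.51.100.9", "10.0.0.7", 6969, "PA", b"PASS 1\r\n"),
    # Same port, but the payload is 45 bytes: dsize:<30 does not match.
    Packet("198.51.100.9", "10.0.0.7", 6969, "PA", b"PASS " + b"x" * 40),
    # Lowercase command: content matching is case-sensitive, so no alert.
    Packet("198.51.100.9", "10.0.0.7", 6969, "PA", b"user admin\r\n"),
    # Internal host logging in to an external server: wrong direction for the rule header.
    Packet("10.0.0.7", "198.51.100.9", 21, "PA", b"USER upload\r\n"),
    # Plain SYN with no payload: flags:A+ and the content check both fail.
    Packet("198.51.100.9", "10.0.0.7", 6969, "S", b""),
]

if __name__ == "__main__":
    for src, dst, dport, msg in scan(SAMPLE):
        print(f"[**] {msg} [**] {src} -> {dst}:{dport}")
```

Reproducing the rule logic outside Snort like this is mostly useful for sanity-checking what the rules will and will not catch before deploying them: note in particular that the 30-byte size limit and the exact-case match mean a padded or lowercased login would slip past, which is acceptable for the quick survey the post describes but worth knowing if the rules are kept in production.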
Current thread:
- FTP and Win2K changed security policy Bojan Zdrnja (Nov 19)
- Re: FTP and Win2K changed security policy Don Voss (Nov 21)
- Re: FTP and Win2K changed security policy Johan Augustsson (Nov 22)
- <Possible follow-ups>
- RE: FTP and Win2K changed security policy Joswiak, Johnny G. (Nov 25)