Security Incidents mailing list archives
Re: looking for help
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 5 Nov 2003 10:49:01 -0800 (PST)
Tina... Comments/questions inline:
I too have had a similar incident on one of our Win2k servers but have not been able to define exactly what went on. We had a report of the following showing up in the logs -
Given the logs, did you ever run fport or openports on the system to determine which process was using which port?
The following was found on this system. WinLog This executable was found to be running and I would suspect that it is not a valid winlog.exe file. This is usually placed on the system for observing sessions (keystroke logger?).
What exactly would constitute a valid winlog.exe file?
EventLog This executable was found to be running and I would suspect that it is not a valid eventlog.exe file. I believe that it was there as an event log modifier so that certain events will not appear in the logs.
What makes you believe this? Is there any evidence to suggest that this is the case? I ask b/c as far as I'm aware, there's only one available executable for removing arbitrary entries from the Event Log, and it's very unstable, and can render a system useless. Also, what constitutes a valid eventlog.exe file? I've searched both my home and work Win2K systems, and don't find any evidence of either a winlog.exe or eventlog.exe file. I know that the Event Logs are viewed using EventVwr.exe...the Event Viewer.
Fport This file was on the server and is sometimes installed with the WinLog.exe and EventLog.exe. In the case of a rogue fport.exe its usual functionality is to hide the rogue ports that are open.
Interesting...your "rogue" fport.exe sounds like a partial rootkit. Were you able to demonstrate or prove that it was hiding open "rogue" ports? If so, how? From your post, it doesn't appear that you ran netstat or fport/openports on the local system.
r_server.exe possibly a RAT (Remote Administration Trojan). As Symantec AntiVirus did not find any viruses on the system, I can only assume that it was an installed RAT as apposed to a RAT dropped by a virus.
Symantec is capable of detection a wide variety (but not all) RATs.
The installation batch file for this process is named lolipop.bat which carries out a silent install.
Do you have a copy of the .bat file?
On my initial investigation the r_server process was not running and did not show up in the open ports listing.
Was this initial investigation done via Task Manager and the netstat command, or via some other method?
After a reboot however it appeared as a running process listening on TCP port 8150. There were numerous references to it in the registry.
Where?
Registry Entries (Spyware?) Under the registry sub-tree [\HKEY_USERS\*SID Admin*\Software\Microsoft\Internet Explorer] the following was found. It may be that there is or has been a spyware program on the server as there were references to “Explorer Bars”. nmap reported the following open ports - SMTP mail server on port 25. DNS Server on port 53. IIS Web Server on port 80. LDAP Server on port 389. IIS Secure Web Server on port 443. ncacn_http on port 593 Terminal Services port 3389 VNC Web Server on port 5800. IIS Web Server on port 5838. WinVNC http on port 5900 VNC protocol on port 5900 Serv-U ftpd on port 8000
Was any of this confirmed w/ fport/openports? Do you have copies of the files you mentioned? Thanks, Harlan --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- looking for help Joyce Looger (Nov 04)
- Re: looking for help Harlan Carvey (Nov 05)
- <Possible follow-ups>
- Re: looking for help tina helbig (Nov 05)
- Re: looking for help Harlan Carvey (Nov 05)
- RE: looking for help Gilmore, Corey (DPC) (Nov 05)