Security Incidents mailing list archives
Re: looking for help
From: tina helbig <t.helbig () ecu edu au>
Date: 5 Nov 2003 06:53:30 -0000
In-Reply-To: <01c201c3a2d4$75b812b0$1208e592@MARS> I too have had a similar incident on one of our Win2k servers but have not been able to define exactly what went on. We had a report of the following showing up in the logs - Oct 12 00:12:03 DENY proto tcp x.x.x.x:2984 167.28.103.30:4898 L=48 S=0x00 I=4343 F=0x4000 T=101 SYN Oct 12 00:12:06 DENY proto tcp x.x.x.x:2984 167.28.103.30:4898 L=48 S=0x00 I=4848 F=0x4000 T=101 SYN The following was found on this system. WinLog This executable was found to be running and I would suspect that it is not a valid winlog.exe file. This is usually placed on the system for observing sessions (keystroke logger?). EventLog This executable was found to be running and I would suspect that it is not a valid eventlog.exe file. I believe that it was there as an event log modifier so that certain events will not appear in the logs. Fport This file was on the server and is sometimes installed with the WinLog.exe and EventLog.exe. In the case of a rogue fport.exe its usual functionality is to hide the rogue ports that are open. Serv-U FTP was found to be installed and running on the server listening on port 8000. Users listed in the ini file were Crew, MMC and leech3r. Logging and associated log files were set to off. r_server.exe possibly a RAT (Remote Administration Trojan). As Symantec AntiVirus did not find any viruses on the system, I can only assume that it was an installed RAT as apposed to a RAT dropped by a virus. The installation batch file for this process is named lolipop.bat which carries out a silent install. On my initial investigation the r_server process was not running and did not show up in the open ports listing. After a reboot however it appeared as a running process listening on TCP port 8150. There were numerous references to it in the registry. mss .ini file which displayed the settings for P2P file sharing. dir.mk.cmd which was a batch file that created a hidden directory tracking. Within this directory it created directories \com1\lpt2\com1\a\ and then two directories stuff and curry. Registry Entries (Spyware?) Under the registry sub-tree [\HKEY_USERS\*SID Admin*\Software\Microsoft\Internet Explorer] the following was found. It may be that there is or has been a spyware program on the server as there were references to Explorer Bars. nmap reported the following open ports - SMTP mail server on port 25. DNS Server on port 53. IIS Web Server on port 80. LDAP Server on port 389. IIS Secure Web Server on port 443. ncacn_http on port 593 Terminal Services port 3389 VNC Web Server on port 5800. IIS Web Server on port 5838. WinVNC http on port 5900 VNC protocol on port 5900 Serv-U ftpd on port 8000 Ethereal analysis of traffic appeared to be normal session traffic although of a limited nature due to being connected to a disabled port.
We have recently discovered several hacked machines on our campus and have so far not been able to determine what vulnerability has been exploited. We have not been able to find references to this anywhere we have looked. The original breakin evidently occurred in June or on July 1st. A file called "hax.bat" was placed on the victim machines, and the scheduler was set to invoke it. Hax.bat was evidently invoked late Oct. 4 or early Oct. 5 and this program installed several things including a keyboard logger (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on port 81 and/or 43958, and an account was created called AdminBackupexec, a remote admnistration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which delete failed, so have a copy of this file. In addition, virus software and firewall software was stopped. Activation of the ftp service occurred on Oct. 15. These systems have also been seen to begin scanning for real servers and apache vulnerabilities. We have not been able to find information on this on the internet, and since the original breakin seems to have been June or July, we do not have sufficient logs going back that far. We also don't have the expertise that others have. If anyone has a clue about this, we would appreciate any tidbit of information. Joyce Looger, Tony Wenden, Jerry Brown Computer and Network Services Universiy of Alabama in Huntsville 824-2607 --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- looking for help Joyce Looger (Nov 04)
- Re: looking for help Harlan Carvey (Nov 05)
- <Possible follow-ups>
- Re: looking for help tina helbig (Nov 05)
- Re: looking for help Harlan Carvey (Nov 05)
- RE: looking for help Gilmore, Corey (DPC) (Nov 05)