Security Incidents mailing list archives
Re: Trojan of somesort - Update
From: "Bob the Builder" <builder173 () hotmail com>
Date: Thu, 27 May 2004 14:58:56 +0000
Hi all, thanks for everyone's response so far, here is some additional information:
Suspicious ports that were accessible via TCP scan included:

3181/tcp  open  unknown
6767/tcp  open  unknown
6768/tcp  open  unknown
7777/tcp  open  unknown
10128/tcp open  unknown
20200/tcp open  msrpc   Microsoft Windows msrpc
25252/tcp open  mstask  Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)

The FTP service was running on 7777, and I am taking this to have been ServU-FTP as I found this binary on the box.
Additional information returned from nmap regarding suspicious ports was:

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3181-TCP:V=3.50%D=5/21%Time=40AE052D%P=i686-pc-linux-gnu%r(NULL,D,"
SF:Who\x20are\x20you\?\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7777-TCP:V=3.50%D=5/21%Time=40AE052F%P=i686-pc-linux-gnu%r(NULL,30,
SF:"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C@S\xa3
SF:!!!\r\n")%r(GenericLines,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On
SF:\x20Da\x20FUcKiNG\x20C@S\xa3!!!\r\n")%r(GetRequest,44,"220\x20SiGN\x20-
SF:\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C@S\xa3!!!\r\n530\x20Not
SF:\x20logged\x20in\.\r\n")%r(HTTPOptions,44,"220\x20SiGN\x20-\x20FR33-FXP
SF:3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C@S\xa3!!!\r\n530\x20Not\x20logged\x
SF:20in\.\r\n")%r(RTSPRequest,44,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20
SF:On\x20Da\x20FUcKiNG\x20C@S\xa3!!!\r\n530\x20Not\x20logged\x20in\.\r\n")
SF:%r(RPCCheck,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUc
SF:KiNG\x20C@S\xa3!!!\r\n")%r(DNSVersionBindReq,30,"220\x20SiGN\x20-\x20FR
SF:33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C@S\xa3!!!\r\n")%r(DNSStatusRe
SF:quest,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x
SF:20C@S\xa3!!!\r\n")%r(Help,1F6,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20
SF:On\x20Da\x20FUcKiNG\x20C@S\xa3!!!\r\n214-\x20The\x20following\x20comman
SF:ds\x20are\x20recognized\x20\(\*\x20=>\x20unimplemented\)\.\r\n\x20\x20\
SF:x20USER\x20\x20\x20\x20PORT\x20\x20\x20\x20RETR\x20\x20\x20\x20ALLO\x20
SF:\x20\x20\x20DELE\x20\x20\x20\x20SITE\x20\x20\x20\x20XMKD\x20\x20\x20\x2
SF:0CDUP\x20\x20\x20\x20FEAT\r\n\x20\x20\x20PASS\x20\x20\x20\x20PASV\x20\x
SF:20\x20\x20STOR\x20\x20\x20\x20REST\x20\x20\x20\x20CWD\x20\x20\x20\x20\x
SF:20STAT\x20\x20\x20\x20RMD\x20\x20\x20\x20\x20XCUP\x20\x20\x20\x20OPTS\r
SF:\n\x20\x20\x20ACCT\x20\x20\x20\x20TYPE\x20\x20\x20\x20APPE\x20\x20\x20\
SF:x20RNFR\x20\x20\x20\x20XCWD\x20\x20\x20\x20HELP\x20\x20\x20\x20XRMD\x20
SF:\x20\x20\x20STOU\r\n\x20\x20\x20REIN\x20\x20\x20\x20STRU\x20\x20\x20\x2
SF:0SMNT\x20\x20\x20\x20RNTO\x20\x20\x20\x20LIST\x20\x20\x20\x20NOOP\x20\x
SF:20\x20\x20PWD\x20\x20\x20\x20\x20SIZE\r\n\x20\x20\x20QUIT\x20\x20\x20\x
SF:20MODE\x20\x20\x20\x20SYST\x20\x20\x20\x20ABOR\x20\x20\x20\x20NLST\x20\
SF:x20\x20\x20MKD\x20\x20\x20\x20\x20XPWD\x20\x20\x20\x20MDTM\r\n214\x20Di
SF:rect\x20comments\x20or\x20bugs\x20to\x20bugs@bugs\.com\.\r\n")%r(SSLSes
SF:sionReq,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG
SF:\x20C@S\xa3!!!\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port10128-TCP:V=3.50%D=5/21%Time=40AE052F%P=i686-pc-linux-gnu%r(Generic
SF:Lines,6,"SDPACK")%r(GetRequest,6,"SDPACK")%r(HTTPOptions,6,"SDPACK")%r(
SF:RTSPRequest,6,"SDPACK")%r(RPCCheck,6,"SDPACK")%r(DNSVersionBindReq,6,"S
SF:DPACK")%r(DNSStatusRequest,6,"SDPACK")%r(Help,6,"SDPACK")%r(SSLSessionR
SF:eq,6,"SDPACK")%r(SMBProgNeg,6,"SDPACK")%r(X11Probe,6,"SDPACK")%r(LPDStr
SF:ing,6,"SDPACK")%r(LDAPBindReq,6,"SDPACK")%r(LANDesk-RC,6,"SDPACK")%r(Te
SF:rminalServer,6,"SDPACK")%r(NCP,6,"SDPACK")%r(NotesRPC,6,"SDPACK")%r(WMS
SF:Request,6,"SDPACK")%r(oracle-tns,6,"SDPACK");

There were no obvious suspicious connections in netstat; of course this could be because the binary had been modified, but the machine is behind a load balancer. As the load balancer had been set not to send any connections to it (due to a loss in performance), the probability of there having been active connections to the box at the time is slim.
Other than the ServU files and some sort of crude-looking port scanner, so far I haven't been able to find anything else. Does anyone know of a program that can be used to scan for trojans offline, as I now have the machine's disk loaded into my forensics system? I want to find out what other ports I need to be suspicious of so that I can scan the rest of the network for them to see if anything else looks compromised. I plan at some point to try and reboot the system connected to a standalone switch to see what services come back up and see if I can track them to any interesting local files.
Cheers,
Bob
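An added example, not part of the post or the list thread: a small Python parser for the nmap service-fingerprint records quoted above. It joins the SF: continuation lines, decodes nmap's escaped responses back to bytes, checks each response against its declared hex length, and flags listeners that answer every probe with the same bytes, which is how the SDPACK responder on 10128 behaves. The sample input is constructed from the 3181 and 10128 records in the post, with most of the 10128 probe entries dropped for brevity.

```python
import re

# Constructed sample: the 3181 and 10128 fingerprints quoted in the post, with
# most of the 10128 probe entries dropped for brevity.
SAMPLE = r'''
SF-Port3181-TCP:V=3.50%D=5/21%Time=40AE052D%P=i686-pc-linux-gnu%r(NULL,D,"
SF:Who\x20are\x20you\?\n");
SF-Port10128-TCP:V=3.50%D=5/21%Time=40AE052F%P=i686-pc-linux-gnu%r(Generic
SF:Lines,6,"SDPACK")%r(GetRequest,6,"SDPACK")%r(RPCCheck,6,"SDPACK");
'''
_HEADER = re.compile(r'^SF-Port(\d+)-(TCP|UDP):(.*)$', re.S)
# one %r(<probe name>,<hex length>,"<escaped response>") entry
_PROBE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)', re.S)

def unescape(text):
    """Decode nmap's escaping (\\xHH, \\r, \\n, \\t, \\<literal>) into raw bytes."""
    def one(m):
        esc = m.group(1)
        if esc[:1] == b'x':
            return bytes([int(esc[1:], 16)])
        return {b'r': b'\r', b'n': b'\n', b't': b'\t'}.get(esc, esc)  # \? \( \. -> literal
    return re.sub(rb'\\(x[0-9A-Fa-f]{2}|.)', one, text.encode('latin-1'), flags=re.S)

def parse_fingerprints(text):
    """Join SF: continuation lines; return one record per fingerprinted port."""
    blocks = []
    for line in text.splitlines():
        if line.startswith('SF-Port'):
            blocks.append(line)
        elif line.startswith('SF:') and blocks:
            blocks[-1] += line[3:]
    records = []
    for block in blocks:
        port, proto, rest = _HEADER.match(block).groups()
        meta = dict(f.split('=', 1) for f in rest.split('%r(', 1)[0].split('%'))
        probes = [{'probe': name, 'response': unescape(esc),
                   'length_ok': len(unescape(esc)) == int(hexlen, 16)}
                  for name, hexlen, esc in _PROBE.findall(rest)]
        records.append({'port': int(port), 'proto': proto, 'meta': meta, 'probes': probes})
    return records

def probe_insensitive(record):
    """True when several probes all drew one identical reply, a fixed-banner listener."""
    replies = {p['response'] for p in record['probes']}
    return len(record['probes']) > 1 and len(replies) == 1
```

Feed the full fingerprint text from an nmap -sV run to parse_fingerprints; a record whose length_ok is False means the quoted response was mangled in transit, and probe_insensitive on the result separates fixed-reply listeners from real protocol implementations.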