RE: Hacked NT/2K box

From: Marc Maiffret (marc@eeye.com)
Date: 07/23/01


From: "Marc Maiffret" <marc@eeye.com>
To: <focus-ms@securityfocus.com>
Subject: RE: Hacked NT/2K box
Date: Mon, 23 Jul 2001 09:57:12 -0700
Message-ID: <EIEOJCKGEPCLJHGCNNOPOEELECAA.marc@eeye.com>

www.rootkit.com, don't leave home without it. Lots of cool trojan code
there... real NT trojans (kernel level etc...) in the same manner as the
unix ones.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: keydet89@yahoo.com [mailto:keydet89@yahoo.com]
|Sent: Monday, July 23, 2001 4:15 AM
|To: focus-ms@securityfocus.com
|Subject: Hacked NT/2K box
|
|
|When I was at BlackHat and DefCon recently, I was
|having discussions with some folks regarding an
|article I'd written on NT incident response. I'd
|written the article along the same lines as a
|Linux or Solaris incident response procedure, but
|with NT in mind.
|
|The discussion centered around this...having your
|hands on an NT or 2K box that was 'hacked' in much
|the same way as a Linux or Solaris box. I wasn't
|able to find anyone who has seen such a thing. I
|work on an all-NT infrastructure, with 2K systems
|providing web hosting in the data center. Many
|others have similar infrastructures.
|
|When a Linux box is 'hacked' (generally speaking,
|of course), the attacker puts on a rootkit and
|uses that box as a step-off point to attack other systems.
|This isn't something you see with NT. The
|'sadmin/IIS' (poisonbox) worm is another good
|example.
|
|So, my question to the group is this...has anyone
|seen a 'hacked' NT or 2K box? If so, what did you
|find out about it? What technique did the attacker
|use? How did they establish a foothold on the box,
|what tools did they load, and what did they do
|from there? I've already read through JD Glaser's
|BlackHat presentation from '99.
|
|It's been said that NT boxes are easy to hack b/c
|of vulnerabilities to services, but not easy to
|hack b/c you can't 'get on the box' the same way
|you can with Linux or Solaris.
|
|Input is appreciated.
|

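The original post asks what an investigator finds on a compromised NT/2K host: how the foothold was gained, what was loaded, and what the attacker did from there. As an added example that is not part of either message in the thread, the script below takes a first-look triage snapshot organised around those three questions: listeners with their owning process, services whose binary lives outside the system directories, recently written executables, and the usual persistence points. It assumes a current PowerShell (5.1 or later, with the NetTCPIP and ScheduledTasks modules) run as an administrator; the output directory and the `$RecentDays` window are my own choices. Hosts of the NT4/2000 era predate these cmdlets, so the checks are the same but the tooling differs.

```powershell
# Added example (not from the thread): first-look triage snapshot of a
# suspected-compromised Windows host. Assumes PowerShell 5.1+, run elevated.
# Output paths, the $RecentDays window and the extension list are assumptions.
param(
    [int]$RecentDays = 14,
    [string]$OutDir = "$env:TEMP\triage-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Process table once, keyed by PID, so listeners can be tied to an image path
# and command line. Win32_Process is a user-mode view of the kernel's list.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# 1. Foothold: what is listening, and which process owns each listener.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $owner = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        Pid          = $_.OwningProcess
        Image        = $owner.ExecutablePath
        CommandLine  = $owner.CommandLine
    }
} | Sort-Object LocalPort | Export-Csv "$OutDir\listeners.csv" -NoTypeInformation

# 2. Services whose binary is outside %SystemRoot%: a common place to park a
#    remote-control tool so it survives reboot.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Export-Csv "$OutDir\services-nonsystem.csv" -NoTypeInformation

# 3. Loaded tools: executables and scripts written within the window under
#    the system root, ProgramData and the current profile.
$exts   = '.exe', '.dll', '.sys', '.bat', '.cmd', '.vbs', '.ps1'
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -Path $env:SystemRoot, $env:ProgramData, $env:USERPROFILE `
              -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension.ToLower() -and $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Export-Csv "$OutDir\recent-executables.csv" -NoTypeInformation

# 4. Persistence: Run/RunOnce keys and non-Microsoft scheduled tasks.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty $key | Select-Object -Property * -ExcludeProperty PS*).PSObject.Properties |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Export-Csv "$OutDir\runkeys.csv" -NoTypeInformation

Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{ TaskPath = $_.TaskPath; TaskName = $_.TaskName
                               Execute = $a.Execute; Arguments = $a.Arguments }
        }
    } | Export-Csv "$OutDir\scheduled-tasks.csv" -NoTypeInformation

# 5. Crude cross-view check: PIDs seen by Get-Process but not by WMI, or vice
#    versa. Both are user-mode views, so a kernel-level rootkit that hooks the
#    enumeration hides from both; a difference is a lead, not a verdict, and
#    short-lived processes produce harmless noise between the two calls.
Compare-Object -ReferenceObject @((Get-Process).Id) -DifferenceObject @($procs.ProcessId) |
    Export-Csv "$OutDir\process-view-diff.csv" -NoTypeInformation

Write-Host "Triage snapshot written to $OutDir"
```

Run it from a known-good PowerShell copy on removable media and write the output off the host: everything here is collected through the compromised machine's own APIs, which is exactly what a kernel-level trojan of the kind the reply mentions is built to subvert. A clean listener and process list from this script does not clear the box; a dirty one is where the investigation starts.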