Re: 'rooted' NT/2K boxen?
From: Jonathan G. Lampe (jonathan@stdnet.com)
Date: 05/02/02
- Previous message: Arendt, Jordan ED0: "RE: Rolling out patches"
- In reply to: H C: "'rooted' NT/2K boxen?"
- Next in thread: Jon Miller: "Re: 'rooted' NT/2K boxen?"
Date: Thu, 02 May 2002 16:12:42 -0500
To: focus-ms@securityfocus.com
From: "Jonathan G. Lampe" <jonathan@stdnet.com>
>My question is this...has anyone seen NT/2K boxen
>'rooted', in the sense that a Linux box is usually rooted...
Yes.
>completely taken over, trojaned binaries,
I think the best takeovers involve trojaning the Windows authentication
programs (the "GINAs"). Some simply spool the username/password of
whoever signs onto the box into a clear text file (or the Internet?) for
later retrieval...others "hardcode" admin access.
I've also seen people copy "trojaned" cmd.exe or copies of this file over
to rooted boxes, although these files have always been binarily identical
to some actual command prompt...(I'm still waiting to see my first M$
"shell" trojan in the wild.)
>backdoors, users installed,
I have yet to see a rooted M$ box with less-than-administrator users
installed by malicious people. It appears if someone wants to use the box
for warez, they generally install a trojaned, "third-party" FTP
server. (More features, better control...the usual reasons people avoid
IIS FTP...)
>If so, what, if any, info would you be willing to
>share about the system?
Pretty much all were unpatched systems. About half the ones I saw had been
previously hacked (they were "known targets"). All were either exposed to
the Internet or on the same segment as an Internet-exposed box.
- Jonathan Lampe
- jonathan@stdnet.com
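The two takeover signs described in the reply above (a swapped GINA and a replaced cmd.exe) can be checked against a baseline recorded while the box was known clean. This is an added example, not code from the post or the list; it assumes the defender has a .reg export of the Winlogon key (whose GinaDLL value names the GINA Winlogon loads on NT4/2000) and a table of SHA-256 hashes taken earlier; all sample inputs below are constructed stand-ins, not real binaries.

```python
import hashlib
import re

# Winlogon loads the GINA named by the GinaDLL value under this key (NT4/2000/XP);
# when the value is absent the stock msgina.dll is used.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"


def gina_from_reg_export(reg_export: str) -> str:
    """Return the GinaDLL path from a .reg export of the Winlogon key (default if unset)."""
    in_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == WINLOGON_KEY.lower()
        elif in_key:
            m = re.match(r'^"GinaDLL"="(.*)"$', line)
            if m:
                return m.group(1).replace("\\\\", "\\")  # .reg files double backslashes
    return DEFAULT_GINA


def audit(reg_export: str, files: dict, baseline: dict) -> list:
    """Flag a non-default GINA and any baselined binary whose SHA-256 no longer matches.

    files maps lowercase file name -> bytes read from the box; baseline maps the same
    names -> hex SHA-256 recorded when the box was known clean. Returns a list of findings.
    """
    findings = []
    gina = gina_from_reg_export(reg_export)
    if gina.split("\\")[-1].lower() != DEFAULT_GINA:
        findings.append(f"GinaDLL overridden: {gina}")
    for name, expected in baseline.items():
        data = files.get(name)
        if data is None:
            findings.append(f"{name}: missing")
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(f"{name}: hash differs from baseline")
    return findings


# Constructed sample data: a clean box, and one with a swapped GINA and a replaced cmd.exe.
CLEAN_REG = "Windows Registry Editor Version 5.00\n\n[" + WINLOGON_KEY + ']\n"DefaultUserName"="Administrator"\n'
BAD_REG = CLEAN_REG + '"GinaDLL"="C:\\\\WINNT\\\\system32\\\\gina32.dll"\n'
GOOD = {"msgina.dll": b"stand-in for the real msgina.dll", "cmd.exe": b"stand-in for the real cmd.exe"}
BASELINE = {n: hashlib.sha256(b).hexdigest() for n, b in GOOD.items()}
TAMPERED = {**GOOD, "cmd.exe": b"stand-in for a replaced cmd.exe"}

if __name__ == "__main__":
    print(audit(CLEAN_REG, GOOD, BASELINE))      # []
    print(audit(BAD_REG, TAMPERED, BASELINE))    # GINA override + cmd.exe mismatch
```

The hash comparison is what separates a genuinely replaced binary from the byte-identical cmd.exe copies the reply mentions, which this check would correctly leave alone.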