RE: NT Compromise

From: Jignesh Pathak (pathak@hitechprofessionals.com)
Date: 12/19/01


From: "Jignesh Pathak" <pathak@hitechprofessionals.com>
To: "'Eric Hines'" <eric3+@pitt.edu>, <incidents@securityfocus.com>
Date: Wed, 19 Dec 2001 16:33:06 -0500

TCP ports 6667 and 6668 are used for IRC (Internet Relay Chat). Looking
at this, it seems that your server might have a connection to one of the IRC
servers using TCP port 6666. But at the same time, TCP port 6666 is used
by the DarkConnection and TCPshell.C Trojans.

You need to run some utility to find out the connections. I wish I had a
handy one.

---------------------------------------------------------------------
Jignesh Pathak
System Administrator
---------------------------------------------------------------------

-----Original Message-----
From: Eric Hines [mailto:eric3+@pitt.edu]
Sent: Wednesday, December 19, 2001 2:46 PM
To: incidents@securityfocus.com
Subject: NT Compromise

Hey all,

I am responding to several compromised NT boxes and am trying to find a
utility that will allow you to see what program is bound to a particular
port. I think I've seen one that shows what ports are bound to
command.com, but need something similar for other programs/trojans/etc.
Is there something available? Has anyone seen a compromised NT box with
port 6667 open that does not seem to be running an IRCD? Check out the
below snippet from netstat. I've tried connecting to the 6667 port with
mIRC... Nothing at all! I need to find out what process/application
opened this port. On this note, can anyone recommend a good forensics
toolkit for Windows to be used on compromised machines?

C:\ netstat -an
-- snip --
  TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
  TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
  TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
-- snap --

2nd Problem: Does anyone know what the REDIRECTOR in Windows NT/2000 is?
I am seeing a compromised NT box full of such logs in the event/security
viewer. Logs have been pasted below. Notice all of the different
hostnames/machines it's attempting to access. Add 70-something other
machines to the below list. What is it, and is this a sign of a definite
compromise?

12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to ANITRA-00.
12/17/01 1:10:41 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SRFS-PDC.
12/17/01 1:09:31 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to GODZILLA.
12/17/01 1:08:21 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMWWW.
12/17/01 1:07:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to EXCHANGE.
12/17/01 1:06:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PICASSO.
12/17/01 1:04:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PITT-TV3.
12/17/01 1:03:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to COMPUTERZ.
12/17/01 1:02:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMGENETICS1.
12/17/01 1:01:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to BOHNER2.
12/17/01 1:00:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to CALIBAN.

Please advise!
Eric

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
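A way to triage both findings in this thread from saved output, as an added Python example that is not part of the original posts: it flags LISTENING sockets on IRC ports in `netstat -an` output and measures how many distinct hosts the redirector timed out against inside a short window, the pattern the pasted Rdr 3013 events show. The netstat lines and hostnames in the sample are constructed.

```python
import re
from datetime import datetime
# Constructed sample input (not the poster's own output): a netstat -an excerpt and
# three Rdr event 3013 entries, one wrapped over three lines as in the paste above.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:80       0.0.0.0:0   LISTENING
  TCP    0.0.0.0:6666     0.0.0.0:0   LISTENING
  TCP    0.0.0.0:6667     0.0.0.0:0   LISTENING
"""
RDR_SAMPLE = """\
12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to HOSTA.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A
INTERACT The redirector
has timed out a request to HOSTB.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to HOSTC.
"""
IRC_PORTS = range(6660, 6670)  # usual IRC server ports; covers 6666-6668

def listening_ports(netstat_text):
    """Sorted (proto, port) pairs for LISTENING sockets in netstat -an output."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "LISTENING":
            found.add((fields[0], int(fields[1].rsplit(":", 1)[1])))
    return sorted(found)

def irc_listeners(netstat_text):  # bot indicator on a box that should run no IRCD
    return [p for p in listening_ports(netstat_text) if p[1] in IRC_PORTS]

# One regex matches the event whether it sits on one line or is wrapped over three.
RDR_RE = re.compile(r"(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Rdr Warning None (\d+) N/A"
                    r"\s+\S+ The redirector\s+has timed out a request to (\S+?)\.")

def rdr_timeouts(log_text):
    """Parse Rdr 3013 events into a time-sorted list of (datetime, target host)."""
    events = []
    for when, event_id, host in RDR_RE.findall(log_text):
        if event_id == "3013":
            events.append((datetime.strptime(when, "%m/%d/%y %I:%M:%S %p"), host))
    return sorted(events)

def max_distinct_targets(events, window_seconds):
    """Most distinct hosts timed out within any window_seconds span: many distinct
    targets in a short span means the box is sweeping the network, not one slow server."""
    best = 0
    for i, (start, _) in enumerate(events):
        hosts = {h for t, h in events[i:] if (t - start).total_seconds() <= window_seconds}
        best = max(best, len(hosts))
    return best
```

On NT 4 and 2000 `netstat -an` does not print owning PIDs, so this only narrows down which sockets to chase with a port-to-process tool; the window logic is what separates a sweep from a single unreachable server.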
