RE: NT Compromise
From: Matthew Leeds (mleeds@theleeds.net)
Date: 12/19/01
- Previous message: Nexus: "Re: NT Compromise"
- In reply to: Jignesh Pathak: "RE: NT Compromise"
- Next in thread: Nexus: "Re: NT Compromise"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 Dec 2001 14:24:14 -0800
From: "Matthew Leeds" <mleeds@theleeds.net>
To: incidents@securityfocus.com
If you are running APC PowerChute on your server, you may want to look at:
http://archives.neohapsis.com/archives/ntbugtraq/1999-q4/0017.html
---Matthew
*********** REPLY SEPARATOR ***********
On 12/19/2001 at 4:33 PM Jignesh Pathak wrote:
>TCP ports 6667 and 6668 are used for IRC (Internet Relay Chat). Looking
>at this, it seems that your server might have a connection to one of the
>IRC servers using TCP port 6666. But at the same time, TCP port 6666 is
>used by the DarkConnection and TCPshell.C Trojans.
>
>You need to run some utility to find out the connections. Wish I had a
>handy one.
>
>---------------------------------------------------------------------
>Jignesh Pathak
>System Administrator
>---------------------------------------------------------------------
>
>
>-----Original Message-----
>From: Eric Hines [mailto:eric3+@pitt.edu]
>Sent: Wednesday, December 19, 2001 2:46 PM
>To: incidents@securityfocus.com
>Subject: NT Compromise
>
>Hey all,
>
>I am responding to several compromised NT boxes and am trying to find a
>utility that will allow you to see what program is bound to a particular
>port. I think I've seen one that shows what ports are bound to
>command.com, but need something similar for other programs/trojans/etc.
>Is there something available? Has anyone seen a compromised NT box with
>port 6667 open that does not seem to be running an IRCD? Check out the
>below snippet from netstat. I've tried connecting to the 6667 port with
>mIRC... Nothing at all! I need to find out what process/application
>opened this port. On this note, can anyone recommend a good forensics
>toolkit for Windows to be used on compromised machines?
>
>C:\ netstat -an
>-- snip --
> TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
>-- snap --
>
>
>
>2nd Problem: Does anyone know what the REDIRECTOR in WindowsNT/2000 is?
>I am seeing a compromised NT box full of such logs in the event/security
>viewer. Logs have been pasted below. Notice all of the different
>hostnames/machines it's attempting to access. Add 70-something other
>machines to the below list. What is it, and is this a sign of a definite
>compromise?
>
>12/17/01 1:16:26 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to READING.
>12/17/01 1:15:11 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to STEELSRV.
>12/17/01 1:14:01 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to PUBLICSAFETY1.
>12/17/01 1:12:51 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to ANITRA-00.
>12/17/01 1:10:41 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to SRFS-PDC.
>12/17/01 1:09:31 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to GODZILLA.
>12/17/01 1:08:21 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to SDMWWW.
>12/17/01 1:07:11 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to EXCHANGE.
>12/17/01 1:06:01 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to PICASSO.
>12/17/01 1:04:51 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to PITT-TV3.
>12/17/01 1:03:51 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to COMPUTERZ.
>12/17/01 1:02:36 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to SDMGENETICS1.
>12/17/01 1:01:36 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to BOHNER2.
>12/17/01 1:00:36 PM Rdr Warning None 3013 N/A
>INTERACT The redirector
>has timed out a request to CALIBAN.
>
>
>Please advise!
>Eric
>
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
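Two of the questions in the quoted message can be worked from captured command output: which process is bound to the 6666-6668 listeners, and what the run of Rdr 3013 warnings looks like once the target hostnames and timestamps are pulled out of it. The script below is an added example, not code from this thread or from any of the posters. It assumes the text of `netstat -ano` (the `-o` PID column exists from Windows XP/2003 onward; the NT 4/2000 netstat in the thread lacks it, which is why a separate utility was being asked for) and `tasklist /fo csv` have been saved to text on the host under examination. The netstat and tasklist samples, including the image name `unknown.exe` and the PIDs, are constructed; the Rdr lines are the ones pasted in the thread, rejoined to one line per event; `IRC_PORTS` is the port set discussed in the thread.

```python
"""Triage helpers for the quoted message: map listening ports to their owning
process, and summarize Rdr event 3013 entries. Added example, not code from
the thread. Assumes `netstat -ano` and `tasklist /fo csv` text; the socket and
process samples below are constructed, the Rdr lines come from the thread."""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample of `netstat -ano` output (not from the compromised host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1764
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING       1764
  TCP    192.0.2.10:139         192.0.2.20:1033        ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1204
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","880","Console","0","4,512 K"
"snmp.exe","1204","Console","0","3,900 K"
"unknown.exe","1764","Console","0","1,104 K"
"""

# The Rdr entries pasted in the thread, rejoined to one line per event.
RDR_SAMPLE = """\
12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to ANITRA-00.
12/17/01 1:10:41 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SRFS-PDC.
"""
IRC_PORTS = frozenset({6666, 6667, 6668})  # the ports asked about in the thread
RDR_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Rdr Warning None (\d+) "
                    r".*?request to (\S+?)\.?$")


def parse_netstat(text):
    """Return (proto, local_port, state, pid) per socket line of netstat -ano.
    UDP lines carry no State column, so their PID is one field earlier."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, banner and blank lines
        port = int(parts[1].rsplit(":", 1)[1])
        if parts[0] == "TCP":
            rows.append(("TCP", port, parts[3], int(parts[4])))
        else:
            rows.append(("UDP", port, "", int(parts[3])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def listeners_by_process(netstat_text, tasklist_text, watch_ports=IRC_PORTS):
    """Join each bound socket to its owning image and flag watched ports."""
    images = parse_tasklist(tasklist_text)
    result = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # only ports something is bound to, not outbound sessions
        result.append({"proto": proto, "port": port, "pid": pid,
                       "image": images.get(pid, "<pid not in tasklist>"),
                       "watched": port in watch_ports})
    return result


def summarize_rdr(text):
    """Extract timestamp, event id and target host per Rdr line; report the
    distinct-host count and the median spacing between consecutive events."""
    events = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p")
            events.append((ts, int(m.group(2)), m.group(3)))
    events.sort()
    gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:]))
    return {"events": len(events),
            "distinct_targets": len({e[2] for e in events}),
            "event_ids": Counter(e[1] for e in events),
            "median_gap_seconds": gaps[len(gaps) // 2] if gaps else 0.0,
            "targets_in_time_order": [e[2] for e in events]}


if __name__ == "__main__":
    for row in listeners_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        mark = "  <-- watched" if row["watched"] else ""
        print(f'{row["proto"]:3} {row["port"]:>5}  pid {row["pid"]:>5}  {row["image"]}{mark}')
    print(summarize_rdr(RDR_SAMPLE))
```

The first half answers the original question by joining the PID column of `netstat -ano` to `tasklist`, so all three IRC-range listeners resolve to the same image and can be pulled for inspection; a PID with no tasklist entry is reported rather than silently dropped, since a process that has exited or is hiding is itself worth noting. The second half turns the pasted event viewer entries into a distinct-target count and a median inter-event gap (75 seconds for the five lines above), which is the shape an analyst would want before deciding whether the redirector noise is the box enumerating its neighbours or just a broken browse list. On current Windows, `Get-NetTCPConnection` already exposes `OwningProcess`, so the netstat parsing step is only needed on hosts without that cmdlet.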