Re: Compromised Win2000 machine.
From: H C (keydet89@yahoo.com)
Date: 05/28/02
- Previous message: Kevin: "Re: strange account in Win2k"
- In reply to: Daniel Hay: "Compromised Win2000 machine."
- Next in thread: Kit: "RE: Compromised Win2000 machine."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 May 2002 14:35:00 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: Daniel Hay <dhay@drexel.edu>, incidents@securityfocus.com
Daniel,
I'm curious as to why you haven't run fport on the system? This would tell you which process is using that port. You could then shut the process down, and take a closer look at the executable.
--- Daniel Hay <dhay@drexel.edu> wrote:
> Hey,
> Today I found a Windows machine located in our dorms that had been compromised, but unlike most of the compromised machines I see come out of the dorms the Admin password was actually set, and it was set to something other than NULL or Administrator. The attacker set up 2 Serv-U ftpd's on the host on high ports, 23432 and 65531 to be exact; they also installed a warez eggdrop bot that connects to the newnet IRC Network and servs via the #warez-excell channel. The thing that puzzles me, and I've not been able to get any information on it through web searches and mailing lists so far, is that on port 4160 there seems to be a login prompt. When you nc to the port you are presented with the following:
>
> [dhay@ob-1 dhay]$ nc compromise.host.edu 4160
> Login: administrator
>
> Invalid password!!!
> login:
>
> An nc to the auth port (113) yields
>
> [dhay@ob-1 dhay]$ nc 144.118.217.84 113
>
> 934 , 6667 : USERID : UNIX : bitch
>
> I'm hoping someone notices the shift from uppercase "L" in Login to lowercase after you fail to login and recognizes it as a known backdoor, or something similar... Does anyone know of any canned rootkits (for want of a better term) that act in the way I've described above? I'll paste the output of nmap -sS -sU -p 1-65535 below.
>
> Port State Service
> 99/tcp open metagram
> 113/tcp open auth
> 135/tcp open loc-srv
> 135/udp open loc-srv
> 137/udp open netbios-ns
> 138/udp open netbios-dgm
> 139/tcp open netbios-ssn
> 445/tcp open microsoft-ds
> 445/udp open microsoft-ds
> 500/udp open isakmp
> 1025/tcp open listen
> 1026/udp open unknown
> 4160/tcp open unknown
> 23432/tcp open unknown
> 65531/tcp open unknown
>
> Cheers
> Danny
> Drexel University
> Network Security Engineer
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
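As an added example (not code from the thread or from either poster), here is a defender's version of the port-to-process check the reply asks for. Win2000's own netstat could not show the owning PID, which is why fport existed; on XP and later `netstat -ano` prints that PID, and joining it with `tasklist /fo csv` names the process behind each listening port. The netstat and tasklist samples below are constructed, the image names are invented, and the set of expected ports is an assumption of the example.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not from the real host); the
# listening ports mirror the nmap listing in the original post.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1404
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:4160           0.0.0.0:0              LISTENING       1404
  TCP    0.0.0.0:23432          0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:65531          0.0.0.0:0              LISTENING       1532
  TCP    144.118.217.84:934     10.0.0.1:6667          ESTABLISHED     1404
"""

# Constructed sample of `tasklist /fo csv` output (image names are made up).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","8","Console","0","212 K"
"svchost.exe","820","Console","0","3,104 K"
"winmgnt.exe","1404","Console","0","1,896 K"
"servu.exe","1532","Console","0","2,472 K"
"""

# Ports a stock Win2000 host is expected to listen on (assumption of this example).
EXPECTED_TCP = {135, 139, 445, 1025}

# Matches one TCP LISTENING row; captures the local port and the owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def parse_listeners(text):
    """Return {port: pid} for every TCP LISTENING socket in `netstat -ano` output."""
    return {int(m.group(1)): int(m.group(2))
            for m in map(LISTEN_RE.match, text.splitlines()) if m}

def unexpected_listeners(netstat_text, tasklist_text, expected=EXPECTED_TCP):
    """Map each listening port not in `expected` to (pid, image name): the
    port-to-process link the reply wanted fport to provide."""
    procs = parse_tasklist(tasklist_text)
    return {port: (pid, procs.get(pid, "<unknown pid>"))
            for port, pid in sorted(parse_listeners(netstat_text).items())
            if port not in expected}
```

Run `unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)` on the samples and the two Serv-U ports resolve to the same PID, while 113 and 4160 share another, which is the grouping that tells you which executables to pull for a closer look.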