RE: Compromised Win2000 machine.
From: Kit (kit@smallfoxx.com)Date: 05/28/02
- Previous message: McCammon, Keith: "RE: Security contacts for cnn,time.com,usatoday,and boston globe needed"
- In reply to: Daniel Hay: "Compromised Win2000 machine."
- Next in thread: Don Weber: "RE: Compromised Win2000 machine."
- Reply: Don Weber: "RE: Compromised Win2000 machine."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kit" <kit@smallfoxx.com> To: "Daniel Hay" <dhay@drexel.edu>, <incidents@securityfocus.com> Date: Tue, 28 May 2002 16:48:27 -0500
If I remember correctly, Jini uses 4160. From what I remember, Jini is
basically distributed computing using Java. Don't know why exactly it would
be prompting for a login, but I guess it could be an app of somesort. They
could be using this as a DDoS type of system I guess.
Also, why is it using port 99 and 113? Those seem like odd ports for a
Windows machine to have.
Now, if you're having problems getting in because you don't know the admin
password, with physical access to the box that could obviously be worked
around, but remotely would be a little less easy.
As for what root-kit its a part of, sorry, I'm not that familiar with it.
HTH,
-K
-----Original Message-----
From: Daniel Hay [mailto:dhay@drexel.edu]
Sent: Tuesday, May 28, 2002 3:15 PM
To: incidents@securityfocus.com
Subject: Compromised Win2000 machine.
Hey,
Today i found a windows machine located in our dorms that had
been compromised, but unlike most of the compromised machines i see come
out of the dorms the Admin password was actually set and it was set to
something other than NULL or Administrator. The attacker set up 2
Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact,
they also installed a warez eggdrop bot that connects to the newnet IRC
Network and servs via the #warez-excell channel. The thing that puzzles
me and i've not been able to get any information on it through web
searches and mailing lists so far, on port 4160 there seems to be a
login prompt. When you nc to the port you are presented with the following
[dhay@ob-1 dhay]$ nc compromise.host.edu 4160
Login: administrator
Invalid password!!!
login:
An nc to the auth port (113) yields
[dhay@ob-1 dhay]$ nc 144.118.217.84 113
934 , 6667 : USERID : UNIX : bitch
I'm hoping someone notices the shift from Uppercase "L" in login to
lower case after you fail to login and recognizes it as a known
backdoor? or something similar... does anyone know of any canned
rootkits ( for want of a better term ) that acts in the way i've
described above? I'll paste the output of nmap -sS -sU -p 1-65535 below
Port State Service
99/tcp open metagram
113/tcp open auth
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
445/tcp open microsoft-ds
445/udp open microsoft-ds
500/udp open isakmp
1025/tcp open listen
1026/udp open unknown
4160/tcp open unknown
23432/tcp open unknown
65531/tcp open unknown
Cheers
Danny
Drexel University
Network Security Engineer
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: McCammon, Keith: "RE: Security contacts for cnn,time.com,usatoday,and boston globe needed"
- In reply to: Daniel Hay: "Compromised Win2000 machine."
- Next in thread: Don Weber: "RE: Compromised Win2000 machine."
- Reply: Don Weber: "RE: Compromised Win2000 machine."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
