RE: Compromised Win2000 machine.

From: Don Weber (Don@AirLink.com)
Date: 05/29/02


From: "Don Weber" <Don@AirLink.com>
To: "Kit" <kit@smallfoxx.com>, "Daniel Hay" <dhay@drexel.edu>, <incidents@securityfocus.com>
Date: Tue, 28 May 2002 15:56:46 -0700

Look under Services, find all remote procedure calls, look at the properties
of each one, specifically notating the actual path to the called program;
likely you'll find one of those does not go to the WINNT directory. Stop that
service. You may want to go through all of your services that are active and
look at the program name and location of the program to make sure you
recognize all of them; the ones you don't, take a little further look into.

Don
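As an added example that is not part of the original thread: a modern PowerShell version of the check Don describes. It lists every service, extracts the executable from its command line, and flags running services whose binary sits outside the Windows and Program Files directories or no longer exists on disk. The set of trusted directories is an assumption; on Windows 2000 the system root was C:\WINNT, and the script reads whatever $env:SystemRoot says either way.

```powershell
# Added example, not code from the original thread. Enumerates Windows services and
# flags those whose executable lives outside an assumed set of trusted directories.
# Assumes Windows PowerShell 5.1 or later with the CIM cmdlets available.

# Assumption: binaries under these roots are "expected"; everything else gets a closer look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # PathName looks like  C:\WINNT\system32\svchost.exe -k rpcss
    # or  "C:\Program Files\Foo\foo.exe" /service  ; return just the executable.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { return $p.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll|cmd|bat))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Test-TrustedPath {
    param([string]$Path)
    # True when the (environment-expanded, normalized) path sits under a trusted root.
    if (-not $Path) { return $false }
    try {
        $expanded = [Environment]::ExpandEnvironmentVariables($Path)
        $full = [System.IO.Path]::GetFullPath($expanded).ToLowerInvariant()
    } catch { return $false }
    foreach ($root in $trustedRoots) {
        if ($full.StartsWith($root + '\')) { return $true }
    }
    return $false
}

$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceExecutablePath $_.PathName
    $expandedExe = if ($exe) { [Environment]::ExpandEnvironmentVariables($exe) } else { $null }
    [pscustomobject]@{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        State       = $_.State
        StartMode   = $_.StartMode
        Account     = $_.StartName
        Executable  = $exe
        Exists      = if ($expandedExe) { Test-Path -LiteralPath $expandedExe } else { $false }
        Trusted     = Test-TrustedPath $exe
    }
}

# Suspicious entries first: running, but the binary is outside the trusted roots or missing.
$report |
    Where-Object { $_.State -eq 'Running' -and (-not $_.Trusted -or -not $_.Exists) } |
    Sort-Object Name |
    Format-Table Name, DisplayName, Account, Executable, Exists, Trusted -AutoSize

# Full listing for the by-hand review the post recommends, untrusted paths sorted to the top.
$report | Sort-Object Trusted, Name |
    Format-Table Name, State, StartMode, Executable, Trusted -AutoSize
```

Run it from an elevated prompt so every service's PathName is readable. A path outside the system directories is only a prompt for a closer look: a legitimate third-party service lives under Program Files, and a hostile one can just as easily be dropped into system32 under a plausible name, so check the flagged binaries' signatures (Get-AuthenticodeSignature) or hashes against a known-good install before deciding what to stop.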

-----Original Message-----
From: Kit [mailto:kit@smallfoxx.com]
Sent: Tuesday, May 28, 2002 2:48 PM
To: Daniel Hay; incidents@securityfocus.com
Subject: RE: Compromised Win2000 machine.

If I remember correctly, Jini uses 4160. From what I remember, Jini is
basically distributed computing using Java. Don't know why exactly it would
be prompting for a login, but I guess it could be an app of some sort. They
could be using this as a DDoS type of system, I guess.

Also, why is it using port 99 and 113? Those seem like odd ports for a
Windows machine to have.

Now, if you're having problems getting in because you don't know the admin
password, with physical access to the box that could obviously be worked
around, but remotely would be a little less easy.

As for what root-kit it's a part of, sorry, I'm not that familiar with it.

HTH,
-K

-----Original Message-----
From: Daniel Hay [mailto:dhay@drexel.edu]
Sent: Tuesday, May 28, 2002 3:15 PM
To: incidents@securityfocus.com
Subject: Compromised Win2000 machine.

Hey,
          Today I found a Windows machine located in our dorms that had
been compromised, but unlike most of the compromised machines I see come
out of the dorms, the Admin password was actually set, and it was set to
something other than NULL or Administrator. The attacker set up 2
Serv-U ftpd's on the host on high ports, 23432 and 65531 to be exact;
they also installed a warez eggdrop bot that connects to the newnet IRC
network and serves via the #warez-excell channel. The thing that puzzles
me, and I've not been able to get any information on it through web
searches and mailing lists so far, is that on port 4160 there seems to be a
login prompt. When you nc to the port you are presented with the following:

[dhay@ob-1 dhay]$ nc compromise.host.edu 4160
Login: administrator

Invalid password!!!
login:

An nc to the auth port (113) yields

[dhay@ob-1 dhay]$ nc 144.118.217.84 113

934 , 6667 : USERID : UNIX : bitch

I'm hoping someone notices the shift from uppercase "L" in "Login" to
lower case after you fail to log in and recognizes it as a known
backdoor, or something similar... Does anyone know of any canned
rootkits (for want of a better term) that act in the way I've
described above? I'll paste the output of nmap -sS -sU -p 1-65535 below:

Port State Service
99/tcp open metagram
113/tcp open auth
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
445/tcp open microsoft-ds
445/udp open microsoft-ds
500/udp open isakmp
1025/tcp open listen
1026/udp open unknown
4160/tcp open unknown
23432/tcp open unknown
65531/tcp open unknown

Cheers
Danny
Drexel University
Network Security Engineer
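As an added example that is not part of the original post, the defender-side counterpart to Danny's nmap run, in PowerShell: it parses an nmap port list (the TCP lines from the post are reused as a constructed sample), asks the host itself which TCP ports are listening via Get-NetTCPConnection, and reports the owning process and image path for each externally visible port. A port the scan shows open but the host does not report as listening is itself a finding, since that gap is exactly what a rootkit that hides sockets would produce. Assumes Windows 8 / Server 2012 or later with the NetTCPIP module; nothing here would run on the original Windows 2000 host.

```powershell
# Added example, not code from the original thread. Cross-checks externally observed
# open ports (nmap output) against the host's own view of its TCP listeners and names
# the process behind each one. Assumes Get-NetTCPConnection (NetTCPIP module) exists.

# Constructed sample: the TCP lines from the nmap output quoted in the post.
$nmapText = @'
Port State Service
99/tcp open metagram
113/tcp open auth
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
4160/tcp open unknown
23432/tcp open unknown
65531/tcp open unknown
'@

function ConvertFrom-NmapPortList {
    param([string]$Text)
    # Parse "<port>/<proto> open <service>" lines; anything else (headers) is ignored.
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^\s*(\d+)/(tcp|udp)\s+open\s+(\S+)') {
            [pscustomobject]@{
                Port    = [int]$Matches[1]
                Proto   = $Matches[2]
                Service = $Matches[3]
            }
        }
    }
}

function Get-LocalTcpListeners {
    # One row per listening TCP socket with the owning process and its image path.
    # Image is $null for processes we cannot open (run elevated to see all of them).
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Pid     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Image   = if ($proc) { $proc.Path } else { $null }
        }
    }
}

function Compare-ExternalToLocal {
    param($External, $Local)
    # For every TCP port nmap saw open, say whether the host admits to listening
    # on it and which process owns the socket.
    $byPort = @{}
    foreach ($l in $Local) { $byPort[[int]$l.Port] = $l }
    foreach ($e in ($External | Where-Object Proto -eq 'tcp')) {
        $l = $byPort[$e.Port]
        [pscustomobject]@{
            Port        = $e.Port
            NmapGuess   = $e.Service
            SeenLocally = [bool]$l
            Process     = if ($l) { $l.Process } else { $null }
            Image       = if ($l) { $l.Image } else { $null }
        }
    }
}

$external = ConvertFrom-NmapPortList $nmapText
$local    = Get-LocalTcpListeners
Compare-ExternalToLocal $external $local | Sort-Object Port | Format-Table -AutoSize
```

Read the table two ways: rows with SeenLocally false deserve the most attention, because the host is contradicting the network; rows that are seen locally tell you which image to pull for the same path and signature review you would give a suspicious service, and the owning PID is the one to capture before the process is stopped.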

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com