Re: Compromised Win2000 machine.

From: ghb the irrepressible (ghb@drug.org)
Date: 05/29/02


Date: 29 May 2002 03:42:17 -0000
From: ghb the irrepressible <ghb@drug.org>
To: incidents@securityfocus.com


In-Reply-To: <3CF3E55D.8030702@drexel.edu>

Hello

This post is a perfect example of current script kiddy
trends. If you join any of the larger channels on
irc.newnet.net, irc.evilsync.net, and so forth, you will
see that all of the 'leech fserves' in these channels are
compromised windows machines. (usually .edu's).

I would wager that these groups are hacking win2k boxes on
fast networks en masse, using something lame and well
known like the Unicode or HTR exploit (for shame!) or
possibly the recent .ASP exploit.

These groups are compiling their own rootkit/backdoors from
well-documented open source utilities such as DSNX
(www.dataspy.net). The main function of these backdoors, as
you have seen, is to provide remote FTP access to the
compromised host (for uploading more 0day warez and DIVX
movies), run an identd server if required, and connect to a
pre-configured IRC network and channel. The server then
acts as an irc Fserve, allowing anyone in the channel to
queue up files to download.

I would also wager that port 99 is a copy of ncx99.exe -
this was used as the default bindport for a couple of win32
exploits (original iishack?) It is a modified version of
nc.exe configured to spawn a cmd.exe shell on port 99. This
simple backdoor is favored by script kiddies and the like
because it does not require any command line arguments.

These groups often advertise their efforts in the channel
topics on irc.newnet.net - ">100 .edu 100mbit bots! Leech!
Latest releases!" They also advertise "we need couriers,
dumps, carders, rooters (?), coders and rippers - contact
XYZWareZGuy!"

Maybe someone should join these channels, #warez-excell
etc, and scan all the fserve hosts for ports 99 and 4160...
if port 99 is indeed a netcat/cmd.exe backdoor, a script
could be written to mass-patch or disable these IRC bots ;)

They deserve it for being so damn open about their
activities. Warez kids used to have a clue!

i remain

ghb

> Today I found a windows machine located in our dorms that had
> been compromised, but unlike most of the compromised machines I see come
> out of the dorms the Admin password was actually set and it was set to
> something other than NULL or Administrator. The attacker set up 2
> Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact,
> they also installed a warez eggdrop bot that connects to the newnet IRC
> Network and serves via the #warez-excell channel.
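A defender-side companion to the indicators named in this thread (the ncx99 listener on port 99, port 4160, the two Serv-U instances on 23432 and 65531, and the bot's outbound IRC session): a small host-triage script that parses `netstat` output and groups the hits by process. This is an added example, not code from the post or the list. It assumes the later Windows `netstat -ano` column layout with a PID column (Windows 2000's `netstat -an` prints no PID, so a missing PID is reported as unknown), and the sample output embedded below is constructed, with invented PIDs and addresses.

```python
"""Host triage over `netstat -ano` output, flagging the indicators this thread names.

Added example, not code from the post or the list. Assumes the later Windows
`netstat -ano` layout (PID column present); Windows 2000's `netstat -an` prints
no PID, so the parser reports a missing PID as "?".
"""
from dataclasses import dataclass

# Ports named in the thread: ncx99 backdoor (99), port 4160 from the scan suggestion,
# and the two Serv-U instances from the quoted report (23432, 65531).
SUSPECT_LISTEN_PORTS = {99, 4160, 23432, 65531}
# Usual IRC service ports; the bots described connect out to a pre-configured network.
IRC_PORTS = set(range(6660, 6670)) | {7000}


@dataclass(frozen=True)
class Finding:
    reason: str
    proto: str
    local: str
    foreign: str
    pid: str  # "?" when the netstat variant prints no PID column


def _split_addr(addr: str):
    """'0.0.0.0:99' -> ('0.0.0.0', 99); '*:*' and '[::]:0' work too; port is None if not numeric."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str):
    """Yield (proto, local, foreign, state, pid) tuples from netstat output lines."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner lines, column headers, blanks
        proto = parts[0]
        if proto == "TCP":
            # TCP rows: proto local foreign state [pid]
            if len(parts) < 4:
                continue
            local, foreign, state = parts[1], parts[2], parts[3]
            pid = parts[4] if len(parts) > 4 else "?"
        else:
            # UDP rows: proto local foreign [pid]  (no state column)
            if len(parts) < 3:
                continue
            local, foreign, state = parts[1], parts[2], ""
            pid = parts[3] if len(parts) > 3 else "?"
        yield proto, local, foreign, state, pid


def triage(text: str):
    """Return Findings for suspect listeners and established outbound IRC sessions."""
    findings = []
    for proto, local, foreign, state, pid in parse_netstat(text):
        _, lport = _split_addr(local)
        _, fport = _split_addr(foreign)
        if state == "LISTENING" and lport in SUSPECT_LISTEN_PORTS:
            findings.append(Finding(f"listener on suspect port {lport}", proto, local, foreign, pid))
        elif state == "ESTABLISHED" and fport in IRC_PORTS:
            findings.append(Finding(f"outbound IRC session to port {fport}", proto, local, foreign, pid))
    return findings


def by_pid(findings):
    """Group reasons by PID so one process carrying several indicators stands out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.pid, []).append(f.reason)
    return grouped


# Constructed sample output (not a real capture); PIDs and addresses are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:23432          0.0.0.0:0              LISTENING       1580
  TCP    0.0.0.0:65531          0.0.0.0:0              LISTENING       1580
  TCP    10.20.30.40:1047       192.0.2.77:6667        ESTABLISHED     1632
  TCP    10.20.30.40:1052       192.0.2.10:80          ESTABLISHED     904
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for pid, reasons in by_pid(triage(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

Pipe a saved `netstat -ano` capture through `triage()` and the per-PID grouping points straight at the processes worth pulling from the box for examination; on the constructed sample it singles out PID 1580 for both Serv-U ports. The port list is deliberately a module-level constant so it can be extended with whatever a given incident turns up, and the parser tolerates the PID-less Windows 2000 layout rather than silently dropping those rows.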

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


