Re: Compromised Win2000 machine. - Follow UP
From: Daniel Hay (dhay@drexel.edu)
Date: 05/30/02
- Previous message: Rainer Duffner: "Re: AW: strange .ch scan by 195.141.86.145"
- In reply to: H C: "Re: Compromised Win2000 machine."
- Next in thread: Joris De Donder: "Re[2]: Compromised Win2000 machine."
- Next in thread: ghb the irrepressible: "Re: Compromised Win2000 machine."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 May 2002 17:27:41 -0400
From: Daniel Hay <dhay@drexel.edu>
To: H C <keydet89@yahoo.com>
OK, I managed to sniff the password for the "login" program after
tcpkill'ing the irc connection of the bot several times, in the hope the
"owner" of the bot would login and try to figure out what was happening,
and sure enough it only took about 10 minutes and I had the password. I
was able to use it to login the same way the warez pups did. The program
that was listening on port 4160 was called wollf; the program is
available from www.xfocus.org.
From their website: "Extended Telnet Services, support file transfers,
support reverse-connect through firewall, you can use an option to start
it as a service or a general process."
It seems pretty powerful from what I've seen dinking around with it this
afternoon. It allowed the remote user to "export" a cmd.exe shell on any
port you choose, it allowed you to get process listings and screen
listings, kill processes, ftp put and get files from other ftp sites,
telnet from the compromised host to other hosts, view files on the
system, rename and delete files, etc. etc.
After speaking with the user this afternoon I was informed that the
machine did in fact have a NULL admin password, but they don't use the
admin account so they never noticed the password had been reset. The
warez pups had their junk in 2 hidden directories in
c:\winnt\system32\sys32 and c:\winnt\system32\sysfiles
I had the user zip these directories and send them to me, if anyone
wants to check them out drop me a line, the zip files are the complete
directory and structure minus the 12 gig of movies, porn and games :).
After running ngrep and looking for the login banner "wollf" I managed
to find 3 other dorm machines on campus that had been hit by the same
person using the same password, directory structure and ports, so if you
find something you think may be the wollf program on port 4160 drop me a
line and I'll give you the password, because chances are it's the same kid.
Cheers
Danny
H C wrote:
>Some additional thoughts on this particular issue...
>
>>...but I thought the advice for a (possibly)
>>compromised box was *not*
>>to run executable programs that resided on that
>>host, as they can't be trusted?
>>
>
>While I definitely recommend burning your tools...even
>the ones shipped w/ NT/2K, including cmd.exe...to a
>CD, to be quite honest, has anyone ever actually seen
>a system w/ a trojaned netstat? Now, I know many
>folks are going to pump their arms into the air...so
>let me clarify...this is a 2K box. Has anyone ever
>seen a trojaned cmd.exe or netstat.exe? Has anyone
>seen netstat.exe on an NT or 2K system "trojaned" so
>as to NOT show certain connects...but otherwise, it
>works fine?
>
>Remember...the Linux/*nix architectures are different
>from that of NT/2K...and XP. I'm not saying that this
>can't be done...I'm simply asking if anyone can show,
>with proof, that this *has* been done? And it doesn't
>have to be just netstat.exe...it can be any other
>native tool. And binding the .exe file using
>SaranWrap or EliteWrap doesn't count, as the basic
>functionality still exists and all network connects
>(netstat) will still be shown...
>
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
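The campus-wide sweep Danny describes (grep the wire for the "wollf" login banner, then correlate with the known listening port) is the kind of detection a responder wants to repeat on the next incident. The script below is an added illustration and is not part of the original post or the wollf tool; it assumes a constructed one-line-per-session summary ("src:sport -> dst:dport | first payload bytes"), which is not ngrep's own output format, and flags sessions by banner (high confidence, whatever port the operator chose) and by port alone (lower confidence, worth a manual look).

```python
import re
from dataclasses import dataclass

# Constructed sample of TCP sessions, one per line. Format is assumed for this
# example: "src:sport -> dst:dport | first payload bytes". Not ngrep output.
SAMPLE_SESSIONS = """\
10.1.2.3:1087 -> 10.1.5.20:4160 | wollf
10.1.2.3:1092 -> 10.1.5.21:4160 | wollf
10.1.4.9:3301 -> 10.1.5.22:23 | login:
10.1.4.9:3302 -> 10.1.5.23:31337 | Wollf
10.1.7.7:2000 -> 10.1.5.24:4160 | HTTP/1.0 200 OK
10.1.7.7:2001 -> 10.1.5.24:80 | GET / HTTP/1.0
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) \| (.*)$")


@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    port: int
    reason: str  # "banner", "port" or "banner+port"


def scan_sessions(text, banner="wollf", port=4160):
    """Return a Finding for every session that shows the banner or uses the port."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guess
        src, _sport, dst, dport, payload = m.groups()
        dport = int(dport)
        reasons = []
        # Banner match is case-insensitive: the backdoor can listen on any port,
        # so the banner, not the port, is the strong signal.
        if banner.lower() in payload.lower():
            reasons.append("banner")
        if dport == port:
            reasons.append("port")
        if reasons:
            findings.append(Finding(src, dst, dport, "+".join(reasons)))
    return findings


def suspected_servers(findings):
    """Hosts that presented the banner, regardless of port."""
    return sorted({f.server for f in findings if "banner" in f.reason})


def port_only_servers(findings):
    """Hosts seen only on the known port with no banner: verify by hand."""
    bannered = set(suspected_servers(findings))
    return sorted({f.server for f in findings
                   if f.reason == "port" and f.server not in bannered})


if __name__ == "__main__":
    fs = scan_sessions(SAMPLE_SESSIONS)
    for f in fs:
        print(f"{f.client} -> {f.server}:{f.port}  [{f.reason}]")
    print("banner seen on:", suspected_servers(fs))
    print("port only, verify manually:", port_only_servers(fs))
```

Run against the constructed sample it reports three hosts presenting the banner (two on 4160, one on 31337) and one host on 4160 with an ordinary HTTP reply that deserves a look but is not by itself evidence. Splitting the two signals this way keeps a port-only hit from being treated as a confirmed compromise.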