TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid

From: Netw3 Security Research (nospamnetw3@premis.lod.com)
Date: 08/24/02


Date: Sat, 24 Aug 2002 04:19:47 -0500
To: incidents@securityfocus.com
From: Netw3 Security Research <nospamnetw3@premis.lod.com>


Greetings. This is a basic analysis and a few questions-

I've come across a system that appears to have been compromised. It is a
Win2K advanced server, and during analysis I found that the DameWare remote
control agent version 3.51.1.0 has been installed, which allows remote GUI
access by an unauthorized party. The DameWare application is running as a
service and listens on TCP port 6129 by default. The attacker has installed
the Dameware server application in the default location
C:\WINNT\SYSTEM32\DWRCS.EXE and DWRCK.DLL. The owner of the executable is
the Administrators group. DWRCS.EXE can be used through command line to
install, uninstall, or change the listening port, so any exploit that would
have allowed the attacker to execute any command line could have been used.

I downloaded the most recent version of the dameware mini remote control
from their website (dameware.com) and this installation created an icon in
the system tray and introduced several files into the WINNT/System32
directory, as opposed to the two files from version 3.51.1.0. Perhaps the
attacker was unable to perform the full install, or perhaps they had
cleaned their tracks and had forgotten to remove these two associated files.

My attempts to use a current DameWare client to connect to the agent
previously installed by the attacker prompted for various types of
authentication, leading me to believe that an account had been compromised,
either due to poor password choice or from some other method, and that this
account was used to connect to the DameWare agent. However, the agent could
have been a hacked version that does not require authentication, or could
contain some other type of backdoor. As a matter of fact, the server
antivirus app (Netshield) reported the presence of the Backdoor-RQ trojan,
located at C:\WINNT\System32\SRV1984.exe. The file no longer was present on
the system, but I have found a few references to SRV1984 on some
non-English web sites, particularly some sites in China.

http://hongniao.diy.163.com/download/houmen.htm
http://www.sandflee.net/liu/liuyan/index.asp?user=sandflee&page=4

NAI says this about the RQ trojan:

"BackDoor-RQ is a patched copy of the Netcat v1.10 NT application/utility.
This patch causes Netcat to act as a remote console server on port 80 and
suppresses console messages on the server."

and

"As an isolated program, this trojan must be run manually on the targeted
system. However, BackDoor-RQ is known to be used in conjunction with other
applications and utilities by an attacker. Other programs or trojans may be
used to execute and suppress the window mentioned as a symptom of this
trojan."

What other applications and utilities are they referring to here? Does
anyone have any more detailed information?

The system was already running IIS on port 80 - of course, the attacker
could have disabled it for a while, then set up the RQ trojan in its place
and then restarted IIS. I also came across two unusual instances of
"IIS.EXE" running on high TCP ports (as seen by fport)

3380 iis -> 15666 TCP C:\WINNT\SYSTEM32\iis.exe
3380 iis -> 17890 TCP C:\WINNT\SYSTEM32\iis.exe

Telnet to port 17890 displays the contents of the
c:\winnt\system32\login.txt file, with connection specific variables
displayed:

220-Hacked By Seminarian
220-=======================================================
220- Hacked By Seminarian For Team Liquid
220-=======================================================
220-Your IP : <sanitized>
220-=======================================================
220-Kb Received : 0 kb
220-Kb Send : 0 kb
220-=======================================================
220-Average Speed : 0.000 KB/sec
220-Current Speed : 0.000 KB/sec
220-Users Connected : 1
220-Users since ServerStart : 1
220-=======================================================
220-Free space : 2239.41MB MB
220-=======================================================
220-Server Uptime : 0 Days, 10 Hours
220 =======================================================

Typing HELP reveals the following (looks like an FTP server of sorts):

214- The following commands are recognized (* => unimplemented).
   USER PORT RETR ALLO DELE SITE XMKD CDUP
   PASS PASV STOR REST CWD STAT RMD XCUP
   ACCT TYPE APPE RNFR XCWD HELP XRMD STOU
   REIN STRU SMNT RNTO LIST NOOP PWD SIZE
   QUIT MODE SYST ABOR NLST MKD XPWD MDTM

The site was running many unnecessary services, and was behind on its
patches, so there are many ways that an attacker could gain access, however
I was unable to determine the exact course of the attack with all of my
usual methods. More analysis is pending.
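A small triage script, added here as an example and not part of the original post, that parses fport-style "Pid Process -> Port Proto Path" lines and flags the listeners described above: anything on DameWare's default TCP 6129, the DWRCS.EXE and SRV1984.exe file names, and a process binary called iis.exe (the genuine IIS listener is inetinfo.exe under System32\inetsrv). The sample output is constructed, modelled on the two fport lines quoted in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in fport's layout: the two iis.exe lines from the post,
# plus a normal IIS listener and the DameWare agent for contrast.
SAMPLE_FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
1032  inetinfo       ->  80    TCP   C:\\WINNT\\System32\\inetsrv\\inetinfo.exe
1500  DWRCS          ->  6129  TCP   C:\\WINNT\\SYSTEM32\\DWRCS.EXE
3380  iis            ->  15666 TCP   C:\\WINNT\\SYSTEM32\\iis.exe
3380  iis            ->  17890 TCP   C:\\WINNT\\SYSTEM32\\iis.exe
"""

FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(\S.*?)\s*$")

# Indicators taken from the post: DameWare's default port and the file names found.
DAMEWARE_PORT = 6129
KNOWN_BAD_BINARIES = {"dwrcs.exe", "srv1984.exe"}
# IIS's real listener is inetinfo.exe; a binary named iis.exe is the impostor seen here.
IIS_IMPOSTOR = "iis.exe"


def parse_fport(text: str) -> List[Dict]:
    """Turn fport output into dicts; the header and any blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append({"pid": int(pid), "process": proc, "port": int(port),
                            "proto": proto, "path": path})
    return entries


def flag_listeners(entries: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (port, binary basename, reason) for each listener matching an indicator."""
    findings = []
    for e in entries:
        basename = e["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if e["proto"] == "TCP" and e["port"] == DAMEWARE_PORT:
            findings.append((e["port"], basename, "DameWare default port"))
        elif basename in KNOWN_BAD_BINARIES:
            findings.append((e["port"], basename, "binary named in the incident"))
        elif basename == IIS_IMPOSTOR:
            findings.append((e["port"], basename, "iis.exe is not a real IIS binary"))
    return findings


def triage(text: str = SAMPLE_FPORT_OUTPUT) -> List[Tuple[int, str, str]]:
    return flag_listeners(parse_fport(text))
```

Feed it real fport output saved to a file (`triage(open("fport.txt").read())`) to get the same three findings that this incident would have produced.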

If anyone has any further information, or if you have seen this specific
attack or EXE before, or know anything about Team Liquid, please leave a
reply or send an email to my address -nospam above.

Curt Wilson
Netw3 Security Research
www.netw3.com
netw3@premis.lod.c0m

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
