FTP and Win2K changed security policy

From: Bojan Zdrnja (Bojan.Zdrnja@FER.hr)
Date: 11/18/02

  • Next message: Rob Shein: "RE: Fraudulent use of ebay's name"
    From: "Bojan Zdrnja" <Bojan.Zdrnja@FER.hr>
    To: <incidents@securityfocus.com>
    Date: Mon, 18 Nov 2002 12:37:05 +0100
    
    

    I'm sending this 2nd time because I didn't receive any message neither from
    moderator or on ML.

    Hi everyone.

    Today one of employees on my university asked me to check his machine as he
    couldn't use Netmeeting anymore for remote desktop sharing .
    Some people here use Netmeeting to easy control their machines from home (I
    know I should have banned that before on lower level, but ...).
    After I couldn't find his machine on our domain (and he was added) I went to
    his computer and saw that he hasn't got Sophos started at all. Every time I
    tried to start Sophos it would just hang. Things became interesting at that
    point (for me, not him :).

    After examining the machine I saw one suspicious process running, under the
    name service.exe. This process was listening on port 62345 and it was
    actually a Serv-U FTP server in leech mode (just like one we discussed on
    this ML few days before).
    FTP server was installed in directory c:\winnt\system\tools.
    That directory also contained one very interesting subdirectory named win.
    In this directory I found a program named win.exe and few .bat files (named
    secure.bat and secure1.bat), as well as cygwin dll's and so on. It appears
    that this program is used to set whatever security policy he wanted on the
    machine, which you can see in secure.bat file. Obviously, his policy didn't
    work quite well as he also removed possibility for user to log-on over
    Netmeeting (that's why user called me at the first point).

    I wonder if anyone saw rootkit with this or this was a manual work.
    FTP server was empty, only one 1MB file named '1' was in it (probably to
    test server's speed).

    Also, I'm not sure how they got in. Machine is Windows 2000 Professional and
    had SP2 applied on it, but I'm afraid user had weak local administrator
    password (I don't take care of those machines, I was just there to check his
    problems).

    If needed, I have those directories in a zip archive so I can send it to
    someone if you need it.

    Best regards,

    Bojan Zdrnja

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com