Re: FTP and Win2K changed security policy
From: Johan Augustsson (johan.augustsson@adm.gu.se)
Date: 11/20/02
- Previous message: Jeroen Wesbeek: "Strange apache logs: CONNECT maila.microsoft.com:25"
- In reply to: Bojan Zdrnja: "FTP and Win2K changed security policy"
- Next in thread: Joswiak, Johnny G.: "RE: FTP and Win2K changed security policy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Nov 2002 08:29:17 +0100
From: Johan Augustsson <johan.augustsson@adm.gu.se>
To: incidents@securityfocus.com
On Mon, Nov 18, 2002 at 12:37:05PM +0100, Bojan Zdrnja wrote:
>
> I wonder if anyone saw rootkit with this or this was a manual work.
> FTP server was empty, only one 1MB file named '1' was in it (probably to
> test server's speed).
>
> Also, I'm not sure how they got in. Machine is Windows 2000 Professional and
> had SP2 applied on it, but I'm afraid user had weak local administrator
> password (I don't take care of those machines, I was just there to check his
> problems).
I've seen variants of those .bat-files on a huge number of compromised
NT/2000 systems. As far as I know it's just a bunch of scripts that the
intruder runs manually after downloading them from either his own box
(stupid) or another compromised box.
So, how did he get in? I would bet my money on bad or non-existing
passwords. Badly configured MS-SQL servers are another often used way in,
but maybe not in this case. There is a very powerful tool written by a
Chinese author that scans a class B network and collects null passwords or
passwords that are the same as the account's name in less than 40 minutes.
Since this is a win32 executable it's often found on the compromised
systems. It can also be used with a dictionary.
Another tool that's often found on those systems is Netcat. It may be
used to start a command shell session to a specific IP address or to bind
cmd.exe to a port that the intruder can use as a backdoor.
The tricky part is to find all the binaries. It was a long time ago that
the intruders started to rename the Serv-U FTP binaries to something more
legal. Fport or Active Ports can help you out there. It's like lsof -i for
Windows.
If you really want to know how many of your boxes are compromised
like this I recommend using Snort (www.snort.org) and the following
rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"USER"; content: "USER"; flags: A+; dsize: <30; depth: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PASS"; content: "PASS"; flags: A+; dsize: <30; depth: 4;)
You might consider a couple of pass rules above those two rules so
you don't get all the legal ftp logins to port 21 and other legal ports.
Bear in mind that the rules above might give you a minor shock. If you
have a class B net and don't filter TCP 135, 139 and 445 you'll probably
have a couple of compromised boxes every day.
Happy hunting
Johan Augustsson
Göteborg University
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
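To make the logic of Johan's two Snort rules and the suggested pass rules concrete, here is an added example (not part of the original mail, and not Snort itself) that applies the same matching conditions to a handful of constructed packet records: ACK set (`flags: A+`), payload shorter than 30 bytes (`dsize: <30`), the keyword within the first four bytes (`depth: 4`), and an allowlist of expected FTP ports standing in for the pass rules. The port numbers, addresses and payloads are constructed for illustration.

```python
"""Toy re-implementation of the detection idea in the post: flag FTP-style
USER/PASS logins that arrive on ports where no FTP service is expected.
Sample packets below are constructed, not captured traffic.
"""
from dataclasses import dataclass

# Assumption: the only port where FTP logins are expected is 21.  This set
# plays the role of the "pass rules" that suppress legitimate logins.
LEGAL_FTP_PORTS = {21}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool        # Snort "flags: A+": ACK bit set, any other bits allowed
    payload: bytes


def matches_rule(pkt, keyword, legal_ports=LEGAL_FTP_PORTS):
    """Mirror of: content:"<keyword>"; flags: A+; dsize: <30; depth: 4;
    preceded by a pass rule for the expected FTP ports."""
    if pkt.dport in legal_ports:
        return False                      # pass rule: ordinary login on an expected port
    if not pkt.ack:
        return False                      # flags: A+
    if len(pkt.payload) >= 30:
        return False                      # dsize: <30
    return pkt.payload[:4] == keyword     # depth: 4 -> keyword must start the payload


def find_rogue_ftp_logins(packets, legal_ports=LEGAL_FTP_PORTS):
    """Return sorted (dst, dport) pairs that received both a USER and a PASS
    command on a port outside the allowlist, i.e. a likely rogue FTP server."""
    seen = {}
    for pkt in packets:
        for kw in (b"USER", b"PASS"):
            if matches_rule(pkt, kw, legal_ports):
                seen.setdefault((pkt.dst, pkt.dport), set()).add(kw)
    return sorted(k for k, kws in seen.items() if kws == {b"USER", b"PASS"})


# Constructed sample traffic: one legitimate login on port 21, one login to a
# high port (the kind of rogue Serv-U instance described in the thread), and
# two packets that mention USER but do not meet the rule's size/offset limits.
SAMPLE = [
    Packet("192.0.2.10", "10.0.0.5", 21, True, b"USER anonymous\r\n"),
    Packet("192.0.2.10", "10.0.0.5", 21, True, b"PASS guest@\r\n"),
    Packet("198.51.100.7", "10.0.0.7", 40001, True, b"USER warez\r\n"),
    Packet("198.51.100.7", "10.0.0.7", 40001, True, b"PASS warez\r\n"),
    # Keyword not at offset 0: depth 4 would not match this.
    Packet("198.51.100.9", "10.0.0.8", 8080, True, b"GET /USER HTTP/1.0\r\n"),
    # Payload of 30+ bytes: dsize <30 would not match this.
    Packet("198.51.100.9", "10.0.0.9", 40002, True, b"USER " + b"a" * 40 + b"\r\n"),
]

if __name__ == "__main__":
    for dst, dport in find_rogue_ftp_logins(SAMPLE):
        print(f"possible rogue FTP login on {dst}:{dport}")
```

The allowlist is deliberately the only tunable: widening it is exactly the "pass rules above those two rules" Johan suggests, and the remaining hits are what his rules would alert on.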
- Next message: Russell Harding: "Re: Proxy server hit... Any ideas?"