Re: compromised Real Server 8

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 08/29/03

    To: <incidents@securityfocus.com>, "Brian Collins" <listbc@newnanutilities.org>
    Date: Fri, 29 Aug 2003 09:51:04 -0700
    
    

    since you have fport, i suggest getting "bintext" and viewing the binary loading at
    C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\winnt32.exe

    viewing suspected executables in this manner goes a long way to determining the
    type of file in question, and often leads ( me anyway ) viri agent, and its
    possible origin.

    i even have bintext ( http://www.foundstone.com/ ) installed as a right click
    option for anyfile,
    as i have done with notepad for over 7 years.

    fport, bintext and UPX ( common compression agent ) should be in any windows based
    forensics kit,
    and should be in continual use by the system admin on suspected files.

    Donnie Werner
    http://e2-labs.com

    ----- Original Message -----
    From: "Brian Collins" <listbc@newnanutilities.org>
    To: <incidents@securityfocus.com>
    Sent: Friday, August 29, 2003 6:24 AM
    Subject: compromised Real Server 8

    > I have 2 Real Audio servers, version 8, which have apparently been
    > compromised. The machines were patched up to date from Windows Update, so
    > we're pretty sure it wasn't Msblaster or its variants (though we did have a
    > couple of patched machines still get hit). And its traffic patterns seem
    > to confirm this. So we think it was possibly the Real Server vulnerability
    > announced recently. (http://www.securityfocus.com/bid/8476)
    >
    > In the meantime, I believe there's a rootkit installed on it, but I'm not
    > sure exactly how to proceed. They've been good to get me training, but I'm
    > about 2 months shy of going to any incident handling and forensics
    > training, so most of what I've learned I've picked up from here and other
    > places in the security community.
    >
    > FWIW, I've run fport and I see 2 things that don't look normal - the
    > executables running from "C:\WINNT\system32\spool\drivers...."
    >
    > Can anyone tell me if they've seen rootkits that use a similar m/o. I
    > haven't put these guys back on the network yet to capture any packets.
    >
    > Thanks for any assistance,
    > Brian Collins
    > Sys Admin
    > Newnan Utilities
    >
    > ******* output of fport ***********
    > Pid Process Port Proto Path
    > 444 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
    > 8 System -> 445 TCP
    > 500 msdtc -> 1025 TCP C:\WINNT\System32\msdtc.exe
    > 856 MSTask -> 1033 TCP C:\WINNT\system32\MSTask.exe
    > 8 System -> 1078 TCP
    > 892 winnt32 -> 1337 TCP C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\winnt32.exe
    > 500 msdtc -> 3372 TCP C:\WINNT\System32\msdtc.exe
    > 824 netinfo -> 4899 TCP C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\netinfo.exe
    > 972 WinVNC -> 5800 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    > 972 WinVNC -> 5900 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    >
    > 444 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
    > 8 System -> 445 UDP
    > 236 services -> 1026 UDP C:\WINNT\system32\services.exe
    >
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September
    > 6. Visit us: www.blackhat.com
    > ----------------------------------------------------------------------------
    >
    >

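As an added example (not code from this thread, from Foundstone's fport, or from bintext): a small Python parser for fport's report format, fed a copy of the output Brian quoted with the wrapped path lines rejoined. It flags listeners whose executable sits under the printer-driver spool tree, or whose path passes through directories named after reserved Win32 device names (CON, AUX, NUL, COM1-9, LPT1-9; such directories are not reachable through normal Win32 path handling, which is why a file parked there is awkward to open or delete), and it lists the distinct binaries that are worth opening in bintext next. The two flagging rules are assumptions made for this example, not a general baseline of what is normal on a Windows host.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed copy of the fport output quoted in the thread, wrapped lines rejoined.
FPORT_OUTPUT = r"""Pid Process Port Proto Path
444 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 445 TCP
500 msdtc -> 1025 TCP C:\WINNT\System32\msdtc.exe
856 MSTask -> 1033 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1078 TCP
892 winnt32 -> 1337 TCP C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\winnt32.exe
500 msdtc -> 3372 TCP C:\WINNT\System32\msdtc.exe
824 netinfo -> 4899 TCP C:\WINNT\system32\spool\drivers\color\1033\TMP\1033\aux\con\nul\COM\_HHROOT_\System\netinfo.exe
972 WinVNC -> 5800 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
972 WinVNC -> 5900 TCP C:\Program Files\RealVNC\WinVNC\WinVNC.exe
444 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 445 UDP
236 services -> 1026 UDP C:\WINNT\system32\services.exe
"""

# One fport data line: "<pid> <process> -> <port> <proto> [<path>]"; the path may
# contain spaces or be absent (fport prints none for kernel-owned sockets).
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s*(?P<path>.*)$"
)

# Names Win32 reserves for devices. A directory carrying one of these names cannot be
# created or entered through ordinary path handling, so a binary below it is hard to
# inspect or remove with the usual tools.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


@dataclass(frozen=True)
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when fport resolved no on-disk path


def parse_fport(text: str) -> list[Listener]:
    """Parse fport's text report; the header and any blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(
                Listener(int(m["pid"]), m["proc"], int(m["port"]), m["proto"], m["path"].strip())
            )
    return entries


def flag_reasons(entry: Listener) -> list[str]:
    """Reasons this listener looks abnormal; an empty list means nothing was flagged."""
    reasons = []
    if not entry.path:
        return reasons  # no path to inspect
    components = entry.path.upper().split("\\")
    # Only directory components count; the file name itself is components[-1].
    reserved = [c for c in components[:-1] if c in RESERVED_DEVICE_NAMES]
    if reserved:
        reasons.append("reserved device name(s) used as directory: " + ", ".join(reserved))
    if "\\SPOOL\\DRIVERS\\" in entry.path.upper():
        reasons.append("executable loaded from the printer-driver spool tree")
    return reasons


def suspicious(entries: list[Listener]) -> list[tuple[Listener, list[str]]]:
    """Every listener that triggered at least one rule, paired with its reasons."""
    flagged = []
    for e in entries:
        why = flag_reasons(e)
        if why:
            flagged.append((e, why))
    return flagged


def binaries_to_examine(text: str) -> list[str]:
    """Distinct on-disk binaries behind the flagged listeners, for bintext/strings."""
    return sorted({e.path for e, _ in suspicious(parse_fport(text))})


if __name__ == "__main__":
    for e, why in suspicious(parse_fport(FPORT_OUTPUT)):
        print(f"PID {e.pid} {e.process} {e.proto}/{e.port}: {'; '.join(why)}")
    for path in binaries_to_examine(FPORT_OUTPUT):
        print("examine:", path)
```

Run against the quoted report it flags exactly the two listeners Brian singled out (PIDs 892 and 824) and hands back the two paths to pull into bintext; the same parser can be pointed at a saved fport report from any other host, and extra rules (an allowlist of expected ports, a hash check of the path) slot into flag_reasons without touching the parser.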

