Re: looking for help

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 11/05/03

    Date: Wed, 5 Nov 2003 10:49:01 -0800 (PST)
    To: incidents@securityfocus.com
    
    

    Tina...

    Comments/questions inline:
     
    > I too have had a similar incident on one of our
    > Win2k servers but have not been able to define
    > exactly what went on.
    >
    > We had a report of the following showing up in the
    > logs -

    Given the logs, did you ever run fport or openports on
    the system to determine which process was using which
    port?

    > The following was found on this system.
    >
    > WinLog
    > This executable was found to be running and I would
    > suspect that it is not a valid winlog.exe file. This
    > is usually placed on the system for observing
    > sessions (keystroke logger?).

    What exactly would constitute a valid winlog.exe file?

    > EventLog
    > This executable was found to be running and I would
    > suspect that it is not a valid eventlog.exe file. I
    > believe that it was there as an event log modifier
    > so that certain events will not appear in the logs.

    What makes you believe this? Is there any evidence to
    suggest that this is the case? I ask b/c as far as
    I'm aware, there's only one available executable for
    removing arbitrary entries from the Event Log, and
    it's very unstable, and can render a system useless.

    Also, what constitutes a valid eventlog.exe file?
    I've searched both my home and work Win2K systems, and
    don't find any evidence of either a winlog.exe or
    eventlog.exe file. I know that the Event Logs are
    viewed using EventVwr.exe...the Event Viewer.

    > Fport
    > This file was on the server and is sometimes
    > installed with the WinLog.exe and EventLog.exe. In
    > the case of a rogue fport.exe its usual
    > functionality is to hide the rogue ports that are
    > open.

    Interesting...your "rogue" fport.exe sounds like a
    partial rootkit. Were you able to demonstrate or
    prove that it was hiding open "rogue" ports? If so,
    how? From your post, it doesn't appear that you ran
    netstat or fport/openports on the local system.
     
    > r_server.exe possibly a RAT (Remote Administration
    > Trojan). As Symantec AntiVirus did not find any
    > viruses on the system, I can only assume that it was
    > an installed RAT as opposed to a RAT dropped by a
    > virus.

    Symantec is capable of detecting a wide variety of (but
    not all) RATs.

    > The installation batch file for this process
    > is named lolipop.bat which carries out a silent
    > install.

    Do you have a copy of the .bat file?

    > On my initial investigation the r_server
    > process was not running and did not show up in the
    > open ports listing.

    Was this initial investigation done via Task Manager
    and the netstat command, or via some other method?

    > After a reboot however it
    > appeared as a running process listening on TCP port
    > 8150. There were numerous references to it in the
    > registry.

    Where?

    > Registry Entries (Spyware?)
    > Under the registry sub-tree [\HKEY_USERS\*SID
    > Admin*\Software\Microsoft\Internet Explorer] the
    > following was found. It may be that there is or has
    > been a spyware program on the server as there were
    > references to “Explorer Bars”.
    >
    > nmap reported the following open ports -
    >
    > SMTP mail server on port 25.
    > DNS Server on port 53.
    > IIS Web Server on port 80.
    > LDAP Server on port 389.
    > IIS Secure Web Server on port 443.
    > ncacn_http on port 593
    > Terminal Services port 3389
    > VNC Web Server on port 5800.
    > IIS Web Server on port 5838.
    > WinVNC http on port 5900
    > VNC protocol on port 5900
    > Serv-U ftpd on port 8000

    Was any of this confirmed w/ fport/openports?

    Do you have copies of the files you mentioned?

    Thanks,

    Harlan
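The check Harlan keeps asking about, confirming an external nmap scan against a host-local process-to-port listing (fport/openports on Win2K), can be scripted. The following is an added example and not code from this thread or from Foundstone: it parses constructed fport-style and nmap-style output (port numbers taken from the thread; the process names, PIDs and paths are assumptions) and reports ports that the scanner sees open but no local process claims, which is the symptom a port-hiding rootkit would produce, separately from ports the host lists but the scanner did not see (typically firewalled or loopback-bound).

```python
"""Reconcile an external nmap port list against a local fport listing.

Added example (not from the thread). fport output is approximated from memory
of its "Pid Process -> Port Proto Path" column layout; the sample data below is
constructed, with port numbers from the thread and assumed process names/paths.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "pid process path")

# Constructed sample approximating fport's layout. r_server on 8150 is listed
# locally (as the thread describes after reboot) but was not in the nmap list.
FPORT_SAMPLE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
1044  inetinfo       ->  25    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
420   dns            ->  53    TCP   C:\WINNT\System32\dns.exe
1044  inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
388   lsass          ->  389   TCP   C:\WINNT\System32\lsass.exe
1044  inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1044  inetinfo       ->  593   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
812   termsrv        ->  3389  TCP   C:\WINNT\System32\termsrv.exe
1308  WinVNC         ->  5800  TCP   C:\Program Files\ORL\VNC\WinVNC.exe
1044  inetinfo       ->  5838  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1308  WinVNC         ->  5900  TCP   C:\Program Files\ORL\VNC\WinVNC.exe
1520  r_server       ->  8150  TCP   C:\WINNT\System32\r_server.exe
"""

# Constructed sample in nmap's normal "PORT STATE SERVICE" layout; 8000 (Serv-U
# in the thread) is open externally but deliberately absent from FPORT_SAMPLE.
NMAP_SAMPLE = """\
PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
389/tcp  open  ldap
443/tcp  open  https
593/tcp  open  http-rpc-epmap
3389/tcp open  ms-term-serv
5800/tcp open  vnc-http
5838/tcp open  unknown
5900/tcp open  vnc
8000/tcp open  http-alt
"""

FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")
NMAP_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\b")


def parse_fport(text):
    """Return {(proto, port): [Listener, ...]} from fport-style output."""
    listeners = {}
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if not m:
            continue  # banner, column header or blank line
        pid, proc, port, proto, path = m.groups()
        key = (proto.lower(), int(port))
        listeners.setdefault(key, []).append(Listener(int(pid), proc, path))
    return listeners


def parse_nmap(text):
    """Return {(proto, port)} for every port nmap reported as open."""
    open_ports = set()
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            open_ports.add((m.group(2), int(m.group(1))))
    return open_ports


def reconcile(local, remote):
    """Split ports into external-only (suspicious), local-only, and matched."""
    local_keys = set(local)
    return {
        "external_only": sorted(remote - local_keys),
        "local_only": sorted(local_keys - remote),
        "matched": {k: local[k] for k in local_keys & remote},
    }


def report(result):
    """Human-readable summary; external-only ports are the ones to chase."""
    lines = []
    for proto, port in result["external_only"]:
        lines.append(f"!! {port}/{proto} open from outside, no local process "
                     f"claims it (hidden listener, or host tool subverted?)")
    for proto, port in result["local_only"]:
        who = ", ".join(f"{l.process}[{l.pid}]" for l in result["matched"].get((proto, port), []))
        lines.append(f"-- {port}/{proto} listed locally only (filtered/loopback?)")
    for (proto, port), ls in sorted(result["matched"].items()):
        owners = ", ".join(f"{l.process}[{l.pid}] {l.path}".rstrip() for l in ls)
        lines.append(f"ok {port}/{proto} -> {owners}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(parse_fport(FPORT_SAMPLE), parse_nmap(NMAP_SAMPLE))))
```

On a live case the two inputs would be the saved fport/openports output from the box and the nmap output from a second machine; the value of the comparison is that the two views come from different trust domains, so a listener the host cannot see but the network can is exactly the discrepancy that would back up a "rogue fport" claim.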


