Re: svchost exploit on ports 80, 443 &21

From: Alastair Smith (asmith_at_c-it.co.uk)
Date: 04/27/04


Date: 27 Apr 2004 13:34:21 -0700

This problem has generated a lot of interest, yet there still appears
to be no other info on this problem I can find either. I have had
another customer system hacked this week with a similar instance of
this and I am now determined to figure out how this got on to the
server - fortunately it was dead easy to fix after dealing with it the
first time!

This time it was on a Windows 2000 server running SP4 and McAfee; its
only visibility on the web is via port 80 and FTP forwarded via a
router, and I'm pretty sure a virus can be ruled out now. Judging from
what many people have said, the latest updates don't always help that
much apart from perhaps MS04-011, although I'd like to see this
running for a longer duration unhacked before I can be certain.

The hack leaves several source files on the server in the
'c:\winnt\system32\wbem' folder and isn't consistent as to what
executables it uses for the illegal services, possibly linked to
hackers updating this with newer revisions - this time it was in
'tskman.exe'. It had also left a number of files such as a .dll under
the same filename, along with a carun.ocx file that started off with
jumbled text, yet all lines started with a ';' - after drilling down
through the file it had some valid lines at the bottom...

This hack uses the ServU ftp program and places it in this hidden
folder; both instances of this hack had a readme.txt file with several
clues as to what files had been left. From what I have found on
various hacking websites, the majority of which are Russian, I am
almost certain this problem is an exploit of various open ports. It
hints that it is sometimes there to hijack bandwidth for warez servers,
but I could be wrong.

I plan to continue looking into this and will try and post an update
when I have more info.

Regards
Alastair
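An added triage script, not part of the original post, that checks a wbem folder for the indicators Alastair describes: unexpected PE binaries such as tskman.exe and its matching .dll, a readme.txt left behind, and an .ocx that is really a text config whose lines begin with ';'. The EXPECTED allowlist is an assumption for illustration; in practice compare against a baseline from a clean system at the same service-pack level. The sample tree is constructed here and contains no real malware.

```python
import tempfile
from pathlib import Path

# Extensions an intruder used for dropped components in the post (.exe, .dll, .ocx).
CODE_EXTS = {".exe", ".dll", ".ocx", ".sys"}
# Assumed allowlist of legitimate wbem files; replace with a real baseline.
EXPECTED = {"wbemcore.dll", "wmiprvse.exe", "winmgmt.exe", "mofcomp.exe"}

def looks_like_ini(data: bytes) -> bool:
    """True if the bytes are plain ASCII text and at least half of the
    non-blank lines start with ';' (the carun.ocx pattern from the post)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    lines = [l for l in text.splitlines() if l.strip()]
    return bool(lines) and sum(l.lstrip().startswith(";") for l in lines) >= len(lines) / 2

def triage_wbem(folder):
    """Return (filename, reason) pairs for files that match the post's indicators."""
    findings = []
    for p in sorted(Path(folder).rglob("*")):
        if not p.is_file():
            continue
        name, ext = p.name.lower(), p.suffix.lower()
        head = p.read_bytes()[:4096]
        if ext in CODE_EXTS and name not in EXPECTED:
            if head.startswith(b"MZ"):          # PE header: a real executable/DLL
                findings.append((p.name, "unexpected PE binary in wbem"))
            elif looks_like_ini(head):          # text config hiding behind a code extension
                findings.append((p.name, "text config disguised as %s" % ext))
            else:
                findings.append((p.name, "unexpected non-PE file with code extension"))
        elif name == "readme.txt":
            findings.append((p.name, "readme.txt left by intruder"))
    return findings

def build_sample():
    """Constructed sample tree reproducing the post's indicators (harmless stubs)."""
    d = tempfile.mkdtemp()
    files = {
        "wbemcore.dll": b"MZ\x90\x00legit stub",
        "tskman.exe": b"MZ\x90\x00dropped stub",
        "tskman.dll": b"MZ\x90\x00dropped stub",
        "carun.ocx": b";jumbled\n;more jumbled\n[GLOBAL]\nVersion=5\n",
        "readme.txt": b"files left: tskman.exe, tskman.dll, carun.ocx\n",
    }
    for n, b in files.items():
        Path(d, n).write_bytes(b)
    return d

if __name__ == "__main__":
    for name, reason in triage_wbem(build_sample()):
        print(f"{name}: {reason}")
```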
