Re: svchost exploit on ports 80, 443 & 21

From: Alastair Smith (asmith_at_c-it.co.uk)
Date: 04/27/04


Date: 27 Apr 2004 13:34:21 -0700

This problem has generated a lot of interest, yet there still appears
to be no other info on this problem that I can find either. I have had
another customer system hacked this week with a similar instance of
this, and I am now determined to figure out how this got on to the
server - fortunately it was dead easy to fix after dealing with it the
first time!

This time it was on a Windows 2000 server running SP4 and McAfee; its
only visibility on the web is via port 80 and FTP forwarded via a
router, and I'm pretty sure a virus can be ruled out now. Judging from
what many people have said, the latest updates don't always help that
much apart from perhaps MS04-011, although I'd like to see this
running for a longer duration unhacked before I can be certain.

The hack leaves several source files on the server in the
'c:\winnt\system32\wbem' folder and isn't consistent as to what
executables it uses for the illegal services, possibly linked to
hackers updating this with newer revisions - this time it was in
'tskman.exe'. It had also left a number of files such as a .dll under
the same filename, along with a carun.ocx file that started off with
jumbled text, yet all lines started with a ';' - after drilling down
through the file it had some valid lines at the bottom...

This hack uses the ServU ftp program and places it in this hidden
folder; both instances of this hack had a readme.txt file with several
clues as to what files had been left. From what I have found on
various hacking websites, the majority of which are Russian, I am
almost certain this problem is an exploit of various open ports. It
hints that it is sometimes there to hijack bandwidth for warez servers,
but I could be wrong.

I plan to continue looking into this and will try and post an update
when I have more info.

Regards
Alastair
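An added triage helper in the spirit of the post above (example code, not from the original thread or its author): it diffs a wbem directory listing against an assumed clean baseline, marks the file names the post mentions, and pulls the real lines out of a file padded with ';' comment lines, as described for carun.ocx. The baseline, the extra file names and the sample file contents are constructed for illustration.

```python
# Triage helper for the c:\winnt\system32\wbem artefacts described in the
# post.  Everything below that is not a name from the post is constructed.

# File names the post reports being dropped into the wbem folder.
REPORTED_NAMES = {"tskman.exe", "tskman.dll", "carun.ocx", "readme.txt"}


def flag_wbem_entries(current, baseline):
    """Return (name, reason) for listing entries that need a closer look.

    current  - names found in the wbem folder now
    baseline - names from a known-clean install (assumed to be available)
    Entries named in the incident report are flagged first; anything else
    absent from the baseline is flagged as new.  Order follows `current`.
    """
    known = {n.lower() for n in baseline}
    hits = []
    for name in current:
        lower = name.lower()
        if lower in REPORTED_NAMES:
            hits.append((name, "named in incident report"))
        elif lower not in known:
            hits.append((name, "not in baseline listing"))
    return hits


def strip_comment_padding(text):
    """Drop ';'-prefixed filler and blank lines, keeping the real content
    that the post found hidden at the bottom of carun.ocx."""
    kept = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith(";"):
            kept.append(s)
    return kept


def looks_padded_config(text, min_ratio=0.8):
    """True when most non-empty lines are ';' filler but some content remains,
    the shape described for the disguised .ocx file."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        return False
    filler = sum(1 for l in lines if l.startswith(";"))
    return filler / len(lines) >= min_ratio and filler < len(lines)


# Constructed sample data: a pretend clean listing, a pretend current
# listing, and a pretend ';'-padded file.  Not from a real system.
SAMPLE_BASELINE = ["wbemcore.dll", "mofcomp.exe", "Logs", "Repository"]
SAMPLE_CURRENT = ["wbemcore.dll", "mofcomp.exe", "Logs", "tskman.exe",
                  "carun.ocx", "readme.txt", "svcupd.dll"]
SAMPLE_OCX = "\n".join([";kfj3 9s8df", "; asdkj", ";;;; qq"] * 4
                       + ["[Settings]", "Port=21"])
```

Running `flag_wbem_entries(SAMPLE_CURRENT, SAMPLE_BASELINE)` on the constructed listing flags the three reported names plus the unexplained svcupd.dll, and `strip_comment_padding(SAMPLE_OCX)` returns just the two real lines.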