Re: Security Problem...

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 02/11/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Mon, 10 Feb 2003 19:48:40 -0500


Your computer is listening on TCP 80. My guess is that you have an IIS web
site instance that you're not aware of, and that possibly the logs are being
written to a different folder or location [or not at all]. Although if your
firewall is really blocking TCP 80, then maybe this isn't the case, or maybe
the FTP software was installed when you temporarily weren't running a
firewall or something.

If this was a compromise that came through IIS web services, installing
URLScan would probably block this stuff from ever happening and would
probably have let you see the original infection [though there are other
things you should do besides just install URLScan and install patches to
secure a server, all mentioned in the links I gave you].

Your computer is listening on a lot of ports, and some of them may be
suspicious. Under XP, you can get more information by running NETSTAT -ANO
to look and see which executable is listening on each port. In Windows
2000, you have to download and run Vision for free from
www.foundstone.com/knowledge to get the same information. I believe XP to
be as vulnerable as 2000 to this sort of thing, though this sort of hacking
is becoming way more common lately.

"Greg" <greg_68@hotmail.com> wrote in message
news:O6WEXKT0CHA.1888@TK2MSFTNGP09...
> The text file that I found on my system is named 1.txt and I found it in my
> c:\temp\ directory. This has happened before on other installations of
> Windows XP that I've done locally and I had found the text (named something
> else at the time) in c:\ and d:\.
>
> I checked the IIS web server and FTP server logs and the only IP address is
> mine. I have them both set to show full details (I set that a long time
> ago).
>
> As far as my Firewall logs, here's what's listed under connections:
>
> Local Service Port   Remote IP Address   Remote Service Port
> 1027                 localhost           4323, 4321, 4301 (and other 42xx and 43xx)
> 4328                 (pop3 server)       110
>
> those repeat. Under the firewall logs it shows a lot of:
>
> TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
> Source IP address: 66.201.243.169
> Destination IP address: desktop(68.2.207.254)
> TCP Source Port: http(80)
> TCP Destination Port: 9488
> TCP Message Flags: 0x00000011
>
> all from the same IP address.
>
> Here's what "netstat -an | find /i "Listen" (as recommended by another
> person's post) shows (I added 90 and 91 for the IIS web server, although I
> only need one):
>
> Proto Local Address Foreign Address State
> TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:90 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:91 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1415 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:3744 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:4293 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:4294 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
> TCP 68.2.207.254:25 0.0.0.0:0 LISTENING
> TCP 68.2.207.254:139 0.0.0.0:0 LISTENING
> TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
> TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
> TCP 127.0.0.1:43958 0.0.0.0:0 LISTENING
> TCP 192.168.178.1:139 0.0.0.0:0 LISTENING
> TCP 192.168.255.1:139 0.0.0.0:0 LISTENING
>
> here's established:
> TCP 68.2.207.254:4294 207.46.248.16:119 ESTABLISHED
> TCP 127.0.0.1:1027 127.0.0.1:4293 ESTABLISHED
> TCP 127.0.0.1:4293 127.0.0.1:1027 ESTABLISHED
>
> Applications I have open are Outlook, Outlook Express, and Borland Delphi.
> I also have Microsoft SQL Server 2000 Developer installed and MySQL 4. Both
> services are currently disabled. And PostCast SMTP Server. And then of
> course, Norton Personal Firewall and Norton Anti-Virus.
>
> Thanks for the links, I'll take a look at them and make changes.
>
> The odd thing about this is that it's happened to me over the last year or
> so about 4 times. It didn't happen when I had a Linksys Router hooked up.
> I no longer have it, so maybe I should just buy a new router and format. I
> also never had this problem with Windows 2000 Professional. Only since
> installing Windows XP. Maybe it's just a coincidence.
>
> I was really hoping to find out exactly how this is happening to help
> prevent it in the future and also warn others that I know about it.
>
> "x y, mvp" <levinson_k@despammed.com> wrote in message
> news:O$7YGdS0CHA.1624@TK2MSFTNGP10...
> > You could probably tell us... where are you seeing those requests to
> > download those files? Which log? Is there anything in your IIS web server
> > logs? What are you seeing in your firewall logs that is INCOMING to your
> > computer, and what are the ports being used?
> >
> > A very typical scenario is for a hacker to use an IIS web service
> > vulnerability where specially crafted URL requests are sent to the web
> > server that cause your computer to try to download an FTP server, usually
> > Serv-U FTP. There are probably other vectors of entry besides just IIS www.
> > If this is the case, you'll see all this on your web server logs, assuming
> > logging is enabled.
> >
> > Besides enabling logging and monitoring the logs on your firewall and IIS
> > services, the fix is to completely harden your computer like so:
> >
> > http://securityadmin.info/faq.htm#hacked
> > http://securityadmin.info/faq.htm#ftpfolder
> > http://securityadmin.info/faq.htm#iislogs2
> > http://securityadmin.info/faq.htm#iislogs
> > http://securityadmin.info/faq.htm#re-secure
> > http://securityadmin.info/faq.htm#harden
> >
> > Once hackers are able to remotely execute code on your computer, as it seems
> > they are currently able to do, you have no clear way to be 100% certain that
> > there are not other back doors installed to allow continued remote access to
> > your system. Your choices are to format and reinstall everything properly,
> > or to try your best to remove what you can find and hope that's enough.
> > Either choice might be acceptable depending on your need for security.
> > Further instructions:
> >
> >
> >
> > "Greg" <greg_68@hotmail.com> wrote in message
> > news:Or6XEDJ0CHA.1812@TK2MSFTNGP11...
> > > I know those are the tools that would be used for making an FTP server.
> > > What I want to know is how the text file is getting sent to me. Is it
> > > getting sent through a flaw in IIS, or Windows, or what? The firewall
> > > doesn't seem to know anything about it.
> > >
> > > I don't have an FTP server running (FTP with IIS is installed; but disabled
> > > unless I use it to transfer files). That IP address isn't mine. I've
> > > experienced this with ZoneAlarm, Norton Personal Firewall, and Microsoft's
> > > built-in firewall. I do have many years of network experience and normally
> > > use hardware firewalls but this is my home computer so I wasn't going to buy
> > > one.
> > >
> > >
> > > > FTP is running at open 68.104.136.245 1415.
> > > > Your machine is the FTP server; the FTP you blocked are the tools you'd
> > > > use if you wanted to FTP to another machine.
> > > >
> > > > Better get some network experience or you'll get hacked fast.
> > > >


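The triage Karl describes (NETSTAT -ANO to tie each listening port to a process, and reading the firewall's dropped-packet entries) as an added worked example. This is my code, not anything posted in the thread or shipped by Microsoft, Norton or Foundstone. It parses `netstat -ano` style output and the Norton log entry quoted above. The PID column in the sample is invented for illustration, and the port hints (including the Serv-U local admin port 43958) are assumed defaults, not findings about Greg's machine.

```python
"""Triage of 'netstat -ano' output and a Norton firewall log entry.  Added
example for the thread above, not a participant's code; PIDs and port hints are assumed."""
import re
from collections import defaultdict, namedtuple

Socket = namedtuple("Socket", "proto addr port foreign state pid")

# Constructed sample: the poster's listening ports plus a made-up PID column.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1415           0.0.0.0:0              LISTENING       2040
  TCP    0.0.0.0:3744           0.0.0.0:0              LISTENING       2712
  TCP    68.2.207.254:25        0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING       2040
  TCP    68.2.207.254:4294      207.46.248.16:119      ESTABLISHED     3012
  UDP    0.0.0.0:445            *:*                                    4
"""
# Assumed default meanings of ports; triage hints, not findings about this host.
PORT_HINTS = {25: "SMTP", 80: "HTTP (IIS)", 443: "HTTPS (IIS)", 445: "SMB over TCP",
              43958: "Serv-U FTP local admin port (default in older Serv-U versions)"}

def parse_netstat(text):
    """Parse netstat -ano lines into Socket records; UDP lines carry no state."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP":
            proto, local, foreign, state, pid = f
        else:
            proto, local, foreign, pid = f
            state = None
        addr, port = local.rsplit(":", 1)
        out.append(Socket(proto, addr, int(port), foreign, state, int(pid)))
    return out

def triage_listeners(sockets):
    """{(port, pid): note} for hinted ports and for unknown high ports that are
    bound to something other than loopback."""
    notes = {}
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        if s.port in PORT_HINTS:
            notes[(s.port, s.pid)] = PORT_HINTS[s.port]
        elif not s.addr.startswith("127.") and s.port >= 1024:
            notes[(s.port, s.pid)] = 'unknown high port exposed; check tasklist /fi "PID eq %d"' % s.pid
    return notes

def pids_sharing_ports(sockets):
    """Listening TCP ports grouped by PID, kept where one process owns several:
    the correlation a plain netstat -an (no PID column) cannot give you."""
    by_pid = defaultdict(set)
    for s in sockets:
        if s.proto == "TCP" and s.state == "LISTENING":
            by_pid[s.pid].add(s.port)
    return {pid: ports for pid, ports in by_pid.items() if len(ports) > 1}

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def decode_tcp_flags(value):
    """The log prints the TCP flags byte in hex: 0x11 -> 'FIN,ACK'."""
    return ",".join(name for bit, name in TCP_FLAG_BITS if value & bit) or "none"

# The firewall entry quoted in the thread, reproduced as constructed input.
SAMPLE_FW_ENTRY = """\
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
Source IP address: 66.201.243.169
Destination IP address: desktop(68.2.207.254)
TCP Source Port: http(80)
TCP Destination Port: 9488
TCP Message Flags: 0x00000011
"""

def parse_fw_entry(text):
    """Extract one entry's fields and classify the packet: SYN without ACK is an
    inbound connection attempt; FIN/RST/ACK from a server port to an ephemeral
    local port is the tail of a connection this host opened, dropped for lack of state."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    sport = int(grab(r"TCP Source Port:\s*(?:\w+\()?(\d+)"))
    dport = int(grab(r"TCP Destination Port:\s*(?:\w+\()?(\d+)"))
    flags = decode_tcp_flags(int(grab(r"Flags:\s*0x([0-9A-Fa-f]+)"), 16))
    fset = set(flags.split(","))
    if "SYN" in fset and "ACK" not in fset:
        verdict = "inbound connection attempt"
    elif sport < 1024 and dport >= 1024 and fset & {"FIN", "RST", "ACK"}:
        verdict = "late teardown from a server this host had connected to"
    else:
        verdict = "unclassified; inspect"
    return {"src": grab(r"Source IP address:\s*(\S+)"), "sport": sport,
            "dport": dport, "flags": flags, "verdict": verdict}

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for (port, pid), note in sorted(triage_listeners(socks).items()):
        print("port %5d  pid %5d  %s" % (port, pid, note))
    print(parse_fw_entry(SAMPLE_FW_ENTRY))
```

Two things the script makes visible that the posted `netstat -an` cannot: grouping by PID shows when one process owns both an exposed port (1415 in the sample) and a loopback-only port (43958), which is the question to put to `tasklist` next; and decoding `0x00000011` as FIN+ACK from source port 80 to a high local port says the quoted firewall line is the tail of a web connection the desktop itself had opened, not an inbound probe, so it is not where the 1.txt drop came from.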