Re: VPN server

From: karl [x y] (jamescagney90210@excite.com)
Date: 07/30/02


From: "karl [x y]" <jamescagney90210@excite.com>
Date: Tue, 30 Jul 2002 13:41:11 -0400


Yes, that's not too uncommon. I'm not sure why they didn't just use the
TFTP.EXE command that comes on windows 2000, unless your firewall blocks
TFTP, or they wanted to use your computer as an FTP server to host "warez"
files for download. If the latter was the case, you could check your hard
drive for a drastic drop in free disk space.

"Snigdha" <snigdha20@yahoo.com> wrote in message
news:uUIZ0j9NCHA.1352@tkmsftngp11...
> I found out there is a App name FTPasp installed in my test server by the
> hacker.
> They must have used this app to upload exes like sfind.exe. And then used
> IIS to run
> those files.
> SN
>
> "karl [x y]" <jamescagney90210@excite.com> wrote in message
> news:eQJ2L9wNCHA.2340@tkmsftngp08...
> > Looks possible. I'm guessing this is not the start of the intrusion, but
> > the middle. The source of the intrusion might be earlier in the logs [or
> > it might have been through another avenue]. I'm guessing they would have
> > needed to download the sfind program from an FTP server under their
> > control to your computer, possibly using a TFTP command. The FTP server
> > IP address might or might not be a clue to their identity [it is possibly
> > a machine that they compromised, but the ISP that owns that IP address
> > would probably be interested to know that the machine was compromised,
> > and might be able to help you figure out the IP address being used to
> > control the FTP server].
> >
> > "Snigdha" <snigdha20@yahoo.com> wrote in message
> > news:#ihLHSwNCHA.1772@tkmsftngp09...
> > > Thanks Karl,
> > > Looks like they came through the IIS system.
> > > The log file looks like:
> > > #Software: Microsoft Internet Information Services 5.0
> > > #Version: 1.0
> > > #Date: 2002-07-26 00:03:10
> > > #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
> > > 2002-07-26 00:03:10 218.2.131.246 - 142.14.24.230 80 GET /scripts/cmd1.exe /c+type+sfind.txt 502 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705)
> > > 2002-07-26 02:04:17 63.198.147.91 - 142.14.24.230 80 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
> > > 2002-07-26 02:04:32 63.198.147.91 - 142.14.24.230 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\inetpub\scripts 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
> > > 2002-07-26 02:04:40 63.198.147.91 - 142.14.24.230 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\inetpub\scripts 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
> > > 2002-07-26 02:04:51 63.198.147.91 - 142.14.24.230 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+type+c:\inetpub\scripts\sfind.txt 502 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
> > >
> > >
> > > "karl [x y]" <jamescagney90210@excite.com> wrote in message
> > > news:#SXhQ8vNCHA.2420@tkmsftngp11...
> > > > "Snigdha" <snigdha20@yahoo.com> wrote in message
> > > > news:e3tmGrvNCHA.2340@tkmsftngp12...
> > > > > I am just testing installing a test VPN server on a win2k machine. I
> > > > > left the server running this weekend. The server got hacked. My ISP
> > > > > has taken my machine off the network. When I logon to the machine I
> > > > > found out it is running cmd.exe, sfind.exe, 1.tmp, irc.exe in my task
> > > > > manager list. Is there any info out there on these processes?
> > > >
> > > > Yes, nowadays you really should not be putting unsecured systems onto
> > > > the internet, even "just a test machine," as it could be a stepping
> > > > stone for a hacker to get past your firewall and onto your regular
> > > > network. Other machines on your network could be compromised.
> > > >
> > > > It's hard to tell what a file does and what a hacker did with it from a
> > > > file name. Running a trojan detector such as www.gfi.com or
> > > > www.pestpatrol.com might tell you about some of those files. If this
> > > > machine was infected with a worm, installing and running an antivirus
> > > > program might help as well. Installing Sygate firewall and running fprot
> > > > from foundstone.com might also let you see what ports are being used to
> > > > communicate, which is a clue. I would also check your IIS web and FTP
> > > > server and firewall/router logs, assuming logging is enabled. [check for
> > > > any line containing .EXE or % and that also contains a 200 or 502 result
> > > > code]. Doing this could tell you exactly what commands were used to take
> > > > control of the machine.
> > > >
> > > > If one of those files is a renamed nc.exe aka netcat, that file has a
> > > > lot of different purposes. cmd.exe might or might not be a dos
> > > > prompt/command shell that could allow the hacker to remotely execute
> > > > commands on your system, possibly using URLs sent to IIS web services
> > > > that cause buffer overflows. irc.exe might or might not be a file that
> > > > makes your system connect as a zombie to an IRC newsgroup and advertise
> > > > its presence, waiting for a hacker to take control of it through the IRC
> > > > channel. 1.tmp might or might not be a sniffer program collecting
> > > > passwords or the sniffer log file itself, netcat, an ftp program, etc.
> > > > sfind.exe might or might not be a program [possibly from foundstone.com]
> > > > that manipulates files that are hidden from you by using file streams
> > > > [e.g. a file is named boot.ini|hackertool.exe so that without a special
> > > > tool, all you see is the boot.ini file... in other words, there might be
> > > > other hacker files on your system]. Using sfind from foundstone.com or
> > > > streams.exe from sysinternals.com might help you find these files.
> > > > http://lists.jammed.com/forensics/2001/12/0010.html
> > > >
> > > > The only way to completely be sure this system is clean is to format and
> > > > reinstall windows. This is because you might miss a hidden login ID or a
> > > > back door that would let the hacker back in. However, before you do
> > > > this, you probably want to determine how the intrusion took place, as
> > > > this will help you guard against the same thing happening next time, and
> > > > might help you determine whether other machines have been compromised.
> > > >
> > > > To secure your system, install all microsoft update patches, IISlockdown
> > > > including URLscan, and perform the securing windows / IIS checklists
> > > > which are all found at www.microsoft.com/security BEFORE making the
> > > > server visible from the internet. Antivirus program that downloads
> > > > updates daily, firewall hardware and software [such as sygate which is
> > > > free for non-commercial use and Netgear which starts at just $70 US], a
> > > > file change monitor like Languard file integrity checker from
> > > > www.gfi.com are all good ideas.
> > > >
> > > > The book Incident Response is a good introduction to how to deal with
> > > > and recognize incidents like this, and Hacking Exposed 3rd edition is a
> > > > good overview of how to secure your system and how systems are
> > > > compromised.
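
One way to run karl's log check from the thread (any line containing .EXE or % that also has a 200 or 502 result code) over an IIS 5.0 W3C-extended log like the one Snigdha posted. This is an added example, not code from anyone in the thread: it reads the column names from the #Fields directive, applies the heuristic, and additionally decodes the URI stem so a %5c-encoded traversal is reported as such. The sample log is constructed for the example and uses documentation-range addresses, not the real ones from the post.

```python
from urllib.parse import unquote

# Constructed sample in the IIS 5.0 W3C-extended layout shown in the thread
# (documentation-range IPs, not the addresses from the posted log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-07-26 00:01:00 203.0.113.5 - 192.0.2.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible)
2002-07-26 00:03:10 203.0.113.7 - 192.0.2.10 80 GET /scripts/cmd1.exe /c+type+sfind.txt 502 Mozilla/4.0+(compatible)
2002-07-26 02:04:17 198.51.100.9 - 192.0.2.10 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 200 Mozilla/4.0+(compatible)
2002-07-26 02:05:00 198.51.100.9 - 192.0.2.10 80 GET /images/logo.gif - 404 Mozilla/4.0+(compatible)
"""

STATUS_OF_INTEREST = {"200", "502"}   # karl's heuristic: served, or ran and failed

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                       # other directive, blank, or no header yet
        else:
            parts = line.split(" ", len(fields) - 1)   # last field keeps any remainder
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def classify(rec):
    """Return a reason string if the record matches the heuristic, else None."""
    if rec["sc-status"] not in STATUS_OF_INTEREST:
        return None
    stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
    decoded = unquote(stem)
    if "%" in stem and ("..\\" in decoded or "../" in decoded):
        return "encoded-traversal"         # e.g. ..%5c decodes to ..\
    if ".exe" in (stem + " " + query).lower():
        return "exe-request"
    if "%" in stem + query:
        return "encoded-chars"
    return None

def suspicious_requests(text):
    """(c-ip, sc-status, cs-uri-stem, cs-uri-query, reason) for each matching line."""
    hits = []
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            hits.append((rec["c-ip"], rec["sc-status"], rec["cs-uri-stem"],
                         rec["cs-uri-query"], reason))
    return hits
```

Lines flagged as encoded-traversal are the ones worth reading first, since in the posted log they are the requests that actually reached cmd.exe with a 200.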
