Educause Security Discussion mailing list archives
Re: Eggdrop Backdoors on TCP 145 and 2583
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Sat, 17 Jan 2004 15:21:44 -0500
Cam -

We haven't seen that particular MO (but will be on the lookout for it now). What we did see in the past week was a compromise of a good number of PCs which had weak or blank passwords for administrative level accounts.

The specifics were:

They were initially running a rogue Serv-U FTP service at TCP port 8079 as well as an IRC proxy/bot. In addition they were connected to an IRC server on the Internet (63.168.242.220, which has a PTR rec to canonical DNS name "220.kireircd-biteme", which is not a real FQDN...).

When we blocked access to TCP port 8079 inbound as well as access to IP address 63.168.242.220 ("220.kireircd-biteme"), we noticed that the compromised "zombie" PCs switched over to running the Serv-U FTP server at TCP port 81 instead and connected to a different IRC server to receive their commands (IP address 209.126.201.99, DNS canonical name desire.of.hotgirlz.org, which also has a CNAME I won't list here or this message won't make it through a lot of message filters).

We primarily found this unnamed "worm/trojan" infection affecting NT 4.0 Workstation and Windows 2000 Professional PCs, though there may have been an XP Pro PC (we are still checking).

We caught on tape the infected PCs attempting to connect to TCP port 445 (microsoft-ds) on other PCs on our network and log in as administrator using a number of guessed passwords -- and therefore believe this is the primary vector of infection.

On compromised machines we found the following files associated with the attack:

  C:\WINNT\system32\svchost16.dll   (config file for DCC?)
  C:\WINNT\system32\svchost32.dll   (config file for DCC?)
  C:\WINNT\system\lsass.exe         (Serv-U FTP server)
  C:\WINNT\system\dllcache.dll      (PID?)
  C:\WINNT\system\svchost.exe       (IRC proxy/bot server)
  C:\WINNT\system\sys32.dll         (unknown)
  C:\WINNT\system\sys32.dll.bkup    (unknown)
  C:\WINNT\system\winlogon.exe      (FireDaemon utility - see http://www.firedaemon.com/ )
  C:\winnt\system32\svchost.dat     (DCC welcome message)
  C:\winnt\system32\svchost.dll     (Cygwin DLL)

The bogus winlogon.exe was a utility named FireDaemon which was used to run processes as two bogus 'services' (which we believe were used in breaking into add'l PCs on the network and propagating):

  WIN2K    (Cryptographic Services Helper)
  SETUP32  (Windows Time Helper)

Norton, McAfee, etc. had no record of this worm / trojan combo.

David Snyder, Matt Regan, Allison MacFarlan and several others at Yale worked to assemble the above information.

- H. Morrow Long
  Director - Information Security Office
  Yale University, ITS

On Jan 17, 2004, at 12:54 PM, Cam Beasley, ISO wrote:

> Anyone found Eggdrop backdoors listening on TCP 145 or 2583 in the past 3-4 days?
>
>   TCP 145:  [Login:]
>   TCP 2583: [Microsoft Update listner...]
>
> The files common are:
>
>   - injectt.exe (or inject.exe)
>   - tback.dll
>   - tinject.dll
>
> The backdoor is injected into LSASS.exe in all of my examples.
>
> More on this Trojan at:
>
>   # http://www.megasecurity.org/trojans/w/wineggdrop/Wineggdropshell_eternity.html
>   # http://securityresponse.symantec.com/avcenter/venc/data/backdoor.eggdrop.html
>
> Just curious, b/c I have found a few and I'm trying to confirm the attack vector.
>
> ~cam.
>
> Cam Beasley
> ITS - Information Security Office
> The University of Texas at Austin
> cam () mail utexas edu
> ---------------------------
> Report Abuse To: - abuse () utexas edu
> ---------------------------
>
> ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
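Two network-side checks for the propagation behaviour Morrow Long describes, written here as an added example (not code from either poster): a per-source count of distinct peers contacted on TCP 445 within a short window, which is what a password-guessing worm walking a subnet looks like from a firewall or flow log, and a match against the IRC server addresses and rogue Serv-U ports named in the message. The log line format, the ten-peer/five-minute threshold and the IRC port 6667 in the sample are assumptions; the sample lines are constructed, not captured traffic.

```python
"""Spot the propagation pattern described in the message: one host opening
TCP 445 to many distinct peers in a short window, plus any contact with the
IRC servers and rogue Serv-U ports it names."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted from the message.
IRC_SERVERS = {"63.168.242.220", "209.126.201.99"}
ROGUE_FTP_PORTS = {8079, 81}   # 81 is noisy on its own; treat a hit as corroborating only

# Assumed log format (firewall / flow export): "<date> <time> <src>:<sport> -> <dst>:<dport> tcp"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) tcp$"
)

# Constructed sample, not real traffic: 10.0.0.5 sweeps twelve peers on 445
# in under two minutes, 10.0.0.9 is an ordinary admin workstation, and the
# IRC port 6667 is an assumption (the message gives only the server address).
SAMPLE_LOG = [
    f"2004-01-15 14:0{i // 6}:{(i % 6) * 10:02d} 10.0.0.5:{1200 + i} -> 10.0.1.{i + 1}:445 tcp"
    for i in range(12)
] + [
    "2004-01-15 14:00:05 10.0.0.9:2001 -> 10.0.2.10:445 tcp",
    "2004-01-15 14:00:07 10.0.0.9:2002 -> 10.0.2.11:445 tcp",
    "2004-01-15 14:00:09 10.0.0.9:2003 -> 10.0.2.12:445 tcp",
    "2004-01-15 14:03:00 10.0.0.5:1300 -> 63.168.242.220:6667 tcp",
    "2004-01-15 14:04:00 198.51.100.7:50000 -> 10.0.0.5:8079 tcp",
    "2004-01-15 14:04:30 10.0.0.9:2010 -> 203.0.113.5:80 tcp",
]


def parse(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   m.group(2), m.group(3), int(m.group(4)))


def find_smb_fanout(events, threshold=10, window=timedelta(minutes=5)):
    """Return {src: peak distinct 445 peers seen in any window} for sources at or above threshold.

    Distinct destinations are counted, so a host retrying one file server many
    times does not trip the rule, while a host walking a subnet does.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window forward
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def find_indicator_hits(events):
    """Connections to the named IRC servers, or to either rogue Serv-U port (any direction)."""
    hits = set()
    for _, src, dst, dport in events:
        if dst in IRC_SERVERS or dport in ROGUE_FTP_PORTS:
            hits.add((src, dst, dport))
    return sorted(hits)


if __name__ == "__main__":
    ev = list(parse(SAMPLE_LOG))
    print("445 fan-out:", find_smb_fanout(ev))
    print("indicator hits:", find_indicator_hits(ev))
```

The fan-out rule is the durable part: the IRC addresses changed as soon as Yale blocked them, and the Serv-U port moved from 8079 to 81, but a host that has to guess administrator passwords over 445 still has to touch many peers to spread.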
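A banner check for the two Eggdrop listeners Cam Beasley asks about, added here as an example (not code from either poster or from the Eggdrop references linked). It connects to TCP 145 and 2583, lets the service speak first, and matches the bytes against the two banners reported in his message; the match is on banner content rather than port number, so the same check catches the backdoor if it is moved to another port. The loopback stand-in server is constructed so the script runs offline; the timeouts and the assumption that the listener sends its banner unprompted are mine.

```python
"""Check a host's TCP 145 and 2583 for the Eggdrop login banners reported
in the thread, by connecting and waiting for the listener to speak first."""
import socket
import threading

# Banner fragments quoted from the message; "listner" is spelled as observed.
EGGDROP_BANNERS = {145: b"Login:", 2583: b"Microsoft Update listner"}


def grab_banner(host, port, timeout=3.0, nbytes=256):
    """Return the first bytes a listener sends, or b"" if the port is closed or stays silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(nbytes)
            except socket.timeout:
                return b""
    except OSError:
        return b""


def classify(banner):
    """Map a banner to the Eggdrop port it is known from in the thread, or None."""
    for port, fragment in EGGDROP_BANNERS.items():
        if fragment in banner:
            return port
    return None


def check_host(host, ports=(145, 2583), timeout=3.0):
    """For each port: (raw banner, matched Eggdrop port or None)."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        results[port] = (banner, classify(banner))
    return results


def serve_banner_once(banner):
    """Constructed stand-in for a compromised host: send one banner on an
    ephemeral loopback port to the first client, then exit. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    fake = serve_banner_once(b"Microsoft Update listner...\r\n")
    for port, (banner, hit) in check_host("127.0.0.1", ports=(fake,)).items():
        print(port, banner, f"matches Eggdrop {hit} banner" if hit else "no match")
```

Against real hosts, run it from a scanner box toward the subnets in question with `check_host(ip)`; a `(b"", None)` result means closed or silent, not clean, so pair it with the host-side file checks Cam lists.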
Current thread:
- Eggdrop Backdoors on TCP 145 and 2583 Cam Beasley, ISO (Jan 17)
- <Possible follow-ups>
- Re: Eggdrop Backdoors on TCP 145 and 2583 H. Morrow Long (Jan 17)
- Re: Eggdrop Backdoors on TCP 145 and 2583 Jeni Li (Jan 18)