Educause Security Discussion mailing list archives

Re: Eggdrop Backdoors on TCP 145 and 2583


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Sat, 17 Jan 2004 15:21:44 -0500

Cam - We haven't seen that particular MO (but will be on the lookout for it now).

What we did see in the past week was a compromise of a good number of PCs which had weak or blank passwords for administrative level accounts.

The specifics were:

They were initially running a rogue Serv-U FTP service at TCP port 8079 as well as an IRC proxy/bot. In addition they were connected to an IRC server on the Internet ( 63.168.242.220 which has a PTR rec to canonical DNS name "220.kireircd-biteme" which is not a real FQDN...).

When we blocked access to TCP port 8079 inbound as well as access to IP address 63.168.242.220 ( "220.kireircd-biteme" ) we noticed that the compromised "zombie" PCs switched over to running the Serv-U FTP server at TCP port 81 instead and connected to a different IRC server to receive their commands ( IP address 209.126.201.99 DNS canonical name desire.of.hotgirlz.org which also has a CNAME I won't list here or this message won't make it through a lot of message filters).

We primarily found this unnamed "worm/trojan" infection affecting NT 4.0 Workstation and Windows 2000 Professional PCs though there may have been an XP Pro PC (we are still checking). We caught on tape the PCs infected attempting to connect to TCP port 445 (microsoft-ds) on other PCs on our network and login as administrator using a number of guessed passwords -- and therefore believe this is the primary vector of infection.

On compromised machines we found the following files associated with the attack:

C:\WINNT\system32\svchost16.dll        (config file for DCC?)
C:\WINNT\system32\svchost32.dll        (config file for DCC?)
C:\WINNT\system\lsass.exe              (Serv-U FTP server)
C:\WINNT\system\dllcache.dll           (PID?)
C:\WINNT\system\svchost.exe            (IRC proxy/bot server)
C:\WINNT\system\sys32.dll              (unknown)
C:\WINNT\system\sys32.dll.bkup         (unknown)
C:\WINNT\system\winlogon.exe           (FireDaemon utility - see http://www.firedaemon.com/ )
C:\winnt\system32\svchost.dat          (DCC welcome message)
C:\winnt\system32\svchost.dll          (Cygwin DLL)

The bogus winlogon.exe was a utility named firedaemon which was used to run processes as two bogus 'services' (which we believe were used in breaking into add'l PCs on the network and propagating):

WIN2K           (Cryptographic Services Helper)
SETUP32         (Windows Time Helper)

       Norton, McAfee, etc. had no record of this worm / trojan combo.

       David Snyder, Matt Regan, Allison MacFarlan and several others at Yale
       worked to assemble the above information.

- H. Morrow Long
  Director - Information Security Office
  Yale University, ITS

On Jan 17, 2004, at 12:54 PM, Cam Beasley, ISO wrote:

Anyone found Eggdrop backdoors
listening on TCP 145 or 2583 in
the past 3-4 days?

TCP 145:        [Login:]
TCP 2583:       [Microsoft Update listner...]

The files common are:

        - injectt.exe (or inject.exe)
        - tback.dll
        - tinject.dll

The backdoor is injected into LSASS.exe
in all of my examples.

More on this Trojan at:

- http://www.megasecurity.org/trojans/w/wineggdrop/Wineggdropshell_eternity.html
- http://securityresponse.symantec.com/avcenter/venc/data/backdoor.eggdrop.html

Just curious, b/c I have found a few
and I'm trying to confirm the attack vector.

~cam.

Cam Beasley
ITS - Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
---------------------------
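Both messages above are essentially lists of host and network indicators: the dropped files and FireDaemon services from the Yale report, and the listening ports and injected DLLs from the UT Austin report. The following is an added example (not code from either poster or their institutions) of a small host-triage script that matches those indicators against data an investigator would have collected from a suspect PC: a file listing, the service table, and netstat output. The indicator values are copied from the two messages; the sample host data, the function names, and the outbound-445 threshold are constructed for the demonstration. One thing it adds beyond the lists themselves is a check that the real NT/2000 binaries named lsass.exe, svchost.exe and winlogon.exe belong in system32, so any copy of those names elsewhere (as in the C:\WINNT\system drops reported) is worth a look.

```python
"""Host triage for the indicators reported in this thread (added example).

Indicator values (paths, service names, ports, IPs, file names) come from
the two messages above. The SAMPLE_* data below is constructed for the
demonstration and is not a real capture.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["kind", "detail"])

# Files Yale found on compromised hosts, with the note from the report.
YALE_FILES = {
    r"c:\winnt\system32\svchost16.dll": "config file for DCC?",
    r"c:\winnt\system32\svchost32.dll": "config file for DCC?",
    r"c:\winnt\system\lsass.exe": "Serv-U FTP server",
    r"c:\winnt\system\dllcache.dll": "PID?",
    r"c:\winnt\system\svchost.exe": "IRC proxy/bot server",
    r"c:\winnt\system\sys32.dll": "unknown",
    r"c:\winnt\system\sys32.dll.bkup": "unknown",
    r"c:\winnt\system\winlogon.exe": "FireDaemon utility",
    r"c:\winnt\system32\svchost.dat": "DCC welcome message",
    r"c:\winnt\system32\svchost.dll": "Cygwin DLL",
}
# File names from the UT Austin Eggdrop report (no directory given, so match by name).
UT_FILE_NAMES = {"injectt.exe", "inject.exe", "tback.dll", "tinject.dll"}
# Bogus FireDaemon-run services from the Yale report (short name -> display name).
BOGUS_SERVICES = {"WIN2K": "Cryptographic Services Helper",
                  "SETUP32": "Windows Time Helper"}
# Listening ports and IRC servers named in the thread.
LISTEN_PORTS = {8079: "Serv-U FTP (Yale, first variant)",
                81: "Serv-U FTP (Yale, after 8079 was blocked)",
                145: "Eggdrop backdoor (UT Austin)",
                2583: "Eggdrop backdoor (UT Austin)"}
IRC_SERVERS = {"63.168.242.220": "220.kireircd-biteme",
               "209.126.201.99": "desire.of.hotgirlz.org"}
# The genuine NT/2000 binaries with these names live in system32; the trojan
# dropped look-alikes in C:\WINNT\system, so flag the names anywhere else.
SYSTEM32_ONLY = {"lsass.exe", "svchost.exe", "winlogon.exe"}
SYSTEM32_PREFIX = "c:\\winnt\\system32\\"
# Constructed threshold: this many half-open outbound SMB connections at once
# is treated as the password-guessing spread described by Yale.
SPREAD_445_THRESHOLD = 3

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\S+)")


def check_files(paths):
    """Match a list of full file paths against the file indicators."""
    findings = []
    for p in paths:
        low = p.lower()
        name = low.rsplit("\\", 1)[-1]
        if low in YALE_FILES:
            findings.append(Finding("file", f"{p} ({YALE_FILES[low]})"))
        elif name in UT_FILE_NAMES:
            findings.append(Finding("file", f"{p} (Eggdrop component)"))
        elif name in SYSTEM32_ONLY and not low.startswith(SYSTEM32_PREFIX):
            findings.append(Finding("file", f"{p} (system binary name outside system32)"))
    return findings


def check_services(services):
    """services: iterable of (short_name, display_name) from the service table."""
    return [Finding("service", f"{n} ({d})") for n, d in services
            if n.upper() in BOGUS_SERVICES]


def check_netstat(lines):
    """Scan 'netstat -an' style lines for backdoor listeners, IRC C2 and SMB spread."""
    findings, half_open_445 = [], 0
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lport, state = int(m["lport"]), m["state"].upper()
        if state == "LISTENING" and lport in LISTEN_PORTS:
            findings.append(Finding("listener", f"TCP {lport}: {LISTEN_PORTS[lport]}"))
        if m["raddr"] in IRC_SERVERS:
            findings.append(Finding("irc", f"{m['raddr']} ({IRC_SERVERS[m['raddr']]}) port {m['rport']}"))
        if m["rport"] == "445" and state == "SYN_SENT":
            half_open_445 += 1
    if half_open_445 >= SPREAD_445_THRESHOLD:
        findings.append(Finding("spread", f"{half_open_445} half-open outbound TCP 445 connections"))
    return findings


def triage(paths, services, netstat_lines):
    """Combine all three checks into one list of findings for the host."""
    return check_files(paths) + check_services(services) + check_netstat(netstat_lines)


# Constructed sample host data (not a real capture).
SAMPLE_FILES = [
    r"C:\WINNT\system32\lsass.exe",        # legitimate location
    r"C:\WINNT\system\lsass.exe",          # renamed Serv-U (Yale)
    r"C:\WINNT\system\winlogon.exe",       # FireDaemon (Yale)
    r"C:\WINNT\system32\svchost.dat",      # DCC welcome message (Yale)
    r"C:\Program Files\Tools\svchost.exe", # system binary name in the wrong place
    r"C:\WINNT\system32\tinject.dll",      # Eggdrop injector DLL (UT Austin)
    r"C:\WINNT\system32\kernel32.dll",     # legitimate
]
SAMPLE_SERVICES = [("Eventlog", "Event Log"),
                   ("WIN2K", "Cryptographic Services Helper"),
                   ("setup32", "Windows Time Helper")]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:2583           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    10.0.0.5:1084          209.126.201.99:6667    ESTABLISHED",
    "  TCP    10.0.0.5:1090          10.0.0.9:445           SYN_SENT",
    "  TCP    10.0.0.5:1091          10.0.0.10:445          SYN_SENT",
    "  TCP    10.0.0.5:1092          10.0.0.11:445          SYN_SENT",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_NETSTAT):
        print(f"[{f.kind}] {f.detail}")
```

The port checks deserve a caveat: TCP 81 is a legitimate alternate HTTP port on some hosts, so a listener there is only interesting together with the other findings, and the exact file paths will differ on machines where the system root is not C:\WINNT. The out-of-place system-binary check and the burst of half-open SMB connections are the two signals that survive a change of port numbers or IRC server, which is exactly what Yale saw after blocking the first set.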

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
