Educause Security Discussion mailing list archives
Re: Eggdrop Backdoors on TCP 145 and 2583
From: Jeni Li <jeni.li () ASU EDU>
Date: Sun, 18 Jan 2004 11:30:05 -0700
FWIW, here are the whois records from ARIN for those IPs.

----------------------
63.168.242.220

OrgName: KIREnet Communications
OrgID: KIRENE-1
Address: po box 513
City: DIGHTON
StateProv: MA
PostalCode: 02751
Country: US

NetRange: 63.168.242.0 - 63.168.243.255
CIDR: 63.168.242.0/23
NetName: FON-106803660850962
NetHandle: NET-63-168-242-0-1
Parent: NET-63-160-0-0-1
NetType: Reassigned
Comment:
RegDate: 2000-06-02
Updated: 2000-06-02

TechHandle: EMS2-ARIN
TechName: Soroka, Erik
TechPhone: +1-877-547-3638
TechEmail: erik () kirenet com

----------------------
209.126.201.99

OrgName: California Regional Internet, Inc.
OrgID: CALI
Address: 8929A COMPLEX DRIVE
City: SAN DIEGO
StateProv: CA
PostalCode: 92123
Country: US

NetRange: 209.126.128.0 - 209.126.255.255
CIDR: 209.126.128.0/17
NetName: CARI
NetHandle: NET-209-126-128-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ASPADMIN.COM
NameServer: NS2.ASPADMIN.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-03-12
Updated: 2003-07-01

AbuseHandle: ABUSE341-ARIN
AbuseName: Abuse
AbusePhone: +1-858-974-5080
AbuseEmail: abuse () cari net

TechHandle: IC63-ARIN
TechName: California Regional Intranet, Inc.
TechPhone: +1-858-974-5080
TechEmail: sysadmin () cari net

OrgTechHandle: SYSAD5-ARIN
OrgTechName: sysadmin
OrgTechPhone: +1-858-974-5080
OrgTechEmail: sysadmin () cari net
From: "H. Morrow Long" <morrow.long () YALE EDU>
Reply-To: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Sat, 17 Jan 2004 15:21:44 -0500
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Eggdrop Backdoors on TCP 145 and 2583

Cam -

We haven't seen that particular MO (but will be on the lookout for it now).

What we did see in the past week was a compromise of a good number of PCs which had weak or blank passwords for administrative level accounts.

The specifics were:

They were initially running a rogue Serv-U FTP service at TCP port 8079 as well as an IRC proxy/bot. In addition they were connected to an IRC server on the Internet (63.168.242.220, which has a PTR rec to canonical DNS name "220.kireircd-biteme", which is not a real FQDN...).

When we blocked access to TCP port 8079 inbound as well as access to IP address 63.168.242.220 ("220.kireircd-biteme") we noticed that the compromised "zombie" PCs switched over to running the Serv-U FTP server at TCP port 81 instead and connected to a different IRC server to receive their commands (IP address 209.126.201.99, DNS canonical name desire.of.hotgirlz.org, which also has a CNAME I won't list here or this message won't make it through a lot of message filters).

We primarily found this unnamed "worm/trojan" infection affecting NT 4.0 Workstation and Windows 2000 Professional PCs, though there may have been an XP Pro PC (we are still checking).

We caught on tape the infected PCs attempting to connect to TCP port 445 (microsoft-ds) on other PCs on our network and log in as administrator using a number of guessed passwords -- and therefore believe this is the primary vector of infection.

On compromised machines we found the following files associated with the attack:

C:\WINNT\system32\svchost16.dll (config file for DCC?)
C:\WINNT\system32\svchost32.dll (config file for DCC?)
C:\WINNT\system\lsass.exe (Serv-U FTP server)
C:\WINNT\system\dllcache.dll (PID?)
C:\WINNT\system\svchost.exe (IRC proxy/bot server)
C:\WINNT\system\sys32.dll (unknown)
C:\WINNT\system\sys32.dll.bkup (unknown)
C:\WINNT\system\winlogon.exe (FireDaemon utility - see http://www.firedaemon.com/ )
C:\winnt\system32\svchost.dat (DCC welcome message)
C:\winnt\system32\svchost.dll (Cygwin DLL)

The bogus winlogon.exe was a utility named firedaemon which was used to run processes as two bogus 'services' (which we believe were used in breaking into add'l PCs on the network and propagating):

WIN2K (Cryptographic Services Helper)
SETUP32 (Windows Time Helper)

Norton, McAfee, etc. had no record of this worm / trojan combo.

David Snyder, Matt Regan, Allison MacFarlan and several others at Yale worked to assemble the above information.

- H. Morrow Long
Director - Information Security Office
Yale University, ITS

On Jan 17, 2004, at 12:54 PM, Cam Beasley, ISO wrote:

Anyone found Eggdrop backdoors listening on TCP 145 or 2583 in the past 3-4 days?

TCP 145: [Login:]
TCP 2583: [Microsoft Update listner...]

The files common are:
- injectt.exe (or inject.exe)
- tback.dll
- tinject.dll

The backdoor is injected into LSASS.exe in all of my examples.

More on this Trojan at:
# http://www.megasecurity.org/trojans/w/wineggdrop/Wineggdropshell_eternity.html
# http://securityresponse.symantec.com/avcenter/venc/data/backdoor.eggdrop.html

Just curious, b/c I have found a few and I'm trying to confirm the attack vector.

~cam.

Cam Beasley
ITS - Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To: - abuse () utexas edu
---------------------------

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
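The indicators in the two posts above (the IRC command hosts, the rogue Serv-U ports 8079 and 81, the Eggdrop listeners on 145 and 2583, and the TCP/445 administrator-guessing fan-out) can be turned into a simple detection pass over connection logs. The following is an added example, not code from either poster; the flow-log line format, the sample flows and the fan-out threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the thread: IRC command servers, rogue Serv-U ports,
# Eggdrop listener ports. Port 81 can be legitimate HTTP, so review before acting.
C2_HOSTS = {"63.168.242.220", "209.126.201.99"}
ROGUE_FTP_PORTS = {8079, 81}
EGGDROP_PORTS = {145, 2583}
SMB_FAN_OUT = 5  # assumed threshold: distinct hosts hit on tcp/445 by one source

# Hypothetical flow-log layout: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def parse_flow(line):
    """Parse one flow line into a dict, or None if it does not match the layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}

def scan_flows(lines):
    """Return (kind, suspect_host, detail) tuples; the suspect is the likely infected PC."""
    alerts = []
    smb_targets = defaultdict(set)          # src -> set of hosts it touched on tcp/445
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "TCP":
            continue
        if f["dst"] in C2_HOSTS:            # internal host talking to a known IRC server
            alerts.append(("irc-c2", f["src"], f["dst"]))
        if f["dport"] in ROGUE_FTP_PORTS:   # someone using the rogue FTP service on a host
            alerts.append(("rogue-ftp", f["dst"], f"from {f['src']}"))
        if f["dport"] in EGGDROP_PORTS:     # someone reaching an Eggdrop backdoor listener
            alerts.append(("eggdrop", f["dst"], f"from {f['src']}"))
        if f["dport"] == 445:
            smb_targets[f["src"]].add(f["dst"])
    for src, targets in smb_targets.items():  # password guessing spreads host to host
        if len(targets) >= SMB_FAN_OUT:
            alerts.append(("smb-spray", src, f"{len(targets)} targets on tcp/445"))
    return alerts

# Constructed sample: one zombie (10.1.2.3) plus a benign host (10.1.2.20).
SAMPLE_FLOWS = [
    "2004-01-17 12:01:03 10.1.2.3:1042 -> 63.168.242.220:6667 TCP",
    "2004-01-17 12:01:09 10.1.2.3:1044 -> 10.1.2.10:445 TCP",
    "2004-01-17 12:01:10 10.1.2.3:1045 -> 10.1.2.11:445 TCP",
    "2004-01-17 12:01:10 10.1.2.3:1046 -> 10.1.2.12:445 TCP",
    "2004-01-17 12:01:11 10.1.2.3:1047 -> 10.1.2.13:445 TCP",
    "2004-01-17 12:01:11 10.1.2.3:1048 -> 10.1.2.14:445 TCP",
    "2004-01-17 12:02:30 198.51.100.7:3311 -> 10.1.2.3:8079 TCP",
    "2004-01-17 12:03:00 10.1.2.20:1100 -> 10.1.2.21:445 TCP",
    "2004-01-17 12:03:05 10.1.2.20:1101 -> 10.1.2.9:53 UDP",
    "not a flow line",
]
```

Run `scan_flows(SAMPLE_FLOWS)` to see the three findings for 10.1.2.3; the benign host touches only one machine on 445 and is not flagged.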