Full Disclosure mailing list archives
Server attacks stump Microsoft
From: admin () xenosystems org (Xsecurity.ws)
Date: Thu, 5 Sep 2002 14:29:54 +0100
August 30, 2002
PSS Hacking Alert

The information in this article applies to:
  a. Microsoft Windows 98
  b. Microsoft Windows 98 Second Edition
  c. Microsoft Windows Millennium Edition
  d. Microsoft Windows NT Workstation 4.0
  e. Microsoft Windows NT Server 4.0
  f. Microsoft Windows NT Server, Enterprise Edition 4.0
  g. Microsoft Windows 2000 Professional
  h. Microsoft Windows 2000 Server
  i. Microsoft Windows 2000 Advanced Server
  j. Microsoft Windows 2000 Datacenter Server
  k. Microsoft Windows XP 64-Bit Edition
  l. Microsoft Windows XP Home Edition
  m. Microsoft Windows XP Professional

SUMMARY

The Microsoft Product Support Services (PSS) Security Team is issuing an alert about an increased level of hacking activity that the PSS Security Team has been tracking. The activity seems to involve similar hacking attempts. These hacking attempts show similar symptoms and behaviors. The PSS Security Team has isolated the major similarities. This article lists these similarities, so that you can take any appropriate action to:
  a. Detect these hacking attempts.
  b. Respond to any hacking attempts you detect.

MORE INFORMATION

Impact of Attack

Compromise of computer, denial of service because of security policy changes.

Symptoms

You may experience one or more of the following symptoms:
  a. Possible detection of Trojans such as Backdoor.IRC.Flood and its variants. This might include related Trojans with similar functionality. These Trojans may not necessarily be detected by your antivirus software after the hacker has made modifications to your computer.
  b. Modification of the security policy on domain controllers. Some of the possible effects of a modified security policy are:
     a. Previously disabled guest accounts have been re-enabled.
     b. Changed security permissions on your servers or in Active Directory.
     c. No one can log on to the domain from the workstations.
     d. Cannot open Active Directory snap-ins in the MMC.
     e. Error logs show multiple failed logon attempts from legitimate users who were locked out.

Technical Details

Finding any backdoor Trojan indicates that the server is extremely vulnerable to privilege escalation and hacking. The following files and programs have also been found on the computers that have been compromised:
  a. Gg.bat: attempts to connect to other servers as 'administrator', 'admin', or 'root'. It then looks for Flashfxp and Ws_ftp on the server, and then copies several files including Ocxdll.exe to the server. Gg.bat then uses the Psexec program to execute commands on the remote server.
  b. Seced.bat: changes the security policy.
  c. Nt32.ini
  d. Ocxdll.exe
  e. Psexec
  f. Ws_ftp
  g. Flashfxp
  h. Gates.txt

If these files are found on your computer and they were not installed by you or with your knowledge, run a thorough virus scan with an up-to-date virus-scanning program.

Prevention

As of August 2002, the PSS Security Team has not been able to determine the technique that is being used to gain access to the computer. However, because of the significant spike in activity, the PSS Security Team has determined that these techniques are similar and/or automated in some cases. Fully patched computers that follow security best practices provide the best protection from hacking or other malicious software.

Recovery

Because of the nature of hacking, there is almost no way to fully certify a computer as "clean" of all malicious software or changes that are made during the hack. If you are sure you have been hacked, Microsoft recommends you consult the CERT documentation about how to recover from a root compromise: http://www.cert.org/tech_tips/root_compromise.html

If you believe that you have been hacked, you may want to contact your legal counsel or law enforcement about your legal options.
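The alert above gives two things a responder can act on: a list of file names found on compromised hosts, and the symptom of legitimate users being locked out after bursts of failed logons. The script below is an added example for this page, not Microsoft's code or anything distributed with the alert. It takes the file names from the alert and hunts for them case-insensitively across a directory tree (Windows names are case-insensitive, and the alert lists Psexec, Ws_ftp and Flashfxp without an extension, so those are matched on the file stem), then counts failed logons and lockouts per account over a constructed, simplified Security-log export. The `<timestamp> <event id> <account> <workstation>` record format, the sample records and the sample directory tree are all constructed here; the event IDs 529 (bad user name or password) and 539 (account locked out) are the Windows NT 4.0 / 2000 Security log values and are this example's assumption, since the alert itself names no event IDs.

```python
"""Hunt for the PSS alert's file artifacts and failed-logon bursts.
Added example, not Microsoft's code; log format and event IDs are assumptions."""
import os
import shutil
import tempfile
from collections import Counter

# Files the alert lists by full name; compared lower-cased (Windows is case-insensitive).
ALERT_FILENAMES = {"gg.bat", "seced.bat", "nt32.ini", "ocxdll.exe", "gates.txt"}
# Tools the alert lists without an extension; matched on the file stem.
ALERT_STEMS = {"psexec", "ws_ftp", "flashfxp"}

# Windows NT 4.0 / 2000 Security log event IDs (this example's assumption).
LOGON_FAILURE = "529"   # bad user name or password
ACCOUNT_LOCKED = "539"  # logon failure, account locked out


def is_alert_artifact(filename):
    """True if a bare file name matches one of the alert's artifacts."""
    name = filename.lower()
    stem, _ext = os.path.splitext(name)
    return name in ALERT_FILENAMES or stem in ALERT_STEMS


def hunt_files(root):
    """Walk a tree and return sorted full paths of every alert artifact found.
    PsExec, WS_FTP and FlashFXP are legitimate tools, so a hit is a lead to
    triage against what the owner installed, not proof of compromise."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if is_alert_artifact(f))
    return sorted(hits)


def summarize_failed_logons(log_text, threshold=3):
    """Count logon failures per account and note lockouts.
    Input: constructed '<timestamp> <event id> <account> <workstation>' records.
    Returns ({account: failures} for accounts at/above threshold or locked out,
             sorted list of locked-out accounts)."""
    failures = Counter()
    lockouts = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        _ts, event_id, account, _host = parts
        account = account.lower()
        if event_id == LOGON_FAILURE:
            failures[account] += 1
        elif event_id == ACCOUNT_LOCKED:
            lockouts.add(account)
    suspicious = {a: n for a, n in failures.items() if n >= threshold or a in lockouts}
    return suspicious, sorted(lockouts)


# Constructed sample: a legitimate user (jsmith) and the built-in administrator
# account (one of the names the alert says Gg.bat tries) each locked out after a
# burst of bad passwords; mlee has a single failure and is not interesting.
SAMPLE_SECURITY_LOG = """\
2002-08-29T03:14:07 529 jsmith WKS01
2002-08-29T03:14:08 529 jsmith WKS01
2002-08-29T03:14:09 529 jsmith WKS01
2002-08-29T03:14:10 539 jsmith WKS01
2002-08-29T03:14:11 529 Administrator WKS01
2002-08-29T03:14:12 529 Administrator WKS01
2002-08-29T03:14:13 529 Administrator WKS01
2002-08-29T03:14:14 529 Administrator WKS01
2002-08-29T03:14:15 529 Administrator WKS01
2002-08-29T03:14:16 539 Administrator WKS01
2002-08-29T08:02:44 528 mlee WKS07
2002-08-29T08:05:01 529 mlee WKS07
"""


def build_sample_tree():
    """Create a throwaway tree of constructed files; three match the alert."""
    root = tempfile.mkdtemp(prefix="pss_hunt_")
    for rel in ("WINNT/system32/OCXDLL.EXE", "WINNT/system32/Gg.bat",
                "Program Files/FlashFXP/FlashFXP.exe", "Inetpub/wwwroot/default.htm"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


def run_demo():
    """Hunt the constructed tree and log; return (artifact names, suspicious, lockouts)."""
    root = build_sample_tree()
    try:
        artifacts = sorted(os.path.basename(p) for p in hunt_files(root))
    finally:
        shutil.rmtree(root)
    suspicious, lockouts = summarize_failed_logons(SAMPLE_SECURITY_LOG)
    return artifacts, suspicious, lockouts


if __name__ == "__main__":
    names, bad, locked = run_demo()
    print("alert artifacts:", names)
    print("accounts to check:", bad)
    print("locked out:", locked)
```

On a real host you would point `hunt_files` at the system and program directories and feed `summarize_failed_logons` an export of the Security log in the same four-field shape. A locked-out account is reported regardless of the failure threshold, because the alert's symptom is the lockout itself, not any particular count.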