Security Incidents mailing list archives

NT Compromise

From: Eric Hines <eric3+ () pitt edu>
Date: Wed, 19 Dec 2001 14:45:43 -0500

Hey all,

I am responding to several compromised NT boxes and am trying to find a
utility that will allow you to see what program is bound to a particular
port. I think I've seen one that shows what ports are bound to
command.com, but need something similar for other programs/trojans/etc.
Is there something available? Has anyone seen a compromised NT box with
port 6667 open that does not seem to be running an IRCD? Check out the
below snippit from netstat. I've tried connecting to the 6667 port with
MiRC.. Nothing at all! I need to find out what process/application
opened this port. On this note, can anyone recommend a good forensics
toolkit for Windows to be used on compromised machines?

C:\ netstat -an
-- snip --
TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
-- snap --

2nd Problem: Does anyone know what the REDIRECTOR in WindowsNT/2000 is?
I am seeing a compromised NT box full of such logs in the event/security
viewer. Logs have been pasted below. Notice all of the different
hostnames/machines its attempting to access. Add 70 something other
machines to the below list. What is it and is this a sign of a definate
compromise?

12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to ANITRA-00.
12/17/01 1:10:41 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to SRFS-PDC.
12/17/01 1:09:31 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to GODZILLA.
12/17/01 1:08:21 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to SDMWWW.
12/17/01 1:07:11 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to EXCHANGE.
12/17/01 1:06:01 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to PICASSO.
12/17/01 1:04:51 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to PITT-TV3.
12/17/01 1:03:51 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to COMPUTERZ.
12/17/01 1:02:36 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to SDMGENETICS1.
12/17/01 1:01:36 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to BOHNER2.
12/17/01 1:00:36 PM Rdr Warning None 3013 N/A INTERACT The redirector
has timed out a request to CALIBAN.

Please advise!
Eric

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

NT Compromise Eric Hines (Dec 19)
- RE: NT Compromise Jignesh Pathak (Dec 19)
  - RE: NT Compromise Matthew Leeds (Dec 19)
- Re: NT Compromise Nexus (Dec 19)
- Re: NT Compromise H C (Dec 20)
- Re: NT Compromise Paulo Braga (Dec 20)
- <Possible follow-ups>
- Re: NT Compromise Christine Merey (Dec 19)
- NT Compromise MALIN, ALEX (PB) (Dec 19)