Security Incidents mailing list archives

RE: I think I've been hacked...please help!


From: H C <keydet89 () yahoo com>
Date: Tue, 9 Apr 2002 06:03:28 -0700 (PDT)

Jamie

> Netstat reveals anywhere from 5 to 15 hosts
> connecting within seconds of boot.

Can you pipe the output to a file and post it?  Your
above statement is very indefinite...for example, what
domains/countries are these hosts from?  What port are
they connecting to on the "victim" system, or is the
"victim" system connecting to them?  
 
> When I scan the machine using something like Retina,
> I get nothing
> unusual...139 (bad, I know) 1025, etc.  No high
> ports.

First off, port scanning the machine from the outside
does no good whatsoever.  I've been saying that in
posts on this list, as well as Security-Basics, for
quite a while.
 
> I did install ZA and found win.exe doing most of the
> damage so I "adjusted"
> ZA to reduce the number of connections.

> I'm going back today to run Fport and others to try
> to determine more
> info....I now believe that this is something new or
> a significant variation of several older exploits.

Okay, this is where I tend to get a little concerned. 
I say that b/c as of yet, you really haven't done a
detailed investigation, but you seem to have formed an
opinion of what the issue is.  This will tend to skew
your investigation...since you don't seem to have much
experience performing incident response activities,
it's likely that anything you do will generally be
guided toward proving that hypothesis, rather than
attempting to determine what happened.
 
> Put a sniffer in place last night....going to
> retrieve info today.

What sniffer are you using?  Is it a hardware or
software sniffer?  If it's software (ie, tcpdump,
snort, etc), which system is it running on?
 
> These are all Win2K Pro, looks like they have not
> been patched.....yet....no IIS services.

How have you confirmed this?  I know your first
reaction will be to say, "by looking at the box", but
with regards to an incident response methodology, I
would have to ask "how" you looked at the box?  Did
you check the running services?  
 
> Called some friends at SANS and McAffee....they are
> scratching their heads also.  This is weird.

Probably b/c you haven't pulled together an adequate
amount of info in one place yet.  

I'll give you an example.  In the Incident Response
course I teach, one of the lab exercises we run is to
install netcat (nc.exe) on a system, but put it in
c:\winnt\system32 and call it "inetinfo.exe".  The
'trojan' is then launched to listen on port 80.  Most
admins only check the Task Manager and will see
inetinfo.exe running...something they are used to
seeing on systems running IIS.  Every now and then,
one will run netstat and see something listening on
port 80. 

The point is that any file on a system can be called
anything.  An executable file can be given any name
and executed.  Most trojans/backdoors are configurable
to allow them to listen on any arbitrary port. 
Therefore, relying solely on the name of a file, or
the output of netstat or a port scan, can really be
inconclusive.
 
> More to follow.

Hopefully, command output captures and maybe even
packet captures.

For commands, I would recommend the following:

netstat -an (NOTE: add '-o' if using XP)
nbtstat -c
pslist
pulist
listdlls/handle
fport

**If you're really interested in some detailed process
information, go to NTSecurity.nu and get
pmdump.exe...it will dump the process memory for a
designated PID

psservice
drivers.exe (RK)
psuptime
autoruns (from SysInternals...shows the contents of
locations in the file system and Registry that start
programs on system start)
lads (from Heysoft.de...check for alternate data
streams)

DumpSec (you want to get users, user rights, etc)
dir /s /od /ta c:\*
auditpol (From the RK)
DumpEvt or dumpevt.pl
(http://patriot.net/~carvdawg/perl.html)

This is a good place to start.  Since you think you've
already identified the incriminating file (win.exe),
maybe you could make a copy of it (*after* capturing
the MAC times, file owner, permissions, full path, as
well as any reference to the file in the Registry or
any other file on the system) and run it through
strings.exe, depends.exe, and VFI.exe (visual file
information...gets things like version and
manufacturer strings, if available).

Whatever you do end up deciding to do, I'd like to
just ask that you fully document what you do,
particularly if you're looking for help or assistance.
 "I looked at the box" doesn't say
anything...different tools and utilities have
different effects on the system.  For example, it's
better to use tools that are known to *not* alter MAC
times when examining the file system.

If you have any specific questions, please feel free
to drop me a line.
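The post's point that a file name and a netstat listing prove nothing on their own, and that the collected output has to be correlated, can be shown with a small script. What follows is an added example, not code from the original post or from any of the tools it names. It parses `netstat -ano` style output (the '-o' PID column mentioned above) together with a PID-to-image-path inventory of the kind fport or listdlls would give, and flags three things the post describes: a known system binary name running from the wrong directory (the renamed netcat posing as inetinfo.exe), a listener not on an expected (process, port) baseline, and one process holding connections to many distinct remote hosts. The baseline paths and ports and all sample output are constructed assumptions for the demonstration and would be replaced with values taken from a known-good build.

```python
"""Correlate netstat output with a process inventory to flag suspect listeners.

Added example, not part of the original post. Assumes the column layout of
`netstat -ano` (Windows XP and later) and a PID -> image path mapping such as
fport or listdlls would produce. All sample data and baselines are constructed.
"""
from collections import defaultdict
import ntpath  # ntpath so the Windows paths parse correctly on any host OS

# Constructed baseline (hypothetical): where the genuine binary of each name
# lives on this build. None means a kernel pseudo-process with no image path.
EXPECTED_PATH = {
    "inetinfo.exe": r"c:\winnt\system32\inetsrv\inetinfo.exe",
    "svchost.exe": r"c:\winnt\system32\svchost.exe",
    "system": None,
}

# Constructed baseline (hypothetical): (image name, protocol, port) triples that
# are expected to be listening on a Win2K Pro box with no IIS installed.
EXPECTED_LISTENERS = {
    ("system", "TCP", 139), ("system", "TCP", 445), ("system", "UDP", 137),
    ("svchost.exe", "TCP", 135),
}

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1184
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       420
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1031      203.0.113.7:6667       ESTABLISHED     1220
  TCP    192.168.1.20:1032      203.0.113.9:6667       ESTABLISHED     1220
  TCP    192.168.1.20:1033      198.51.100.3:6667      ESTABLISHED     1220
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed process inventory: PID -> image path (what fport/listdlls report).
PROCESS_SAMPLE = {
    4: "system",
    420: r"c:\winnt\system32\svchost.exe",
    1184: r"c:\winnt\system32\inetinfo.exe",   # nc.exe renamed, wrong directory
    1220: r"c:\winnt\system32\win.exe",        # the file named in the post
}


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows have no state
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def local_port(addr):
    return int(addr.rsplit(":", 1)[1])


def remote_host(addr):
    return addr.rsplit(":", 1)[0]


def analyse(netstat_text, processes, fanout_threshold=3):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    remotes_by_pid = defaultdict(set)
    for row in parse_netstat(netstat_text):
        pid = row["pid"]
        path = processes.get(pid, "<unknown>")
        name = ntpath.basename(path).lower()
        if row["state"] == "LISTENING" or row["proto"] == "UDP":
            port = local_port(row["local"])
            expected = EXPECTED_PATH.get(name)
            # Same name as a system binary, but not where that binary lives.
            if expected and path.lower() != expected:
                findings.append(f"pid {pid}: {name} runs from {path}, expected {expected}")
            # Listener not on the baseline, whatever the image is called.
            if (name, row["proto"], port) not in EXPECTED_LISTENERS:
                findings.append(f"pid {pid}: unexpected listener {row['proto']}/{port} owned by {path}")
        elif row["state"] == "ESTABLISHED":
            remotes_by_pid[pid].add(remote_host(row["foreign"]))
    # One process talking to many hosts right after boot is worth a look.
    for pid, hosts in remotes_by_pid.items():
        if len(hosts) >= fanout_threshold:
            findings.append(f"pid {pid}: {processes.get(pid)} connected to "
                            f"{len(hosts)} distinct hosts: {sorted(hosts)}")
    return findings


if __name__ == "__main__":
    for finding in analyse(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(finding)
```

The path check only catches a binary that borrows a known name; a file with a novel name like win.exe is caught by the listener baseline and the fan-out rule instead, which is why all three are needed. Hashing each flagged image and comparing against a known-good build, and recording the MAC times and tool used for every collection step as the post asks, would be the next thing to add.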



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

