Security Incidents mailing list archives
Re: Compromised Win2000 machine.
From: ghb the irrepressible <ghb () drug org>
Date: 29 May 2002 03:42:17 -0000
In-Reply-To: <3CF3E55D.8030702 () drexel edu>

Hello

This post is a perfect example of current script kiddy trends. If you join any of the larger channels on irc.newnet.net, irc.evilsync.net, and so forth, you will see that all of the 'leech fserves' in these channels are compromised windows machines (usually .edu's). I would wager that these groups are hacking win2k boxes on fast networks en masse, using something lame and well known like the Unicode or HTR exploit (for shame!) or possibly the recent .ASP exploit.

These groups are compiling their own rootkit/backdoors from well-documented open source utilities such as DSNX (www.dataspy.net). The main function of these backdoors, as you have seen, is to provide remote FTP access to the compromised host (for uploading more 0day warez and DIVX movies), run an identd server if required, and connect to a pre-configured IRC network and channel. The server then acts as an irc Fserve, allowing anyone in the channel to queue up files to download.

I would also wager that port 99 is a copy of ncx99.exe - this was used as the default bindport for a couple of win32 exploits (original iishack?). It is a modified version of nc.exe configured to spawn a cmd.exe shell on port 99. This simple backdoor is favored by script kiddies and the like because it does not require any command line arguments.

These groups often advertise their efforts in the channel topics on irc.newnet.net - ">100 .edu 100mbit bots! Leech! Latest releases!" They also advertise "we need couriers, dumps, carders, rooters (?), coders and rippers - contact XYZWareZGuy!"

Maybe someone should join these channels, #warez-excell etc, and scan all the fserve hosts for ports 99 and 4160... if port 99 is indeed a netcat/cmd.exe backdoor, a script could be written to mass-patch or disable these IRC bots ;) They deserve it for being so damn open about their activities. Warez kids used to have a clue!

i remain
ghb
Today I found a windows machine located in our dorms that had been compromised, but unlike most of the compromised machines I see come out of the dorms the Admin password was actually set and it was set to something other than NULL or Administrator. The attacker set up 2 Serv-U ftpds on the host on high ports, 23432 and 65531 to be exact; they also installed a warez eggdrop bot that connects to the newnet IRC Network and serves via the #warez-excell channel.
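The two posts above describe the same footprint: an FTP daemon bound to unusual high ports, a cmd.exe-spawning listener on port 99, an optional identd, and an outbound session to an IRC network. The following triage script is an added example, not code from either poster; it parses saved `netstat -an` output from a Windows 2000 host and flags listeners and sessions that match that footprint. The baseline port set, the IRC port range, and the sample netstat text (with RFC 5737 documentation addresses) are all constructed assumptions for illustration.

```python
"""Triage saved `netstat -an` output for the warez-bot footprint described in the thread.

Added example (not from the mailing list post). Run against a text file captured
from the suspect host, e.g. `netstat -an > netstat.txt` on the Win2000 box.
"""
import re
import sys
from dataclasses import dataclass

# Ports named in the thread: Serv-U on 23432/65531, ncx99 (nc.exe + cmd.exe) on 99, and 4160.
KNOWN_BACKDOOR_PORTS = {99, 4160, 23432, 65531}
# Assumed baseline for a stock Win2000 server with IIS; adjust to the host's real role.
BASELINE_LISTENERS = {21, 25, 80, 135, 139, 443, 445}
# Common IRC server ports (assumed range; eggdrop and DSNX bots default into it).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample in the layout of Windows 2000 `netstat -an` (addresses are documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23432          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:65531          0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1043          198.51.100.7:6667      ESTABLISHED
  TCP    10.1.2.3:23432         203.0.113.9:3312       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Finding:
    kind: str        # backdoor-port | unexpected-listener | irc-connection | backdoor-session
    proto: str
    local_port: int
    remote: str      # "-" for listeners, "addr:port" for sessions
    reason: str


def parse_netstat(text):
    """Return (proto, local_addr, local_port, remote_addr, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append((proto, laddr, int(lport), raddr, rport, state or ""))
    return rows


def triage(text, baseline=BASELINE_LISTENERS):
    """Flag listeners outside the baseline and sessions that look like bot traffic."""
    findings = []
    for proto, laddr, lport, raddr, rport, state in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING":
            if lport in KNOWN_BACKDOOR_PORTS:
                findings.append(Finding("backdoor-port", proto, lport, "-",
                                        f"port {lport} is a port named in the incident thread"))
            elif lport not in baseline:
                findings.append(Finding("unexpected-listener", proto, lport, "-",
                                        f"port {lport} is not in the host baseline"))
        elif state == "ESTABLISHED":
            remote = f"{raddr}:{rport}"
            if rport.isdigit() and int(rport) in IRC_PORTS:
                findings.append(Finding("irc-connection", proto, lport, remote,
                                        "outbound session to an IRC server port"))
            elif lport in KNOWN_BACKDOOR_PORTS:
                findings.append(Finding("backdoor-session", proto, lport, remote,
                                        f"remote client attached to suspicious port {lport}"))
    return findings


if __name__ == "__main__":
    # Read a captured netstat file if given, otherwise demonstrate on the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for f in triage(data):
        print(f"{f.kind:20} {f.proto} local:{f.local_port:<6} remote:{f.remote:22} {f.reason}")
```

The identd listener on 113 is only reported as an unexpected listener, since the post says it is optional; the established session on 23432 is reported separately from the listener so that a responder can see that a remote party is actively using the rogue FTP daemon, not just that it is bound.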
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com