Security Incidents mailing list archives

Re: Compromised Win2000 machine.


From: ghb the irrepressible <ghb () drug org>
Date: 29 May 2002 03:42:17 -0000

In-Reply-To: <3CF3E55D.8030702 () drexel edu>

Hello

This post is a perfect example of current script kiddy 
trends. If you join any of the larger channels on 
irc.newnet.net, irc.evilsync.net, and so forth, you will 
see that all of the 'leech fserves' in these channels are 
compromised windows machines. (usually .edu's).

I would wager that these groups are hacking win2k boxes on 
fast networks en masse, using something lame and well 
known like the Unicode or HTR exploit (for shame!) or 
possibly the recent .ASP exploit.

These groups are compiling their own rootkit/backdoors from 
well-documented open source utilities such as DSNX 
(www.dataspy.net). The main function of these backdoors, as 
you have seen, is to provide remote FTP access to the 
compromised host (for uploading more 0day warez and DIVX 
movies), run an identd server if required, and connect to a 
pre-configured IRC network and channel. The server then 
acts as an irc Fserve, allowing anyone in the channel to 
queue up files to download.

I would also wager that port 99 is a copy of ncx99.exe - 
this was used as the default bindport for a couple of win32 
exploits (original iishack?) It is a modified version of 
nc.exe configured to spawn a cmd.exe shell on port 99. This 
simple backdoor is favored by script kiddies and the like 
because it does not require any command line arguments.

These groups often advertise their efforts in the channel 
topics on irc.newnet.net - ">100 .edu 100mbit bots! Leech! 
Latest releases!" They also advertise "we need couriers, 
dumps, carders, rooters (?), coders and rippers - contact 
XYZWareZGuy!"

Maybe someone should join these channels, #warez-excell 
etc, and scan all the fserve hosts for ports 99 and 4160... 
if port 99 is indeed a netcat/cmd.exe backdoor, a script 
could be written to mass-patch or disable these IRC bots ;)

They deserve it for being so damn open about their 
activities. Warez kids used to have a clue!

I remain

ghb


> Today I found a windows machine located in our dorms that had been
> compromised, but unlike most of the compromised machines I see come out
> of the dorms the Admin password was actually set and it was set to
> something other than NULL or Administrator. The attacker set up 2
> Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact,
> they also installed a warez eggdrop bot that connects to the newnet IRC
> Network and serves via the #warez-excell channel.
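A scanner along the lines ghb sketches above, as an added example and not code from anyone in this thread: it connects to the ports named in the thread (99 and 4160 for the bind shell, 23432 and 65531 for the Serv-U ftpds), reads whatever the listener sends before the client says anything, and labels it as a cmd.exe shell, an FTP greeting, a silent listener or something unknown. The function names, the port lists, the cmd.exe and Serv-U banner text and the in-process fake listener are this example's own assumptions, constructed so the script runs offline against 127.0.0.1; nothing here is captured from a real host. It only identifies listeners, it does not try to patch or disable anything, and it should only be pointed at hosts you are authorized to test.

```python
"""Added example (not code from the thread): probe hosts for the ncx99-style
cmd.exe bind shell on port 99 and the other ports named in the post, read
whatever the listener sends, and classify it.  Function names, the port
lists and the banner text are this example's own assumptions; the fake
listener exists only so the script runs offline against 127.0.0.1.
Only point it at hosts you are authorized to test."""
import re
import socket
import socketserver
import threading

# Ports from the thread: 99 (ncx99, i.e. netcat bound to cmd.exe) and 4160
# are the ones ghb proposed scanning; 23432 and 65531 were the Serv-U ftpds
# found on the compromised dorm machine.
BACKDOOR_PORTS = (99, 4160)
SERVU_PORTS = (23432, 65531)

# A bind shell hands you cmd.exe's own startup text: a version line, a
# copyright line and a drive-letter prompt.  Exact wording varies by
# Windows version, so match loosely.
CMD_BANNER_RE = re.compile(rb"Microsoft Windows.*\[Version [0-9.]+\].*\(C\) Copyright", re.DOTALL)
CMD_PROMPT_RE = re.compile(rb"[A-Za-z]:\\[^\r\n]*>\s*$")
FTP_BANNER_RE = re.compile(rb"^220[ -]")  # FTP greeting, e.g. from Serv-U


def classify_banner(data: bytes) -> str:
    """Label the bytes a listener sent before we said anything."""
    if CMD_BANNER_RE.search(data) or CMD_PROMPT_RE.search(data):
        return "cmd.exe shell"
    if FTP_BANNER_RE.match(data):
        return "ftp server"
    if not data:
        return "silent"          # listening, but waits for client input first
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read up to 1 KiB of banner, and classify it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-connect"      # refused, filtered or unreachable
    with sock:
        sock.settimeout(timeout)
        buf = b""
        try:
            while len(buf) < 1024:
                chunk = sock.recv(1024 - len(buf))
                if not chunk:
                    break        # peer closed after sending its banner
                buf += chunk
        except socket.timeout:
            pass                 # a shell that printed its prompt now waits for a command
    return classify_banner(buf)


def scan(hosts, ports=BACKDOOR_PORTS + SERVU_PORTS, timeout: float = 3.0) -> dict:
    """Probe every host/port pair; returns {(host, port): label}."""
    return {(h, p): probe(h, p, timeout) for h in hosts for p in ports}


class FakeCmdShell(socketserver.BaseRequestHandler):
    """Constructed stand-in for an ncx99 listener: it emits a cmd.exe-like
    banner and hangs up.  The text is modelled on what Windows 2000's cmd.exe
    prints at startup, not captured from any real host."""
    BANNER = (b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
              b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n"
              b"C:\\WINNT\\system32>")

    def handle(self):
        self.request.sendall(self.BANNER)


def start_fake_shell(port: int = 0):
    """Start the fake listener on 127.0.0.1; port 0 lets the OS pick one."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", port), FakeCmdShell)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_shell()
    try:
        for (host, p), label in scan(["127.0.0.1"], ports=(port,)).items():
            print(f"{host}:{p} -> {label}")
    finally:
        srv.shutdown()
        srv.server_close()
```

The classifier keys on what the listener volunteers: a real bind shell prints cmd.exe's banner and prompt the moment you connect, an FTP daemon greets with a 220 line, and a listener that says nothing until spoken to is reported as "silent" rather than guessed at. Against real hosts, replace the fake-listener call in `__main__` with `scan(hostlist)` and treat "cmd.exe shell" hits as the ones worth reporting to the owning site.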

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
