Re: looking for help

[tina helbig <t.helbig () ecu edu au>]

In-Reply-To: <01c201c3a2d4$75b812b0$1208e592@MARS>

I too have had a similar incident on one of our Win2k servers but have not been able to define exactly what went on. 

We had a report of the following showing up in the logs - 
Oct 12 00:12:03 DENY proto tcp x.x.x.x:2984 167.28.103.30:4898 L=48 S=0x00 I=4343 F=0x4000 T=101 SYN
Oct 12 00:12:06 DENY proto tcp x.x.x.x:2984 167.28.103.30:4898 L=48 S=0x00 I=4848 F=0x4000 T=101 SYN

The following was found on this system.

WinLog
This executable was found to be running and I would suspect that it is not a valid winlog.exe file. This is usually 
placed on the system for observing sessions (keystroke logger?).

EventLog
This executable was found to be running and I would suspect that it is not a valid eventlog.exe file. I believe that it 
was there as an event log modifier so that certain events will not appear in the logs.

Fport
This file was on the server and is sometimes installed with the WinLog.exe and EventLog.exe.  In the case of a rogue 
fport.exe its usual functionality is to hide the rogue ports that are open.

Serv-U FTP was found to be installed and running on the server listening on port 8000.  Users listed in the ini file 
were Crew, MMC and leech3r.  Logging and associated log files were set to off.


r_server.exe possibly a RAT (Remote Administration Trojan).  As Symantec AntiVirus  did not find any viruses on the 
system, I can only assume that it was an installed RAT as apposed to a RAT dropped by a virus.  The installation batch 
file for this process is named lolipop.bat which carries out a silent install.  On my initial investigation the 
r_server process was not running and did not show up in the open ports listing.  After a reboot however it appeared as 
a running process listening on TCP port 8150.  There were numerous references to it in the registry.

mss .ini file which displayed the settings for P2P file sharing.

dir.mk.cmd which was a batch file that created a hidden directory “tracking”.  Within this directory it created 
directories \com1\lpt2\com1\a\ and then two directories stuff and curry.

Registry Entries (Spyware?)
Under the registry sub-tree [\HKEY_USERS\*SID Admin*\Software\Microsoft\Internet Explorer] the following was found.  It 
may be that there is or has been a spyware program on the server as there were references to “Explorer Bars”.

nmap reported the following open ports - 

SMTP mail server on port 25.
DNS Server on port 53.
IIS Web Server on port 80.
LDAP Server on port 389.
IIS Secure Web Server on port 443.
ncacn_http on port 593
Terminal Services port 3389
VNC Web Server on port 5800.
IIS Web Server on port 5838.
WinVNC http on port 5900
VNC protocol on port 5900
Serv-U ftpd on port 8000

Ethereal analysis of traffic appeared to be normal session traffic although of a limited nature due to being connected 
to a disabled port.

 
 





> We have recently discovered several hacked machines on our campus and have
> so far not been able to determine what vulnerability has been exploited. We
> have not been able to find references to this anywhere we have looked.
>
> The original breakin evidently occurred in June or on July 1st.  A file
> called "hax.bat" was placed on the victim machines, and the scheduler was
> set to invoke it.  Hax.bat was evidently invoked late Oct. 4 or early Oct. 5
> and this program installed several things including a keyboard logger
> (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on
> port 81 and/or 43958, and an account was created called AdminBackupexec, a
> remote admnistration server called r_server was installed. The last line in
> the file
> "hax.bat" was supposed to delete the file, but we found one victim machine
> on which delete failed, so have a copy of this file.
> In addition, virus software and firewall software was stopped.  Activation
> of the ftp service occurred on Oct. 15.  These systems have also been seen
> to begin scanning for real servers and apache vulnerabilities.
> We have not been able to find information on this on the internet, and since
> the original breakin seems to have been June or July, we do not have
> sufficient logs going back that far.  We also don't have the expertise that
> others have.  If anyone has a clue about this, we would appreciate any
> tidbit of information.
> Joyce Looger, Tony Wenden, Jerry Brown
> Computer and Network Services
> Universiy of Alabama in Huntsville
> 824-2607
>
>
> ---------------------------------------------------------------------------
> Network with over 10,000 of the brightest minds in information security
> at the largest, most highly-anticipated industry event of the year.
> Don't miss RSA Conference 2004! Choose from over 200 class sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_incidents_031023
> and use priority code SF4.
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------