Security Incidents mailing list archives
Re: compromised machines
From: "Brian Eckman" <eckman () umn edu>
Date: Thu, 26 Aug 2004 18:43:58 -0500
Are you sure they were compromised "through" IRC bots, or just that they had them installed? It wouldn't surprise me if they were running bots, but I'd guess they were XDCC bots to serve up the Warez, and not something like Agobot, Polybot or Spybot, which compromise computers. They were probably compromised via weak Windows account passwords. This is pretty common in the FxP scene. They get a hold of one host in your network, then install a backdoor like VNC, Radmin or even the built-in Windows Telnet Server (sometimes configured to run on a high port), then use that computer to launch attacks at the rest. This prevents your edge IDS from noticing the mass amounts of password guessing.

AntiVirus won't detect their kits, because there is nothing malicious in them. Eggdrop (or similar), ServU FTP (most common, but occasionally another will be used), psexec and Radmin are good admin tools. It's just unfortunate when someone who shouldn't be an admin installs them on your box.

The Windows 2000 boxes might be probed for a list of user accounts and have a list of passwords thrown at all of the accounts that are a member of the Administrators account. This is simple, as Windows 2000 by default allows the enumeration of users and groups via a null session. This makes them much easier targets, as they might have a very difficult to guess Administrator account, but when the username is joeblow and the password is joeblow, and that user is a member of the administrators group, it becomes trivial for these folks to compromise it. Windows XP is a little tougher, as the enumeration of users and groups via a null session is turned off by default. However, it is extremely likely that an account called "administrator" exists and is a member of administrators, so they will typically throw guesses at that account when they can't get a list of usernames.
If they crack a multi user computer (Windows 2000 Server comes to mind), they will sometimes run pwdump2 or pwdump3 to get a list of hashes, then try to obtain the other user accounts' passwords that way. Then, they'll add those passwords to their dictionary. Also, their scanning tool typically tries the username as the password, so if you have a username not in their dictionary, but their password is the same as their username, it'll get 0wned, and they'll add that to their dictionary too.

To catch them accessing their FTP backdoor (hey, prevention is ideal, but detection is a *must*), add a Snort rule similar to this:

alert tcp $EXTERNAL_NET 1025: -> $HOME_NET !21 (msg: \
"non-standard ftp daemon log in"; content:"USER "; depth:5; offset:0; \
dsize:<25; nocase; classtype:trojan-activity;)

You'll have to tune the above some, as it will have false positives with POP logons and Sasser backdoor attempts, along with others I'm sure. You can always change it to "$HOME_NET 6544", but if they change ports on you, you're blind again.

To prevent this (ideal), implement a password policy. Get approval from management to use the hacker tools against your own network, looking for boxes with weak authentication. Preferably use something like LC5 which won't tell you the password, just that it was broken (CYA). Tell users they have to turn off File and Print sharing unless it is absolutely necessary to do their job. Tell admins to remove the ability of people to enumerate users and groups via a NULL session, on their workstations and servers. Require that server admins remove LANMAN hashes from their server, so when it gets hacked, the SAM file on it isn't a goldmine of passwords, but instead at least makes the attackers work for their keep.
Brian
--
Brian Eckman
Security Analyst
University of Minnesota

----- Original Message -----
From: "Varun Pitale" <varun.pitale () gmail com>
To: <incidents () securityfocus com>
Sent: Thursday, August 26, 2004 1:35 PM
Subject: compromised machines

last week, I had around 78 machines compromised through IRC bots and all of them running a ftp server on port 6544 with the following banner:

220-Serv-U FTP Server v5.0 for WinSock ready...
220-.
220-.
220- ¨¨°º©o.,,.o© HacKed By EvilzCrew ©o.,,.o©º°¨¨
220-.
220-.
220-
220- ---= SERVER ---
220-----> Le Server est Up depuis 0 Jour: 14 Heure: 52 Min
220-----> Nous somme le Saturday 14 August, 2004 il est 14:27:36 Sur le Server
220-
220- ---= TRANSFERTS ---
220-----> Vitesse : moyenne : 0.261 kb/sec
220-----> Download total : 20 Kb
220-----> Upload total : 13977 Kb
220-
220- ---= UTILISATEURS ---
220-----> Votre IP : x.x.x.x
220-----> Vous etes 1 connectes
220-----> TotaL Users Logged In : 6 Users
220-
220- ---= RESPECT THIS STUFF ---

We cleaned up all of these machines and rebuilt each of them from scratch, with all the latest patches. The IDS/IPS at the edge of our network does not seem to be catching the bots which are causing these. After one week, I have 50 machines which are compromised by the same bot, and some of them are the same as the previous list of machines. Now a host-based firewall is a very tough option for us, since we are a university with around 30,000 computers and under different departments. Does anyone know what bots are causing these and any IDS signatures for these? We are using a couple of IDS such as snort and Dragon and Intrushield. Any help for this is appreciated.

I did have a look at one of these machines and from what I see, there are a couple of files which seem to be causing this. There is a csmss.exe file which is listening on the port 6544.. The machine is also running a remote server.
Before csmss.exe, a file ServNT.exe seems to have been executed, which might have caused a sequence of events.. There is a batch file, which using the registry runs a remote admin server at startup. Then we got a number of files which are used to show the banner, hide the files. If I could find out how did they get inside the system, because most of the infected machines were running fully patched Windows XP with latest Norton Antivirus definitions.? All of those machines are running either Windows 2000 professional or XP professional. 2 machines were analysed, one of which was completely patched and had all the latest virus definitions from Norton, another machine was not patched and no virus updates were present.. But the state of affairs at both the machines was the same.. The message sent before contains the details.. On more analysis, I found csmss.exe to be a part of W32.Dedler Trojan.. but how it got inside the system is anyone's guess.. None of them was running IIS.

--
Regards,
Varun
(704)-548-8793 --(Home)
(704)-241-0092 --(Mobile)
mailto: varun.pitale_(at)_gmail_(dot)_com
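The Snort rule in the reply above hinges on four conditions (external source with an ephemeral port, home destination not on port 21, payload under 25 bytes, "USER " at offset 0). The following is an added example, not from the original thread, that re-implements that match logic in plain Python and runs it over constructed packets so the true positive on port 6544, the POP3 false positive Brian mentions, and the blind spot of the "$HOME_NET 6544" variant can each be seen; the addresses, ports and payloads are all constructed.

```python
"""Match logic of the posted 'non-standard ftp daemon log in' Snort rule,
walked through on constructed packets (added example, not from the thread)."""
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed campus range


def matches_rule(src_ip, src_port, dst_ip, dst_port, payload, home_port=None):
    """Mirror: alert tcp $EXTERNAL_NET 1025: -> $HOME_NET !21
       content:"USER "; depth:5; offset:0; dsize:<25; nocase.
    home_port=None keeps the '!21' negation; an int pins the rule to that
    destination port (the "$HOME_NET 6544" variant from the post)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in HOME_NET or dst not in HOME_NET:  # $EXTERNAL_NET -> $HOME_NET
        return False
    if src_port < 1025:                         # '1025:' means sport >= 1025
        return False
    if home_port is None:
        if dst_port == 21:                      # '!21': any port except real FTP
            return False
    elif dst_port != home_port:                 # pinned variant: one port only
        return False
    if len(payload) >= 25:                      # dsize:<25 (short logon lines)
        return False
    # content:"USER "; offset:0; depth:5; nocase -> only the first 5 bytes
    return payload[:5].upper() == b"USER "


# Constructed sample packets: (src, sport, dst, dport, payload)
SAMPLES = {
    "servu_backdoor": ("203.0.113.7", 3310, "192.0.2.15", 6544, b"USER warez\r\n"),
    "pop3_logon":     ("203.0.113.9", 2200, "192.0.2.20", 110,  b"USER jdoe\r\n"),
    "legit_ftp":      ("203.0.113.9", 2201, "192.0.2.21", 21,   b"USER anonymous\r\n"),
    "moved_port":     ("203.0.113.7", 3311, "192.0.2.15", 7777, b"user warez\r\n"),
    "long_payload":   ("203.0.113.7", 3312, "192.0.2.15", 6544, b"USER " + b"a" * 30),
}


def evaluate(home_port=None):
    """Return {sample_name: alerted?} for every constructed packet."""
    return {name: matches_rule(*pkt, home_port=home_port)
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for variant, port in (("!21 rule", None), ("pinned to 6544", 6544)):
        print(variant, evaluate(port))
```

With the `!21` form the POP3 logon and the backdoor moved to port 7777 both alert; pinning to 6544 silences the POP3 noise but also misses the moved backdoor, which is exactly the trade-off the reply describes.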
Current thread:
- compromised machines Varun Pitale (Aug 26)
- Re: compromised machines Brian Eckman (Aug 27)
- Re: compromised machines Scott Weeks (Aug 27)
- Re: compromised machines Mike Lyman (Aug 30)
- Re: compromised machines bob (Aug 31)
- Re: compromised machines Mike Lyman (Aug 30)
- Re: compromised machines Harlan Carvey (Aug 27)
- Re: compromised machines Michael H. Warfield (Aug 30)
- Re: compromised machines Jose Maria Lopez (Aug 30)
- <Possible follow-ups>
- Re: compromised machines soccer4net () netzero com (Aug 27)