Security Incidents mailing list archives
Re: compromised machines
From: Scott Weeks <surfer () mauigateway com>
Date: Thu, 26 Aug 2004 12:13:32 -1000 (HST)
Are you sure they didn't crack the passwords? Do you have 'strong' passwords on the machines?

scott

On Thu, 26 Aug 2004, Varun Pitale wrote:

: Last week, I had around 78 machines compromised through IRC bots and
: all of them running an ftp server on port 6544 with the following
: banner:
:
: 220-Serv-U FTP Server v5.0 for WinSock ready...
: 220-.
: 220-.
: 220- ?????o.,,.o? HacKed By EvilzCrew ?o.,,.o?????
: 220-.
: 220-.
: 220-
: 220- ---= SERVER ---
: 220-----> Le Server est Up depuis 0 Jour: 14 Heure: 52 Min
: 220-----> Nous somme le Saturday 14 August, 2004 il est 14:27:36 Sur le Server
: 220-
: 220- ---= TRANSFERTS ---
: 220-----> Vitesse : moyenne : 0.261 kb/sec
: 220-----> Download total : 20 Kb
: 220-----> Upload total : 13977 Kb
: 220-
: 220- ---= UTILISATEURS ---
: 220-----> Votre IP : x.x.x.x
: 220-----> Vous etes 1 connectes
: 220-----> TotaL Users Logged In : 6 Users
: 220-
: 220- ---= RESPECT THIS STUFF ---
:
: We cleaned up all of these machines and rebuilt each of them from
: scratch, with all the latest patches. The IDS/IPS at the edge of our
: network does not seem to be catching the bots which are causing
: these.
: After one week, I have 50 machines which are compromised by the same
: bot, and some of them are the same as the previous list of machines.
: Now a host-based firewall is a very tough option for us, since we are
: a university with around 30,000 computers under different
: departments. Does anyone know what bots are causing these and any IDS
: signatures for these? We are using a couple of IDS such as Snort,
: Dragon and Intrushield. Any help for this is appreciated.
: I did have a look at one of these
: machines and from what I see, there are a couple of files which seem
: to be causing this.
: There is a csmss.exe file which is listening on the port 6544. The
: machine is also running a remote server.
: Before csmss.exe, a file ServNT.exe seems to have been executed, which
: might have caused a sequence of events.
: There is a batch file, which
: using the registry runs a remote admin server at startup. Then we got
: a number of files which are used to show the banner and hide the files.
: If I could find out how they got inside the system, because most
: of the infected machines were running fully patched Windows XP with
: the latest Norton Antivirus definitions?
: All of those machines are running either Windows 2000 Professional or
: XP Professional.
: 2 machines were analysed, one of which was completely patched and had
: all the latest virus definitions from Norton; another machine was not
: patched and no virus updates were present. But the state of affairs
: at both machines was the same. The message sent before contains
: the details.
: On more analysis, I found csmss.exe to be a part of W32.Dedler
: Trojan, but how it got inside the system is anyone's guess.
:
: None of them was running IIS.
:
: --
: Regards,
: Varun
: (704)-548-8793 --(Home)
: (704)-241-0092 --(Mobile)
: mailto: varun.pitale_(at)_gmail_(dot)_com
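A banner-based check for the pattern Varun describes, added here as an example and not code from anyone in this thread: it parses a captured 220 greeting, then flags a Serv-U banner on a non-standard port, the defacement tag, and the upload-heavy transfer counters that point to a file drop rather than a legitimate server. The sample banner is reconstructed from the quoted one with the decorative characters dropped; the "standard port" set and the upload/download skew threshold are my assumptions.

```python
import re

# Constructed sample: the 220 greeting quoted in the thread, decoration dropped.
SAMPLE_BANNER = """220-Serv-U FTP Server v5.0 for WinSock ready...
220- HacKed By EvilzCrew
220- ---= SERVER ---
220-----> Le Server est Up depuis 0 Jour: 14 Heure: 52 Min
220- ---= TRANSFERTS ---
220-----> Download total : 20 Kb
220-----> Upload total : 13977 Kb
220- ---= UTILISATEURS ---
220-----> TotaL Users Logged In : 6 Users
220 ---= RESPECT THIS STUFF ---
"""
STANDARD_FTP_PORTS = {21}  # assumption: any other port counts as non-standard
UPLOAD_SKEW = 100          # assumption: upload > 100x download suggests a drop site

def parse_banner(raw):
    """Strip the '220-' / '220 ' reply prefixes and return the bare text lines."""
    lines = []
    for line in raw.splitlines():
        m = re.match(r"^220[- ]?(.*)$", line)
        if m:
            lines.append(m.group(1).strip())
    return lines

def transfer_totals(lines):
    """Extract the 'Download total' / 'Upload total' Kb counters as integers."""
    totals = {}
    for line in lines:
        m = re.search(r"(Download|Upload) total\s*:\s*(\d+)\s*Kb", line, re.I)
        if m:
            totals[m.group(1).lower()] = int(m.group(2))
    return totals

def assess_ftp_banner(raw, port):
    """Return the indicators found in a captured greeting; [] means none matched."""
    lines = parse_banner(raw)
    text = "\n".join(lines)
    findings = []
    if port not in STANDARD_FTP_PORTS and "Serv-U FTP Server" in text:
        findings.append(f"Serv-U banner on non-standard port {port}")
    if re.search(r"hacked by", text, re.I):
        findings.append("defacement tag in banner")
    totals = transfer_totals(lines)
    up, down = totals.get("upload", 0), totals.get("download", 0)
    if up > UPLOAD_SKEW * max(down, 1):
        findings.append(f"upload-heavy counters: {up} Kb up vs {down} Kb down")
    return findings
```

The banner text is under the attacker's control, so these strings are a weak indicator on their own; the port and the csmss.exe listener on the host are the parts worth correlating with in an IDS or inventory check.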
Current thread:
- compromised machines Varun Pitale (Aug 26)
- Re: compromised machines Brian Eckman (Aug 27)
- Re: compromised machines Scott Weeks (Aug 27)
- Re: compromised machines Mike Lyman (Aug 30)
- Re: compromised machines bob (Aug 31)
- Re: compromised machines Mike Lyman (Aug 30)
- Re: compromised machines Harlan Carvey (Aug 27)
- Re: compromised machines Michael H. Warfield (Aug 30)
- Re: compromised machines Jose Maria Lopez (Aug 30)
- <Possible follow-ups>
- Re: compromised machines soccer4net () netzero com (Aug 27)