NT Compromise

["MALIN, ALEX (PB)" <am7861 () sbc com>]

Hello Eric,

That's an interesting problem that you have there.  I would say that it is
*possible* at this point that you are working on a box that has been
compromised (especially when one considers that you are sending from a
school email account and one assumes that the machine you are diagnosing is
also in that school network).  There really isn't a file per se that
determines the redirector.  The redirector is a logical system for
determining whether or not resources on a system need to be found by
requesting locally, or requesting remotely.  I can't tell you what exactly
is running on 6667 (though it could be IRC that just isn't responding
because your redirector appears to be broken).  If your redirector is
broken, then it stands a good chance of breaking other apps.  Before you can
diagnose this machine further (to determine what the app is on that port) I
would say that you need to fix the redirector (usually achieved by
reinstalling network drivers and protocols--though a complete restore is
also possibly necessary)... of course, if this machine is to be entered in
as evidence in some sort of legal case, you'll obviously need to back it up
first.

As far as all those security logs go, you should consider that since your
redirector is likely broken, you machine isn't properly able to serve up any
sort of requests (be they netBIOS, NTDS, Kerberos, etc), and is likely
logging all of these failed requests as such.  Of course, this could also be
some other sort of network problem as well... but based on what you're
telling me, that's my guess.  If you get me a little more input, I can
probably produce a little more output for you.

Alex 'the bossman' Malin

-----Original Message-----
From: Eric Hines [mailto:eric3+ () pitt edu]
Sent: Wednesday, December 19, 2001 11:46 AM
To: incidents () securityfocus com
Subject: NT Compromise


Hey all,

I am responding to several compromised NT boxes and am trying to find a
utility that will allow you to see what program is bound to a particular
port. I think I've seen one that shows what ports are bound to
command.com, but need something similar for other programs/trojans/etc.
Is there something available? Has anyone seen a compromised NT box with
port 6667 open that does not seem to be running an IRCD? Check out the
below snippit from netstat. I've tried connecting to the 6667 port with
MiRC.. Nothing at all! I need to find out what process/application
opened this port. On this note, can anyone recommend a good forensics
toolkit for Windows to be used on compromised machines?

C:\ netstat -an
-- snip --
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING
-- snap --



2nd Problem: Does anyone know what the REDIRECTOR in WindowsNT/2000 is?
I am seeing a compromised NT box full of such logs in the event/security
viewer. Logs have been pasted below. Notice all of the different
hostnames/machines its attempting to access. Add 70 something other
machines to the below list. What is it and is this a sign of a definate
compromise?

12/17/01        1:16:26 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to READING. 
12/17/01        1:15:11 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to STEELSRV. 
12/17/01        1:14:01 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to PUBLICSAFETY1. 
12/17/01        1:12:51 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to ANITRA-00. 
12/17/01        1:10:41 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to SRFS-PDC. 
12/17/01        1:09:31 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to GODZILLA. 
12/17/01        1:08:21 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to SDMWWW. 
12/17/01        1:07:11 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to EXCHANGE. 
12/17/01        1:06:01 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to PICASSO. 
12/17/01        1:04:51 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to PITT-TV3. 
12/17/01        1:03:51 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to COMPUTERZ. 
12/17/01        1:02:36 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to SDMGENETICS1. 
12/17/01        1:01:36 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to BOHNER2. 
12/17/01        1:00:36 PM      Rdr     Warning None    3013    N/A
INTERACT        The redirector
has timed out a request to CALIBAN. 


Please advise!
Eric




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com