Security Incidents mailing list archives

TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid


From: Netw3 Security Research <nospamnetw3 () premis lod com>
Date: Sat, 24 Aug 2002 04:19:47 -0500


Greetings. This is a basic analysis and a few questions-

I've come across a system that appears to have been compromised. It is a
Win2K advanced server, and during analysis I found that the DameWare remote
control agent version 3.51.1.0 has been installed, which allows remote GUI
access by an unauthorized party. The DameWare application is running as a
service and listens on TCP port 6129 by default. The attacker has installed
the Dameware server application in the default location
C:\WINNT\SYSTEM32\DWRCS.EXE and DWRCK.DLL. The owner of the executable is
the Administrators group. DWRCS.EXE can be used through command line to
install, uninstall, or change the listening port, so any exploit that would
have allowed the attacker to execute any command line could have been used. 

I downloaded the most recent version of the dameware mini remote control
from their website (dameware.com) and this installation created an icon in
the system tray and introduced several files into the WINNT/System32
directory, as opposed to the two files from version 3.51.1.0. Perhaps the
attacker was unable to perform the full install, or perhaps they had
cleaned their tracks and had forgotten to remove these two associated files.

My attempts to use a current DameWare client to connect to the agent
previously installed by the attacker prompted for various types of
authentication, leading me to believe that an account had been compromised,
either due to poor password choice or from some other method, and that this
account was used to connect to the DameWare agent. However, the agent could
have been a hacked version that does not require authentication, or could
contain some other type of backdoor. As a matter of fact, the server
antivirus app (Netshield) reported the presence of the Backdoor-RQ trojan,
located at C:\WINNT\System32\SRV1984.exe. The file no longer was present on
the system, but I have found a few references to SRV1984 on some
non-English web sites, particularly some sites in China.

http://hongniao.diy.163.com/download/houmen.htm
http://www.sandflee.net/liu/liuyan/index.asp?user=sandflee&page=4

NAI says this about the RQ trojan:

"BackDoor-RQ is a patched copy of the Netcat v1.10 NT application/utility.
This patch causes Netcat to act as a remote console server on port 80 and
suppresses console messages on the server." 

and

"As an isolated program, this trojan must be run manually on the targeted
system. However, BackDoor-RQ is known to be used in conjunction with other
applications and utilities by an attacker. Other programs or trojans may be
used to execute and suppress the window mentioned as a symptom of this
trojan. "

What other applications and utilities are they referring to here? Does
anyone have any more detailed information?

The system was already running IIS on port 80 - of course, the attacker
could have disabled it for a while, then set up the RQ trojan in its place
and then restarted IIS. I also came across two unusual instances of
"IIS.EXE" running on high TCP ports (as seen by fport)

3380  iis            ->  15666 TCP   C:\WINNT\SYSTEM32\iis.exe     
3380  iis            ->  17890 TCP   C:\WINNT\SYSTEM32\iis.exe     

Telnet to port 17890 displays the contents of the
c:\winnt\system32\login.txt file, with connection specific variables
displayed:

220-Hacked By Seminarian
220-=======================================================
220-        Hacked By Seminarian For Team Liquid
220-=======================================================
220-Your IP                     : <sanitized>
220-=======================================================
220-Kb Received                 : 0 kb
220-Kb Send                     : 0 kb
220-=======================================================
220-Average Speed               : 0.000 KB/sec
220-Current Speed               : 0.000 KB/sec
220-Users Connected             : 1
220-Users since ServerStart     : 1
220-=======================================================
220-Free space                  : 2239.41MB MB
220-=======================================================
220-Server Uptime               : 0 Days, 10 Hours
220 =======================================================

Typing HELP reveals the following (looks like an FTP server of sorts)

214- The following commands are recognized (* => unimplemented).
   USER    PORT    RETR    ALLO    DELE    SITE    XMKD    CDUP
   PASS    PASV    STOR    REST    CWD     STAT    RMD     XCUP
   ACCT    TYPE    APPE    RNFR    XCWD    HELP    XRMD    STOU
   REIN    STRU    SMNT    RNTO    LIST    NOOP    PWD     SIZE
   QUIT    MODE    SYST    ABOR    NLST    MKD     XPWD    MDTM


The site was running many unnecessary services, and was behind on its
patches, so there are many ways that an attacker could gain access, however
I was unable to determine the exact course of the attack with all of my
usual methods. More analysis is pending.

If anyone has any further information, or if you have seen this specific
attack or EXE before, or know anything about Team Liquid, please leave a
reply or send an email to my address -nospam above.




Curt Wilson
Netw3 Security Research
www.netw3.com
netw3 () premis lod.c0m
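An added example, not the poster's own tooling: a small Python triage helper that turns the indicators described in this post into checks a responder could run over fport output and an FTP banner. It parses fport-style lines like the two iis.exe entries above, flags a listener on DameWare's default port 6129, a binary whose name matches one of the files found on the host (DWRCS.EXE, DWRCK.DLL, SRV1984.exe, iis.exe), or anything other than IIS's own inetinfo.exe bound to TCP 80 (the port BackDoor-RQ uses). It also collects a multi-line FTP reply and checks it for a "Hacked By" string such as the one in the login.txt banner. The sample fport output and the shortened banner are constructed for the example; the assumption that inetinfo.exe is the legitimate IIS listener on Windows 2000 is mine, not the post's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the post: the DameWare default port and the
# file names observed on the compromised host.
DAMEWARE_DEFAULT_PORT = 6129
SUSPECT_FILENAMES = {"dwrcs.exe", "dwrck.dll", "srv1984.exe", "iis.exe"}
# Assumption: on Windows 2000 the IIS service runs as inetinfo.exe, so any
# other binary bound to TCP 80 deserves a look (BackDoor-RQ is netcat
# patched to listen on 80).
KNOWN_WEB_SERVER_BINARIES = {"inetinfo.exe"}

# One fport line: "3380  iis  ->  17890 TCP   C:\WINNT\SYSTEM32\iis.exe"
# The path is optional because fport prints none for kernel-owned sockets.
FPORT_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(\S.*?))?\s*$"
)


@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty string when fport printed no path


def parse_fport(text: str) -> List[Listener]:
    """Parse fport-style output; the header line and blank lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            listeners.append(Listener(int(pid), proc, int(port), proto, path or ""))
    return listeners


def basename_lower(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_listeners(listeners: List[Listener]) -> List[Tuple[Listener, str]]:
    """Return (listener, reason) pairs for sockets that match an indicator."""
    findings = []
    for l in listeners:
        name = basename_lower(l.path)
        if l.proto == "TCP" and l.port == DAMEWARE_DEFAULT_PORT:
            findings.append((l, "DameWare default listening port"))
        if name in SUSPECT_FILENAMES:
            findings.append((l, f"binary name '{name}' is an indicator from this incident"))
        if l.proto == "TCP" and l.port == 80 and name not in KNOWN_WEB_SERVER_BINARIES:
            findings.append((l, "non-IIS binary bound to TCP 80"))
    return findings


def parse_ftp_reply(raw: str) -> Tuple[Optional[str], List[str]]:
    """Collect one multi-line FTP reply: 'NNN-' lines continue, 'NNN ' ends it."""
    code, lines = None, []
    for line in raw.splitlines():
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            continue
        code = m.group(1)
        lines.append(m.group(3).rstrip())
        if m.group(2) == " ":
            break
    return code, lines


def banner_is_defaced(lines: List[str]) -> bool:
    """True when the banner text carries a defacement tag like 'Hacked By'."""
    return "hacked by" in " ".join(lines).lower()


# Constructed sample in fport's output format: the two iis.exe entries quoted
# in the post plus a legitimate IIS listener and a DameWare agent.
SAMPLE_FPORT = r"""Pid   Process            Port  Proto Path
8     System         ->  445   TCP
856   inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1120  DWRCS          ->  6129  TCP   C:\WINNT\SYSTEM32\DWRCS.EXE
3380  iis            ->  15666 TCP   C:\WINNT\SYSTEM32\iis.exe
3380  iis            ->  17890 TCP   C:\WINNT\SYSTEM32\iis.exe
"""

# Constructed, shortened copy of the banner the post shows on port 17890.
SAMPLE_BANNER = """220-Hacked By Seminarian
220-=======================================================
220-Your IP                     : <sanitized>
220-Server Uptime               : 0 Days, 10 Hours
220 =======================================================
"""

if __name__ == "__main__":
    for l, why in flag_listeners(parse_fport(SAMPLE_FPORT)):
        print(f"pid {l.pid} {l.proto}/{l.port} {l.path or '-'}: {why}")
    code, lines = parse_ftp_reply(SAMPLE_BANNER)
    print("banner", code, "defaced" if banner_is_defaced(lines) else "clean")
```

Run as-is it reports the DameWare listener twice (port and file name), the two iis.exe sockets by file name, and the banner as defaced; feeding it real fport output from a host under investigation is the only change needed. The port-80 check is deliberately narrow: it assumes inetinfo.exe is the only legitimate web listener, so adjust KNOWN_WEB_SERVER_BINARIES for hosts running something else on 80.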



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

