Security Incidents mailing list archives

FireDaemon exploit


From: "Curt Purdy" <Purdy () TecMan com>
Date: Fri, 19 Jul 2002 13:21:47 -0500

We investigated an incident today of a compromised fully patched W2K server
running a DDoS attack sucking up their entire t1.  Entry was gained through
a user account with blank password given "temporary" administrative rights
for installation of a program.
They installed a kit with Servu FTP server and FireDaemon service installer
along with smt, netcat, kill, psservices, info, cygwin1.dll and various
other tools in C:\winnt\system32\spool\w42x86 as their initial location.
Also find start32.bat that deletes C$, IPC$, and Admin$ shares. Find they
installed two illicit services, "Server Adminstrator" and mr2kserv. Find a
scheduled task called AT2 that runs ServUDaemon.ini one time.
Their intentions obviously included providing a warez server. Find that they
had not yet uploaded any files and were using it strictly for DDoS.  Luckily
we caught it within 24 hours of compromise, tipped off by our remote network
monitoring showing unusual outbound traffic at the client.

Curt Purdy MCSE+I, CNE, CCNA, CCDA
Information Security Engineer
DP Solutions
cpurdy () dpsol com

----------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
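
An added triage check that is not part of Curt's post: a defender-side PowerShell script that looks for the indicators he reports (the staging directory under the spooler tree, the two illicit services, the one-shot AT job, and the admin shares that start32.bat deletes), and goes one step further by flagging any service whose binary runs from the spool tree, since FireDaemon is used to wrap arbitrary programs as services. It assumes a modern Windows host with PowerShell 3 or later and uses $env:SystemRoot in place of the post's C:\winnt.

```powershell
# Added example, not from the original post: triage a Windows host for the
# indicators described in the report.
# Assumptions: PowerShell 3+ (Get-CimInstance, Get-SmbShare, Get-ScheduledTask);
# $env:SystemRoot stands in for the post's C:\winnt.

$findings = @()

# 1. Staging directory and the tool/file names given in the report
$dropDir = Join-Path $env:SystemRoot 'system32\spool\w42x86'
if (Test-Path $dropDir) {
    $findings += "Drop directory present: $dropDir"
    $findings += @(Get-ChildItem $dropDir -File | ForEach-Object { "  file: $($_.Name)" })
}
foreach ($name in 'ServUDaemon.ini', 'start32.bat', 'cygwin1.dll') {
    $hits = Get-ChildItem "$env:SystemRoot\system32" -Recurse -File -Filter $name -ErrorAction SilentlyContinue
    $findings += @($hits | ForEach-Object { "Suspect file: $($_.FullName)" })
}

# 2. Illicit services: the two names from the report, plus any service whose
#    binary lives in the spool tree (FireDaemon wraps arbitrary programs as services)
$badServices = 'mr2kserv', 'Server Adminstrator'
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.Name -in $badServices -or $svc.DisplayName -in $badServices) {
        $findings += "Illicit service: $($svc.Name) [$($svc.State)] -> $($svc.PathName)"
    } elseif ($svc.PathName -like '*\spool\*') {
        $findings += "Service running from spool tree: $($svc.Name) -> $($svc.PathName)"
    }
}

# 3. The one-shot job: legacy at.exe jobs were registered under names like At1, At2
$findings += @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match '^At\d+$' } |
    ForEach-Object { "Suspicious task: $($_.TaskName) (state $($_.State))" })

# 4. Default administrative shares that start32.bat deletes
$shares = Get-SmbShare -ErrorAction SilentlyContinue
if ($shares) {
    foreach ($share in 'C$', 'IPC$', 'ADMIN$') {
        if ($share -notin $shares.Name) { $findings += "Admin share missing: $share" }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the report found.' } else { $findings }
```

Run it in an elevated session so service paths and shares are fully visible; a missing admin share on a server that should have one is as telling as a hit on the service names.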



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com