Security Incidents mailing list archives

Compromised Win2000 machine.


From: Daniel Hay <dhay () drexel edu>
Date: Tue, 28 May 2002 16:15:25 -0400

Hey,
Today I found a Windows machine located in our dorms that had been compromised, but unlike most of the compromised machines I see come out of the dorms, the Admin password was actually set, and it was set to something other than NULL or "Administrator". The attacker set up 2 Serv-U ftpd's on the host on high ports, 23432 and 65531 to be exact; they also installed a warez eggdrop bot that connects to the newnet IRC network and serves via the #warez-excell channel. The thing that puzzles me, and I've not been able to get any information on it through web searches and mailing lists so far: on port 4160 there seems to be a login prompt. When you nc to the port you are presented with the following

[dhay@ob-1 dhay]$ nc compromise.host.edu 4160
Login: administrator

Invalid password!!!
login:


An nc to the auth port (113) yields


[dhay@ob-1 dhay]$ nc 144.118.217.84 113

934 , 6667 : USERID : UNIX : bitch



I'm hoping someone notices the shift from uppercase "L" in "Login" to lowercase after you fail to log in and recognizes it as a known backdoor, or something similar... Does anyone know of any canned rootkits (for want of a better term) that act in the way I've described above? I'll paste the output of nmap -sS -sU -p 1-65535 below


Port       State       Service
99/tcp     open        metagram
113/tcp    open        auth
135/tcp    open        loc-srv
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
445/udp    open        microsoft-ds
500/udp    open        isakmp
1025/tcp   open        listen
1026/udp   open        unknown
4160/tcp   open        unknown
23432/tcp  open        unknown
65531/tcp  open        unknown


Cheers
Danny
Drexel University
Network Security Engineer
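As an added triage example (not part of Danny's post, and not something he ran), the Python below works over the three pieces of evidence the post gives: it parses the nmap port table exactly as pasted (run together on one line or one entry per line), flags open ports that a stock Windows 2000 host would not normally expose, parses the RFC 1413 ident reply into its fields, and replays the port-4160 exchange through a fake connection to test for the "Login:" to "login:" case shift. The Windows 2000 baseline port set is this example's own assumption; the transcript bytes are a reconstruction of what the post shows, and no host from the post is contacted.

```python
import re
from typing import Dict, List, Optional, Tuple

# Evidence from the post: the nmap table as pasted, the ident reply line, and
# the port-4160 exchange reconstructed as the raw bytes nc would have shown.
NMAP_FLAT = (
    "99/tcp open metagram 113/tcp open auth 135/tcp open loc-srv "
    "135/udp open loc-srv 137/udp open netbios-ns 138/udp open netbios-dgm "
    "139/tcp open netbios-ssn 445/tcp open microsoft-ds 445/udp open microsoft-ds "
    "500/udp open isakmp 1025/tcp open listen 1026/udp open unknown "
    "4160/tcp open unknown 23432/tcp open unknown 65531/tcp open unknown"
)
IDENT_LINE = "934 , 6667 : USERID : UNIX : bitch"
TRANSCRIPT_4160 = [b"Login: ", b"\r\nInvalid password!!!\r\nlogin:"]

# Assumption of this example, not from the post: ports a stock Windows 2000
# host normally exposes (RPC endpoint mapper, NetBIOS/SMB, IKE, and the low
# dynamic RPC ports nmap saw here). Anything else open is worth a look first.
WIN2000_BASELINE = {(135, "tcp"), (135, "udp"), (137, "udp"), (138, "udp"),
                    (139, "tcp"), (445, "tcp"), (445, "udp"), (500, "udp"),
                    (1025, "tcp"), (1026, "udp")}

PORT_RE = re.compile(r"(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
IDENT_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")
PROMPT_RE = re.compile(r"\b([Ll]ogin):")

def parse_nmap_ports(text: str) -> List[Tuple[int, str, str, str]]:
    """(port, proto, state, service) tuples from an nmap port table, whether
    the table is one entry per line or run together on a single line."""
    return [(int(p), proto, state, svc) for p, proto, state, svc in PORT_RE.findall(text)]

def unexpected_listeners(ports, baseline=WIN2000_BASELINE):
    """Open ports that are not in the baseline, in nmap's order."""
    return [(p, proto, svc) for p, proto, state, svc in ports
            if state == "open" and (p, proto) not in baseline]

def parse_ident_reply(line: str) -> Optional[Dict[str, object]]:
    """Parse an RFC 1413 reply. The first number is the port on the host that
    answers ident, the second the port on the peer that asked; for an IRC bot
    the peer port is normally the IRC server's (6667 here)."""
    m = IDENT_RE.match(line)
    if not m:
        return None
    local_port, peer_port, status, rest = m.groups()
    reply = {"local_port": int(local_port), "peer_port": int(peer_port), "status": status}
    if status == "USERID":
        opsys, _, user = rest.partition(":")
        reply["opsys"], reply["user"] = opsys.strip(), user.strip()
    else:
        reply["error"] = rest
    return reply

def probe_login_prompt(conn, username: str = "administrator") -> Tuple[str, str]:
    """Read the greeting, send one username, read the answer. conn is anything
    with recv()/sendall(): a real socket, or FakeConn for an offline replay."""
    first = conn.recv(1024)
    conn.sendall(username.encode() + b"\r\n")
    second = conn.recv(4096)
    return first.decode(errors="replace"), second.decode(errors="replace")

def prompt_case_shift(first: str, second: str):
    """True when the greeting says 'Login:' and the re-prompt says 'login:'
    (the case change the post asks about); also returns the prompt words."""
    before, after = PROMPT_RE.findall(first), PROMPT_RE.findall(second)
    if not before or not after:
        return False, before, after
    shifted = before[-1] != after[-1] and before[-1].lower() == after[-1].lower()
    return shifted, before, after

class FakeConn:
    """Replays a captured transcript so the probe can run without a target."""
    def __init__(self, chunks):
        self.chunks, self.sent = list(chunks), []

    def recv(self, n: int) -> bytes:
        return self.chunks.pop(0) if self.chunks else b""

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)

def triage(nmap_text=NMAP_FLAT, ident_line=IDENT_LINE, conn=None):
    """Run the three checks and return one dict for the incident record."""
    conn = conn or FakeConn(TRANSCRIPT_4160)
    ports = parse_nmap_ports(nmap_text)
    first, second = probe_login_prompt(conn)
    shifted, before, after = prompt_case_shift(first, second)
    return {
        "unexpected": unexpected_listeners(ports),
        "ident": parse_ident_reply(ident_line),
        "prompt_shift": shifted,
        "prompts": (before[-1] if before else None, after[-1] if after else None),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Against a live host, pass the result of `socket.create_connection((host, 4160), timeout=5)` as `conn` to `triage()`; the fake connection is only there so the check can be exercised against the recorded exchange. The baseline set is deliberately a plain set of (port, proto) pairs so it can be swapped for whatever a given site's build of Windows 2000 actually exposes.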


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
