RE: Compromised Win2000 machine.

["Kit" <kit () smallfoxx com>]

If I remember correctly, Jini uses 4160.  From what I remember, Jini is
basically distributed computing using Java.  Don't know why exactly it would
be prompting for a login, but I guess it could be an app of somesort.  They
could be using this as a DDoS type of system I guess.

Also, why is it using port 99 and 113?  Those seem like odd ports for a
Windows machine to have.

Now, if you're having problems getting in because you don't know the admin
password, with physical access to the box that could obviously be worked
around, but remotely would be a little less easy.

As for what root-kit its a part of, sorry, I'm not that familiar with it.

HTH,
-K

-----Original Message-----
From: Daniel Hay [mailto:dhay () drexel edu]
Sent: Tuesday, May 28, 2002 3:15 PM
To: incidents () securityfocus com
Subject: Compromised Win2000 machine.


Hey,
          Today i found a windows machine located in our dorms that had
been compromised, but unlike most of the compromised machines i see come
out of the dorms the Admin password was actually set and it was set to
something other than NULL or Administrator.  The attacker set up 2
Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact,
they also installed a warez eggdrop bot that connects to the newnet IRC
Network and servs via the #warez-excell channel. The thing that puzzles
me and i've not been able to get any information on it through web
searches and mailing lists so far, on port 4160 there seems to be a
login prompt. When you nc to the port you are presented with the following

[dhay@ob-1 dhay]$ nc compromise.host.edu 4160
Login: administrator

Invalid password!!!
login:


An nc to the auth port (113) yields


 [dhay@ob-1 dhay]$ nc 144.118.217.84 113

934 , 6667 : USERID : UNIX : bitch



I'm hoping someone notices the shift from Uppercase "L" in login to
lower case after you fail to login and recognizes it as a known
backdoor? or  something similar... does anyone know of any canned
rootkits ( for want of a better term ) that acts in the way i've
described above? I'll paste the output of nmap -sS -sU -p 1-65535 below


Port       State       Service
99/tcp     open        metagram
113/tcp    open        auth
135/tcp    open        loc-srv
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
445/udp    open        microsoft-ds
500/udp    open        isakmp
1025/tcp   open        listen
1026/udp   open        unknown
4160/tcp   open        unknown
23432/tcp  open        unknown
65531/tcp  open        unknown



Cheers
Danny
Drexel University
Network Security Engineer







----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com