Security Incidents mailing list archives

Re: FTP and Win2K changed security policy


From: Johan Augustsson <johan.augustsson () adm gu se>
Date: Wed, 20 Nov 2002 08:29:17 +0100

On Mon, Nov 18, 2002 at 12:37:05PM +0100, Bojan Zdrnja wrote:

> I wonder if anyone saw rootkit with this or this was a manual work.
> FTP server was empty, only one 1MB file named '1' was in it (probably to
> test server's speed).
>
> Also, I'm not sure how they got in. Machine is Windows 2000 Professional and
> had SP2 applied on it, but I'm afraid user had weak local administrator
> password (I don't take care of those machines, I was just there to check his
> problems).


I've seen variants of those .bat-files on a huge number of compromised
NT/2000 systems. As far as I know it's just a bunch of scripts that the
intruder runs manually after downloading them from either his own box
(stupid) or another compromised box.

So, how did he get in? I would bet my money on bad or non-existing
passwords. Badly configured MS-SQL-servers are another often used way in
but maybe not in this case. There is a very powerful tool written by a
Chinese that scans a class B network and collects null passwords or
passwords that are the same as the account's name in less than 40 minutes.
Since this is a win32 executable it's often found on the compromised
systems. It can also be used with a dictionary.

Another tool that's often found on those systems is Netcat. It may be
used to start a commandshell session to a specific IP-address or to bind
cmd.exe to a port that the intruder can use as a backdoor.

The tricky part is to find all the binaries. It was a long time since
the intruder started to rename the Serv-U FTP binaries to something more
legal. Fport or Active Ports can help you out there. It's like lsof -i for
Windows.

If you really want to know how many of your boxes are compromised
like this I recommend using Snort (www.snort.org) and the following
rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"USER"; content: "USER"; flags: A+; dsize: <30; depth: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PASS"; content: "PASS"; flags: A+; dsize: <30; depth: 4;)

You might consider a couple of pass rules above those two rules so
you don't get all the legal ftp-logins to port 21 and other legal ports.

Bear in mind that the rules above might give you a minor shock. If you
have a class B net and don't filter TCP 135, 139 and 445 you'll probably
have a couple of compromised boxes every day.


Happy hunting

Johan Augustsson
Göteborg University
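The two Snort rules above, plus the port-21 pass rule Johan suggests, re-implemented as a small offline checker so the matching logic (command in the first 4 bytes, payload shorter than 30 bytes, known FTP control ports suppressed) can be tried against constructed sample packets. This is an added example, not code from the post or from Snort; the names ALLOWED_FTP_PORTS, matches_ftp_login_rule and scan, and the sample packets, are assumptions made here.

```python
from typing import List, Optional, Tuple

# Assumed "pass rule": legitimate FTP control ports whose logins are expected.
ALLOWED_FTP_PORTS = {21}


def matches_ftp_login_rule(payload: bytes, dst_port: int) -> Optional[str]:
    """Return "USER" or "PASS" if the payload would trip the alert, else None.

    Mirrors the Snort rule: content "USER"/"PASS" with depth 4 (so the command
    must start at offset 0), dsize < 30 (a short login line), and a pass rule
    for known FTP control ports so normal port-21 logins are not reported.
    """
    if dst_port in ALLOWED_FTP_PORTS:
        return None            # pass rule: expected FTP logins are skipped
    if len(payload) >= 30:
        return None            # dsize: <30
    head = payload[:4]         # depth: 4
    for cmd in (b"USER", b"PASS"):
        if head == cmd:
            return cmd.decode()
    return None


# Constructed sample "packets" as (destination port, TCP payload); not captured traffic.
SAMPLE_PACKETS: List[Tuple[int, bytes]] = [
    (21,   b"USER anonymous\r\n"),                   # normal FTP login: suppressed
    (4321, b"USER hax\r\n"),                         # FTP login to a non-standard port
    (4321, b"PASS hax\r\n"),
    (4321, b"SYST\r\n"),                             # no USER/PASS in the first 4 bytes
    (8080, b"GET / HTTP/1.0\r\nUSER-AGENT: x\r\n"),  # too long, and USER not at offset 0
]


def scan(packets: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Return one (dst_port, command) alert per packet that matches a rule."""
    alerts = []
    for dst_port, payload in packets:
        hit = matches_ftp_login_rule(payload, dst_port)
        if hit:
            alerts.append((dst_port, hit))
    return alerts


if __name__ == "__main__":
    for port, cmd in scan(SAMPLE_PACKETS):
        print(f"alert: FTP {cmd} to non-standard port {port}")
```

On the sample set only the two login lines to port 4321 are reported, which is the kind of hit that points at a renamed FTP daemon bound to an odd port.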

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

