Security Incidents mailing list archives

RE: FTP and Win2K changed security policy


From: "Joswiak, Johnny G." <jgjoswia () utmb edu>
Date: Fri, 22 Nov 2002 22:06:21 -0600

Your case fits a scenario I just finished investigating. See
http://www.russonline.net/tonikgin/EduHacking.html and you'll probably find
an exact match of what happened, except for maybe firedaemon, since it really
isn't needed with Dameware there. Look closely at the "dll" files in those
directories with notepad or a hex editor and you'll find the irc configs,
etc. There will be other files, but I'm sure you'll find them. The box will
be better off being reloaded, with no local admin accts, etc.
Johnny
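An added example, not code from the thread, for the check Johnny describes: a real DLL begins with the DOS/PE "MZ" header, while a text file renamed to .dll to hide an IRC or FTP configuration does not. The script builds a constructed tools/win tree in a temp directory (the file names and contents are made up for the demo) and reports every .dll whose first bytes are not a PE header.

```python
"""Find files named like DLLs that are not PE images (added example).

A Windows DLL starts with the 'MZ' DOS header; a text file that was simply
renamed to .dll to hide an IRC or FTP configuration does not. The sample
tree built here is constructed for the demo, not taken from a real incident.
"""
import os
import string
import tempfile

PE_MAGIC = b"MZ"
PRINTABLE = set(string.printable.encode("ascii"))


def classify_header(head):
    """Return 'pe' for a DOS/PE header, 'text' for mostly printable bytes,
    otherwise 'binary'."""
    if head[:2] == PE_MAGIC:
        return "pe"
    if head and sum(b in PRINTABLE for b in head) / len(head) > 0.95:
        return "text"
    return "binary"


def find_fake_dlls(root):
    """Walk root and return (relative path, kind) for every .dll file whose
    first bytes are not a PE header. Paths use '/' so results are stable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                kind = classify_header(f.read(512))
            if kind != "pe":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, kind))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed tools/win layout: one DLL-like file with a real
    MZ header and one 'DLL' that is really an IRC client config."""
    root = tempfile.mkdtemp(prefix="tools_")
    win = os.path.join(root, "win")
    os.makedirs(win)
    with open(os.path.join(win, "cygwin1.dll"), "wb") as f:
        f.write(PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64)
    with open(os.path.join(win, "msvcrt2.dll"), "wb") as f:  # hypothetical name
        f.write(b"[irc]\r\nserver=irc.example.invalid\r\nport=6667\r\n"
                b"channel=#placeholder\r\nnick=bot\r\n")
    with open(os.path.join(win, "win.exe"), "wb") as f:  # not a .dll, ignored
        f.write(PE_MAGIC + b"\x00" * 32)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, kind in find_fake_dlls(sample):
        print(f"{rel}: {kind} content under a .dll name")
```

Point find_fake_dlls at the suspect directory (the post's c:\winnt\system\tools, for instance) and open each reported file in a hex editor; the 512-byte read keeps the scan cheap on large trees, and the printable-ratio test separates renamed configs from packed or encrypted blobs that also lack the header.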

-----Original Message-----
From: Bojan Zdrnja [mailto:Bojan.Zdrnja () FER hr] 
Sent: Monday, November 18, 2002 5:37 AM
To: incidents () securityfocus com
Subject: FTP and Win2K changed security policy


I'm sending this a second time because I didn't receive any message, either
from the moderator or on the ML.

Hi everyone.

Today one of the employees at my university asked me to check his machine as he
couldn't use Netmeeting anymore for remote desktop sharing. Some people
here use Netmeeting to easily control their machines from home (I know I
should have banned that before at a lower level, but ...). After I couldn't
find his machine on our domain (and he was added) I went to his computer and
saw that he hadn't got Sophos started at all. Every time I tried to start
Sophos it would just hang. Things became interesting at that point (for me,
not him :).

After examining the machine I saw one suspicious process running, under the
name service.exe. This process was listening on port 62345 and it was
actually a Serv-U FTP server in leech mode (just like the one we discussed on
this ML a few days before). The FTP server was installed in the directory
c:\winnt\system\tools. That directory also contained one very interesting
subdirectory named win. In this directory I found a program named win.exe
and a few .bat files (named secure.bat and secure1.bat), as well as cygwin
DLLs and so on. It appears that this program is used to set whatever
security policy he wanted on the machine, which you can see in the secure.bat
file. Obviously, his policy didn't work quite well, as he also removed the
possibility for the user to log on over Netmeeting (that's why the user called
me in the first place).

I wonder if anyone has seen a rootkit with this or whether this was manual
work. The FTP server was empty; only one 1MB file named '1' was in it (probably
to test the server's speed).

Also, I'm not sure how they got in. The machine is Windows 2000 Professional and
had SP2 applied on it, but I'm afraid the user had a weak local administrator
password (I don't take care of those machines, I was just there to check his
problems).

If needed, I have those directories in a zip archive so I can send it to
someone if you need it.

Best regards,

Bojan Zdrnja
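An added example, not the poster's code, of the two host checks his findings suggest: parse `netstat -an` output and flag TCP listeners outside a known baseline (the renamed Serv-U was found on 62345), and flag running process names that sit one character away from a legitimate Windows system process name, the way service.exe shadows services.exe. The netstat text, the process list and the baseline port set are constructed for the demo; the NetMeeting ports in the baseline (1503, 1720) are an assumption about the workstation build, not something the post states.

```python
"""Host triage checks for the symptoms in the post (added example).

Not the poster's code. Two checks: (1) parse 'netstat -an' output and flag
TCP listeners outside a baseline; (2) flag running process names that are
one character away from a legitimate Windows system process name, the way
'service.exe' shadows 'services.exe'. The netstat text, the process list and
the baseline port set below are constructed for the demo.
"""
import re

# Constructed 'netstat -an' output; 62345 is the port the post reports.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:62345          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1043          10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed baseline for a domain-joined Win2K workstation that runs NetMeeting
# (1503 = T.120, 1720 = H.323 call setup). Adjust to the real build standard.
BASELINE_LISTENERS = {135, 139, 445, 1503, 1720}

# Legitimate system process names to compare against (assumed list).
SYSTEM_PROCESSES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                    "csrss.exe", "explorer.exe", "spoolsv.exe"}

# Constructed process list; service.exe is the renamed Serv-U from the post.
PROCESS_SAMPLE = ["services.exe", "svchost.exe", "service.exe",
                  "explorer.exe", "notepad.exe"]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def unexpected_listeners(netstat_text, baseline=BASELINE_LISTENERS):
    """Listening TCP ports not in the baseline, sorted."""
    return sorted(listening_tcp_ports(netstat_text) - set(baseline))


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character name look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerading_names(process_names, legit=SYSTEM_PROCESSES):
    """(seen name, legitimate name) pairs for names within one edit of a
    system process name but not equal to it."""
    hits = []
    for name in process_names:
        low = name.lower()
        if low in legit:
            continue
        for ref in sorted(legit):
            if edit_distance(low, ref) == 1:
                hits.append((name, ref))
    return hits


def triage(netstat_text=NETSTAT_SAMPLE, process_names=PROCESS_SAMPLE):
    """Run both checks and return the findings keyed by check name."""
    return {
        "unexpected_listeners": unexpected_listeners(netstat_text),
        "masquerading_names": masquerading_names(process_names),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a live box, feed the real `netstat -an` output and the task list into the two functions; a listener outside the baseline is the cue to look at what binary owns it, and a near-miss process name is worth checking against the path it runs from (the post's copy lived under c:\winnt\system\tools rather than the system directory). The name check is deliberately narrow at one edit, so spelling variants further away will need their own rule.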


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
