Security Incidents mailing list archives

RE: Logon.dll? Possible root-kit?


From: "Rob Shein" <shoten () starpower net>
Date: Fri, 4 Apr 2003 12:02:03 -0500

Ok, just a quick note to everyone who's wondering about logon.dll.  I
noticed it was impossibly small (687 bytes, to be precise) and didn't have
executable headers.  So, I opened it in a text editor...this is what it
says:

<begin quote>
                     \\ //
                     (o o)
###+----oOO--(_)--OOo----+###

|•••|  -=[ HacK€d BY THALLIA ]=- |•••|
|•••|  -=[ Il est actuellement %TIME ]=- |•••|
|•••|  -=[ Vous êtes le %unow éme connecté ]=- |•••|
|•••|  -=[ sur un total de %MaxUsers users ]=- |•••|
|•••|  -=[ Nombre d'users qui se sont deja connectés %loggedInAll users ]=- |•••|
|•••|  -=[ Serveur on ligne depuis %Serverdays Days, %ServerHours Hours, %ServerMins Minutes, %ServerSecs Seconds ]=- |•••|
|•••|  -=[ La bande passante utilisée actuellement est %ServerKBps ]=- |•••|
|•••|  -=[ Nonbre de Ko Up %ServerKbUp ]=- |•••|
|•••|  -=[ Nombre de Ko Dwl %ServerKbDown ]=- |•••|

<end quote>

I saw that go2.bat makes a directory in
c:\winnt\system32\spool\drivers\color\tmp\a and starts up serv-u FTP (5
times, apparently).  "Log.txt" is used to report various statistics for
"Guyver," which I am not familiar with but appears to be some kind of rogue
FTP server system.  Explorer.exe appears to be the ftp daemon itself.

"Save.bat" does something very interesting...it removes all default
administrative shares, which tends to make me think that this is how the
machine was hacked in the first place; the hackers are just making sure
nobody comes in behind them the same way.

"1.txt" is an ftp script that pulls down log.txt, su.exe (which is also a
serv-u daemon executable...interesting), and ServUDaemon.ini.  It connects
to an anonymous account on 65.26.36.203 (a RoadRunner cablemodem user IP) to
retrieve these files.

DWRCS is DameWare's remote control system, much like WinVNC.  

Are they sure this system was hacked by a former employee?  They should be
very, very careful before they go down that path, unless they have some
significant information that points to him.  It looks like they had either a
vulnerable IIS install (based on logs contained in the RAR file) or default
shares that got utilized, from what I've looked at.  This is more likely a
random hit than anything else.

-----Original Message-----
From: Nick Jacobsen [mailto:nick () ethicsdesign com] 
Sent: Thursday, April 03, 2003 3:43 PM
To: incidents () securityfocus com
Subject: Re: Logon.dll? Possible root-kit?


Ok here is link to a rar of the suspected files:
    http://www.ethicsdesign.com/HackLog.rar

As some of you said, it looks like there is not a rootkit installed, and it
looks like this was an attempt at making this box join a botnet.  A kindly
IRCOp has offered to both decompile the bot dll, and to remove the offending
channel (#thallia), so that is taken care of.  Anyway, I did manage to
convince my clients that this was serious enough to warrant a wipe of the
data on the machine.  I am waiting to see what your analysis of these files
is.

Thank You,
Nick Jacobsen
nick () ethicsdesign com
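The checks Rob describes doing by hand (a "DLL" with no executable headers, a Serv-U banner template with %TIME / %MaxUsers style variables, a batch file that drops the administrative shares) are the kind of thing an incident responder would want to repeat quickly over a whole drop directory. The following Python triage script is an added example, not code from the original thread or from either poster. It works on bytes handed to it, so the sample files below are constructed to resemble what the thread describes (the fake logon.dll, a minimal real PE stub for contrast, and a batch file); the Serv-U variable names come from the banner quoted above, while the `net share <name>$ /delete` pattern is an assumption about how save.bat removes the shares, since the thread does not show its contents.

```python
import re
import struct


def is_pe_image(data: bytes) -> bool:
    """True only if data has an MZ DOS header and a 'PE\\0\\0' signature at e_lfanew.

    A 687-byte text banner fails this on the very first check, which is
    exactly the observation that unmasked logon.dll in the thread.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Serv-U sign-on template variables, taken from the banner quoted in the thread.
SERVU_VARS = re.compile(
    rb"%(TIME|unow|MaxUsers|loggedInAll|Server(?:days|Hours|Mins|Secs|KBps|KbUp|KbDown))\b",
    re.IGNORECASE,
)

# Assumed form of the share removal in save.bat (the thread only says it
# "removes all default administrative shares").
ADMIN_SHARE_DELETE = re.compile(rb"net\s+share\s+\w+\$\s*/delete", re.IGNORECASE)


def triage(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one file; an empty list means nothing flagged."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""

    if ext in ("dll", "exe", "sys") and not is_pe_image(data):
        findings.append("extension claims a PE image but there is no MZ/PE header")
    if SERVU_VARS.search(data):
        findings.append("contains Serv-U sign-on banner variables")
    if ext in ("bat", "cmd") and ADMIN_SHARE_DELETE.search(data):
        findings.append("deletes an administrative share")
    return findings


def triage_all(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Run triage() over a name -> bytes mapping, keeping only files with findings."""
    return {name: hits for name, data in files.items() if (hits := triage(name, data))}


def build_pe_stub() -> bytes:
    """Constructed: the smallest layout is_pe_image() accepts (DOS header + PE signature)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(header) + b"PE\0\0" + bytes(20)  # zeroed COFF header for padding


# Constructed samples modelled on the thread's description, not the real files.
SAMPLES = {
    "logon.dll": (
        b"|...|  -=[ Il est actuellement %TIME ]=- |...|\r\n"
        b"|...|  -=[ sur un total de %MaxUsers users ]=- |...|\r\n"
    ),
    "explorer.exe": build_pe_stub(),
    "save.bat": b"@echo off\r\nnet share ADMIN$ /delete\r\nnet share C$ /delete\r\n",
    "1.txt": b"open ftp.example.invalid\r\nanonymous\r\nget log.txt\r\nbye\r\n",
}

if __name__ == "__main__":
    for name, hits in triage_all(SAMPLES).items():
        print(f"{name}: " + "; ".join(hits))
```

The header test is deliberately strict (MZ plus PE signature) rather than a size threshold, because a genuine PE can be far smaller than most people expect; a missing header is evidence, a small size alone is not. The banner and share-deletion patterns are indicators for a human to follow up on, not a verdict, which is the same role Rob's manual notes play in the thread.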


----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents
