compromised machines

[Varun Pitale <varun.pitale () gmail com>]

last week, I had around 78 machines compromised through IRC bots and
all of them running a ftp server on port 6544 with the following
banner:

220-Serv-U FTP Server v5.0 for WinSock ready...
220-.
220-.
220-           ¨¨°º©o.,,.o©  HacKed By EvilzCrew  ©o.,,.o©º°¨¨
220-.
220-.
220-
220-                       ---=   SERVER ---
220----->  Le Server est Up depuis 0 Jour: 14 Heure: 52 Min
220----->  Nous somme le Saturday 14 August, 2004 il est 14:27:36 Sur le Server
220-
220-                      ---=   TRANSFERTS ---
220-----> Vitesse : moyenne :   0.261 kb/sec
220-----> Download total :              20 Kb
220-----> Upload total :                13977 Kb
220-
220-                      ---=   UTILISATEURS ---
220----->  Votre IP : x.x.x.x
220----->  Vous etes 1 connectes
220----->  TotaL Users Logged In : 6 Users
220-
220-                     ---=   RESPECT THIS STUFF  ---

We cleaned up all of these machines and rebuilt each of them from
scratch, with all the latest patches. The IDS/IPS at the edge of our
network, does not seem to be catching the bots which are causing
these.
After one week, I have 50 machines which are compromised by the same
bot, and some of them are the same as the previous list of machines.
Now  a host-based firewall is a very tough option for us, since we are
a university with around 30,000 computers and under different
departments. Does anyone know what bots are causing these and any IDS
signatures for these. We are using a couple of IDS such as snort and
Dragon and Intrushield, Any help for this is appreciated.
 I did have a look at one of these
machines and from what I see, there are a couple of files which seem
to be causing this.
there is a csmss.exe file which is listening on the port 6544.. The
machine is also running a remote server.
before csmss.exe, a file ServNT.exe seems to have been executed, which
might have caused a sequence of events.. there is a batch file , which
using the registry runs a remote admin server at startup. then we got
a number of files which are used to show the banner, hide the files .
If I could find out how did they get inside the system, because most
of the infected machines were running fully patched Windows XP with
latest Norton Antivirus definitions.?
All of those machines are running either Windows 2000 professional or
XP professional.
2 machines wer analysed, one of which was completely ptched and had
all the latest virus definitions from Norton,  another machine was not
patched and no virus updates were present.. But the state of affairs
at both the machines was the same..  themessage sent before contains
the details..
 on more analysis, I found csmss.exeto be a part of W32.Dedler
Trojan.. but how it got inside the system is anyone's guess..

None of them was running IIS.



-- 
Regards, 
   Varun
   (704)-548-8793 --(Home)
   (704)-241-0092 --(Mobile)
   mailto: varun.pitale_(at)_gmail_(dot)_com