Security Incidents mailing list archives

Re: compromised machines


From: Scott Weeks <surfer () mauigateway com>
Date: Thu, 26 Aug 2004 12:13:32 -1000 (HST)



Are you sure they didn't crack the passwords?  Do you have 'strong'
passwords on the machines?

scott



On Thu, 26 Aug 2004, Varun Pitale wrote:

: Last week I had around 78 machines compromised through IRC bots, all
: of them running an FTP server on port 6544 with the following
: banner:
:
: 220-Serv-U FTP Server v5.0 for WinSock ready...
: 220-.
: 220-.
: 220-           ?????o.,,.o?  HacKed By EvilzCrew  ?o.,,.o?????
: 220-.
: 220-.
: 220-
: 220-                       ---=   SERVER ---
: 220----->  Le Server est Up depuis 0 Jour: 14 Heure: 52 Min   [The server has been up for 0 days, 14 hours, 52 min]
: 220----->  Nous somme le Saturday 14 August, 2004 il est 14:27:36 Sur le Server   [Today is Saturday 14 August, 2004; it is 14:27:36 on the server]
: 220-
: 220-                      ---=   TRANSFERTS ---   [TRANSFERS]
: 220-----> Vitesse : moyenne :   0.261 kb/sec   [Speed: average: 0.261 kb/sec]
: 220-----> Download total :              20 Kb
: 220-----> Upload total :                13977 Kb
: 220-
: 220-                      ---=   UTILISATEURS ---   [USERS]
: 220----->  Votre IP : x.x.x.x   [Your IP: x.x.x.x]
: 220----->  Vous etes 1 connectes   [You are 1 connected]
: 220----->  TotaL Users Logged In : 6 Users
: 220-
: 220-                     ---=   RESPECT THIS STUFF  ---
:
: We cleaned up all of these machines and rebuilt each of them from
: scratch, with all the latest patches. The IDS/IPS at the edge of our
: network does not seem to be catching the bots which are causing
: these.
: After one week, I have 50 machines which are compromised by the same
: bot, and some of them are the same as the previous list of machines.
: Now a host-based firewall is a very tough option for us, since we are
: a university with around 30,000 computers under different
: departments. Does anyone know what bots are causing these, and any IDS
: signatures for them? We are using a couple of IDSes such as Snort,
: Dragon and IntruShield. Any help with this is appreciated.
:  I did have a look at one of these
: machines and from what I see, there are a couple of files which seem
: to be causing this.
: There is a csmss.exe file which is listening on port 6544. The
: machine is also running a remote server.
: Before csmss.exe, a file ServNT.exe seems to have been executed, which
: might have caused a sequence of events. There is a batch file which,
: using the registry, runs a remote admin server at startup. Then we got
: a number of files which are used to show the banner and hide the files.
: If I could find out how they got inside the system, because most
: of the infected machines were running fully patched Windows XP with
: the latest Norton Antivirus definitions?
: All of those machines are running either Windows 2000 Professional or
: XP Professional.
: 2 machines were analysed, one of which was completely patched and had
: all the latest virus definitions from Norton; another machine was not
: patched and no virus updates were present. But the state of affairs
: at both machines was the same. The message sent before contains
: the details.
: On more analysis, I found csmss.exe to be a part of the W32.Dedler
: Trojan, but how it got inside the system is anyone's guess.
:
: None of them was running IIS.
:
:
:
: --
: Regards,
:    Varun
:    (704)-548-8793 --(Home)
:    (704)-241-0092 --(Mobile)
:    mailto: varun.pitale_(at)_gmail_(dot)_com
:
:
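A banner-grab check for the greeting quoted above, added here as an example; it is not code from the thread nor from Snort, Dragon or IntruShield. It connects to port 6544, reads the multi-line 220 reply, matches it against the strings visible in the posted banner, and builds a Snort rule for the tag line. The indicator names, the "two weak hits or the tag line" threshold, the SAMPLE_BANNER (a constructed copy of the posted greeting with the mis-encoded decoration dropped and a terminating "220 " line added) and the throwaway local server are all my assumptions so the script runs offline.

```python
"""Grab the FTP greeting on port 6544 and match it against the banner
strings posted in the thread.  Added example, not code from the thread."""
import re
import socket
import threading

BOT_PORT = 6544  # port named in the thread

# Strings copied from the banner quoted above.  The decorated line around
# "HacKed By EvilzCrew" is mis-encoded on the page, so only the readable
# part of it is used.  Indicator names are my own.
INDICATORS = {
    "serv-u 5.0 greeting": re.compile(r"Serv-U FTP Server v5\.0 for WinSock ready", re.I),
    "EvilzCrew tag": re.compile(r"HacKed By EvilzCrew", re.I),
    "French uptime line": re.compile(r"Le Server est Up depuis", re.I),
    "respect line": re.compile(r"RESPECT THIS STUFF", re.I),
}

def parse_greeting(raw):
    """Split a multi-line 220 reply into its text lines, prefix stripped.
    RFC 959: continuation lines start '220-', the final line '220 '."""
    return [m.group(1) for m in
            (re.match(r"^220[ -](.*)$", ln) for ln in raw.splitlines()) if m]

def match_indicators(raw):
    """Names of the indicators present in a greeting, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(raw)]

def grab_banner(host, port=BOT_PORT, timeout=3.0, max_bytes=8192):
    """Connect and read the greeting until the terminating '220 ' line,
    EOF, a timeout or max_bytes.  Returns '' if the port is unreachable."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while len(buf) < max_bytes:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
                if re.search(rb"(?m)^220 .*\r?\n", buf):  # final reply line
                    break
    except OSError:  # includes socket.timeout
        pass
    return buf.decode("latin-1", errors="replace")

def assess(host, port=BOT_PORT, timeout=3.0):
    """Banner-grab one host; return (indicator hits, verdict string)."""
    raw = grab_banner(host, port, timeout)
    hits = match_indicators(raw)
    if not raw:
        return hits, "no greeting on port %d" % port
    # Assumed threshold: the tag line alone, or two weaker indicators.
    if "EvilzCrew tag" in hits or len(hits) >= 2:
        return hits, "compromised (matches posted banner)"
    return hits, "greeting present, no match"

def snort_rule(sid=1000001):
    """Snort rule for the tag line (sid in the local 1000000+ range)."""
    return ('alert tcp $HOME_NET %d -> any any (msg:"EvilzCrew FTP banner"; '
            'flow:established,from_server; content:"HacKed By EvilzCrew"; '
            'nocase; classtype:trojan-activity; sid:%d; rev:1;)' % (BOT_PORT, sid))

# Constructed greeting modelled on the one posted in the thread.
SAMPLE_BANNER = (
    "220-Serv-U FTP Server v5.0 for WinSock ready...\r\n"
    "220-.\r\n"
    "220-           o.,,.o  HacKed By EvilzCrew  o.,,.o\r\n"
    "220-.\r\n"
    "220-                       ---=   SERVER ---\r\n"
    "220----->  Le Server est Up depuis 0 Jour: 14 Heure: 52 Min\r\n"
    "220-                     ---=   RESPECT THIS STUFF  ---\r\n"
    "220 \r\n"
)
CLEAN_BANNER = "220 ProFTPD Server ready.\r\n"  # constructed benign greeting

def serve_once(banner):
    """Throwaway local server that sends `banner` to one client and exits;
    returns its port.  For offline demonstration only."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.sendall(banner.encode("latin-1"))
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for label, banner in (("infected", SAMPLE_BANNER), ("clean", CLEAN_BANNER)):
        port = serve_once(banner)
        hits, verdict = assess("127.0.0.1", port)
        print("%-8s port %5d: %s %s" % (label, port, verdict, hits))
    print(snort_rule())
```

For a real sweep, call assess() over the campus address ranges with the default port; the Serv-U greeting line by itself is a weak indicator, since a legitimate Serv-U 5.0 install sends the same first line, so the tag line is what the Snort rule keys on. The rule only fires on the server-to-client greeting, so it catches other hosts or scanners connecting to an infected machine, not the initial infection.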

