Re: Trojan of somesort - Update

[Pho Man <ph0k1n () yahoo com>]

Hi all,

For what's it's worth, I too have found that ports are
largely random, but every once in a while, I catch a
machine that has a well-known bad port open.  I found
31337 running on a certain machine once just a couple
months ago.

However, with ServU-FTP stuff, it's almost always
random, so as Paul Schmehl suggested, we monitor
traffic using NTop on a Linux box, and that catches
machines with suspicious activity fairly well.

I still like to scan the network using X-scan (since
it's fairly fast) just to be sure.  But that's just
me.  :)

Anyhow, I too have found machines that were hacked by
warez hackers, but had yet to store any files. 
Usually  it seems that the machine takes almost a week
or two for files to get uploaded to it.  If we catch
machines fairly early, then they have the tools (ServU
or IOftpd) running, but are otherwise empty.

Must be quite a successful franchise, or otherwise
hackers wouldn't hack so many machines at once.  :p

--The Pho Man

--- Paul Schmehl <pauls () utdallas edu> wrote:
> --On Thursday, May 27, 2004 02:58:56 PM +0000 Bob
> the Builder 
> <builder173 () hotmail com> wrote:
> > Other than the ServU files and some sort of crude
> looking port scanner so
> > far I haven't been able to find anything else.
>
> This is not surprising.  It's been my experience
> that boxes that get 
> "tagged" (i.e. set up as ftp sites for warez) get
> hacked by automated 
> scripts and later get filled up with warez.  It
> appears that the skiddies 
> are running automated hacking scripts that "phone
> home" when a box is 
> setup, but they apparently have so many of them that
> they don't always get 
> to new ones right away.  So there's a window when
> the box is hacked but not 
> yet being used as a repository.
>
> > Does anyone know of a
> > program that can be used to scan for trojans
> offline, as I now of the
> > machines disk loaded into my forensics system. I
> want to find out what
> > other ports I need to be suspicous of so that I
> can scan the rest of the
> > network for them to see if anything else looks
> compromised.
>
> Good luck scanning for ports.  The ports they use
> are completely arbitrary 
> and infinitely changeable.  You'd have better luck
> looking at traffic 
> patterns and investigating boxes that suddenly show
> unusually high levels 
> of traffic.  The only port that I think is really
> worth scanning is irc 
> (6667/TCP) because that can indicate a worm
> infection.  I've even seen 
> tagged boxes using port 21 as a remote shell.  Your
> port scanner is simply 
> going to tell you someone has ftp enabled.
>
> I have port scanned *known* tagged boxes and found
> nothing to raise 
> suspicions.  These guys aren't stupid.  They're
> going to try and make the 
> box look as normal as possible.  Some of them even
> moderate downloads and 
> uploads to try and stay under the radar and not
> raise suspicion due to 
> unusual traffic patterns.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/



        
                
__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/