[Intrusions] Has anyone else seen this?
Gabriel Somlo
somlo at acns.colostate.edu
Mon Aug 16 16:50:44 GMT 2004
We've had some Win2k/XP boxes broken into recently. The exact details
are included below. I'm wondering if anyone else has seen something
similar to this (i.e., identical or similar set of "tools" installed
on the same set of ports -- 81, 1337, 3333, 3083).
This also seems to just be a "root kit", i.e., what happens *after*
the break-in. I'm still wondering how they got in to begin with,
since the boxes were up to date on patches... (and if they weren't,
I'd really be interested in figuring out which patches we missed :) )
Anyway, thanks for any insight into the source of this...
Here's the details:
It appears that the first thing installed is:
%systemroot%\system32\wbem\svchost.exe as a service "Ressource Checker"
=> ServU FTP Daemon v3.0 (port 1337)
After that several applications are installed:
%SYSTEMROOT%\system32\lsasv.exe as service "DHCP Publishing Service" =>
Srvany util from NT4.0 reskit.
This starts a batch file
%SYSTEMROOT%\system32\wbem\ins\system\drivers\startsvc.bat that runs:
%SYSTEMROOT%\system32\wbem\ins\system\drivers\ndisip.exe => Eggdrop
IRCbot??? (port 3333, + many others ???)
%SYSTEMROOT%\system32\wbem\ins\system\system.exe => ioFTPD ftp server
(port 81)
%SYSTEMROOT%\system\svchost.exe as service "Remote Administrator
Service" => Remote Admin "radmin" (port 3083 - not verified)
To detect intrusion -
The ports to look for being open:
81, 1337, 3333, 3083
The files to look for are:
%systemroot%\system32\wbem\ins directory (everything under it)
%systemroot%\system32\wbem\svchost.exe
%systemroot%\system\svchost.exe
The intruders also installed a lot of utilities like:
%systemroot%\system32\lsasv.exe (Srvany from NT4.0 reskit)
%systemroot%\system32\nc.exe (some hacker remote execution utility)
%systemroot%\system32\psinfo.exe, pskill.exe, pslist.exe (pstools from
Sysinternals)
%systemroot%\system32\fport.exe (process to TCP port mapper from
Foundstone software)
Thanks,
Gabriel
--
-----------------------------------------------------------------------
Gabriel L. Somlo Academic Computing & Networking Services
Colorado State University Tel: (970)297-3707 Cell: (970)567-1017
601 Howes St., Room 619C Fax: (970)491-1958
Fort Collins, CO 80523-2028 e-mail: somlo at acns.colostate.edu
-----------------------------------------------------------------------
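Added example, not part of Gabriel's post: a small offline checker that turns the "To detect intrusion" list above into code. The ports, %SYSTEMROOT% paths and service display names are copied from the post (including the "Ressource Checker" spelling the intruders used); the netstat and sc query output embedded below is constructed sample data, and the port-to-tool labels carry over the post's own "???" / "not verified" uncertainty. The dual-use utilities (nc.exe, pstools, fport.exe) are deliberately left out of the path list because they also appear on legitimately administered boxes.

```python
"""Check a Win2k/XP box for the indicators listed in the post.

Indicator values are taken from the post; SAMPLE_NETSTAT and SAMPLE_SC are
constructed for offline demonstration and are not captures from a real host.
"""
import ntpath
import os
import re
import subprocess
import sys

# Listening TCP ports the post associates with the installed tools.
IOC_PORTS = {
    81: "ioFTPD ftp server",
    1337: "Serv-U FTP daemon",
    3333: "Eggdrop IRC bot (???)",
    3083: "radmin (not verified)",
}

# Files and directories under %SYSTEMROOT% named in the post.
IOC_PATHS = [
    r"system32\wbem\ins",           # directory, everything under it
    r"system32\wbem\svchost.exe",   # Serv-U, service "Ressource Checker"
    r"system\svchost.exe",          # radmin, service "Remote Administrator Service"
    r"system32\lsasv.exe",          # srvany wrapper that runs startsvc.bat
]

# Service display names the post reports, spelled as the intruders did.
IOC_SERVICES = {"Ressource Checker", "DHCP Publishing Service",
                "Remote Administrator Service"}

# `netstat -ano` line; the PID column is optional because Win2k's netstat has no -o.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?", re.I)
DISPLAY_LINE = re.compile(r"^\s*DISPLAY_NAME:\s*(.+?)\s*$", re.I)

# Constructed sample output (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       768
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       1420
  TCP    0.0.0.0:3333           0.0.0.0:0              LISTENING       1512
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      10.0.0.5:6667          ESTABLISHED     1512
"""
SAMPLE_SC = """
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: lsasv
DISPLAY_NAME: DHCP Publishing Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""


def parse_netstat(text):
    """Return {port: pid_or_None} for every TCP listener in netstat output."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2)) if m.group(2) else None
    return listeners


def parse_sc_query(text):
    """Return the set of DISPLAY_NAME values from `sc query` output."""
    return {m.group(1) for m in map(DISPLAY_LINE.match, text.splitlines()) if m}


def check_ports(listeners):
    """(port, pid, tool) for each listener on one of the post's ports."""
    return sorted((p, listeners[p], IOC_PORTS[p]) for p in listeners if p in IOC_PORTS)


def check_paths(systemroot, exists=os.path.exists):
    """Full paths of the post's indicator files/dirs that exist under systemroot."""
    full = [ntpath.join(systemroot, rel) for rel in IOC_PATHS]
    return [p for p in full if exists(p)]


def check_services(display_names):
    return sorted(IOC_SERVICES & set(display_names))


def assess(netstat_text, sc_text, systemroot, exists=os.path.exists):
    """Combine the three checks; 'suspicious' is True if any indicator matched."""
    result = {
        "ports": check_ports(parse_netstat(netstat_text)),
        "paths": check_paths(systemroot, exists),
        "services": check_services(parse_sc_query(sc_text)),
    }
    result["suspicious"] = any(result[k] for k in ("ports", "paths", "services"))
    return result


def run_live():
    """On a Windows host, collect real netstat/sc output and assess it."""
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    sc = subprocess.run(["sc", "query", "state=", "all"], capture_output=True, text=True).stdout
    return assess(netstat, sc, os.environ.get("SYSTEMROOT", r"C:\WINNT"))


if __name__ == "__main__":
    report = run_live() if sys.platform == "win32" else assess(
        SAMPLE_NETSTAT, SAMPLE_SC, r"C:\WINNT", exists=lambda p: False)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on the box itself (it shells out to netstat and sc on Windows; elsewhere it just exercises the constructed sample). A hit on a port alone is weak evidence, since any local service can sit on 81 or 3333; a matching service display name or a file under system32\wbem\ins is the stronger signal. The PID column lets you follow a suspicious listener to its image path with the pslist/fport output the intruders so helpfully left behind, or with Task Manager.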