[Intrusions] Has anyone else seen this ?
Mike Cojocea
msc39 at georgetown.edu
Mon Aug 16 17:38:28 GMT 2004
Gabriel,
Yes, we have seen this type of compromised hosts.
It looks like a HackDefender Toolkit or some variations.
A Telnet is running on port 81, and it returns a banner that says:
ÿûÿýÿýÿýÿûMicrosoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99206.1
Rogue FTP Servers were found listening on ports: 6565, 55422, and I
suspect that a "remote control" application was listening on port 33333.
The compromised machines were accessed from these IPs:
81.56.231.125
82.224.213.24
Were these machines behind a firewall?
My guess is that the attack spreads through the internal network via
weak and shared passwords. Once a machine is compromised the disease
spreads pretty fast. Keep looking for more compromised machines!
___________________________
Mike Cojocea, CISSP, GCIA
Network Security Analyst
Georgetown University
University Information Services
msc39 at georgetown.edu
Gabriel Somlo wrote:
> We've had some Win2k/XP boxes broken into recently. The exact details
> are included below. I'm wondering if anyone else has seen something
> similar to this (i.e., identical or similar set of "tools" installed
> on the same set of ports -- 81, 1337, 3333, 3083).
>
> This also seems to just be a "root kit", i.e., what happens *after*
> the break-in. I'm still wondering how they got in to begin with,
> since the boxes were up to date on patches... (and if they weren't,
> I'd really be interested in figuring out which patches we missed :) )
>
>
> Anyway, thanks for any insight into the source of this...
>
> Here's the details:
>
> It appears that the first thing installed is:
>
> %systemroot%\system32\wbem\svchost.exe as a service "Ressource Checker"
> => ServU FTP Daemon v3.0 (port 1337)
>
> After that several applications are installed:
>
> %SYSTEMROOT%\system32\lsasv.exe as service "DHCP Publishing Service" =>
> Srvany util from NT4.0 reskit.
>
> This starts a batch file
> %SYSTEMROOT%\system32\wbem\ins\system\drivers\startsvc.bat that runs:
>
> %SYSTEMROOT%\system32\wbem\ins\system\drivers\ndisip.exe => Eggdrop
> IRCbot??? (port 3333, + many others ???)
>
> %SYSTEMROOT%\system32\wbem\ins\system\system.exe => ioFTPD ftp server
> (port 81)
>
> %SYSTEMROOT%\system\svchost.exe as service "Remote Administrator
> Service" => Remote Admin "radmin" (port 3083 - not verified)
>
>
> To detect intrusion -
>
> The ports to look for being open:
> 81, 1337, 3333, 3083
>
> The files to look for are:
>
> %systemroot%\system32\wbem\ins directory (everything under it)
> %systemroot%\system32\wbem\svchost.exe
> %systemroot%\system\svchost.exe
>
> The intruders also installed a lot of utilities like:
>
> %systemroot%\system32\lsasv.exe (Srvany from NT4.0 reskit)
> %systemroot%\system32\nc.exe (some hacker remote execution utility)
> %systemroot%\system32\psinfo.exe, pskill.exe, pslist.exe (pstools from
> Sysinternals)
> %systemroot%\system32\fport.exe (process to TCP port mapper from
> Foundstone software)
>
>
> Thanks,
> Gabriel
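Added host-triage script (not from either poster): it checks a Windows box for the indicators named in this thread, i.e. the listening ports from both messages, the dropped file paths, and the three service display names. It assumes PowerShell 3 or later with Get-NetTCPConnection available (Windows 8 / Server 2012 and newer; the hosts discussed were Win2k/XP, where netstat or fport would be used instead).

```powershell
# Added triage script, not part of the original thread. Checks a Windows host
# for the ports, files and services listed above. Assumes Get-NetTCPConnection
# is available (Windows 8 / Server 2012 or later).
$root = $env:SystemRoot

# Listening ports named in the thread (Gabriel's four plus Mike's three).
$SuspectPorts = 81, 1337, 3333, 3083, 6565, 55422, 33333

# File paths named in the thread. A legitimate svchost.exe lives only in
# system32, never in system32\wbem or in \system.
$SuspectPaths = @(
    "$root\system32\wbem\ins",
    "$root\system32\wbem\svchost.exe",
    "$root\system\svchost.exe",
    "$root\system32\lsasv.exe",
    "$root\system32\nc.exe",
    "$root\system32\fport.exe"
)

# Service display names named in the thread (misspelling as installed).
$SuspectServices = 'Ressource Checker', 'DHCP Publishing Service', 'Remote Administrator Service'

$findings = @()

# 1. Listening TCP ports, mapped to the owning process (what fport did).
foreach ($c in Get-NetTCPConnection -State Listen) {
    if ($SuspectPorts -contains $c.LocalPort) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "port $($c.LocalPort) listening, PID $($c.OwningProcess) ($($p.ProcessName))"
    }
}

# 2. Dropped files and the wbem\ins tree.
foreach ($path in $SuspectPaths) {
    if (Test-Path $path) { $findings += "file present: $path" }
}

# 3. Services by display name, showing which binary each one launches.
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($SuspectServices -contains $svc.DisplayName) {
        $findings += "service '$($svc.DisplayName)' -> $($svc.PathName)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from the thread found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt; since Mike suspects a rootkit, treat a clean result as weak evidence, because a rootkit can hide files, services and ports from tools run on the infected host, so corroborate with a port scan from another machine.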