[Intrusions] Has anyone else seen this ?

Bill Royds broyds at rogers.com
Mon Aug 16 19:33:11 GMT 2004


I helped a friend clean up her computer (Windows XP Home) with a somewhat similar
"rootkit" installed. The difference was that it was hidden under the
%systemroot%\system32\dllcache\Win32 subdirectory. Since dllcache is a hidden
system directory this was harder to find. The Serv-U server was also installed
as a service under the name NTTools, which allowed it to be activated before any
other servers so that it was able to hide from Task Manager and other task
viewing applications. It used the names svchost.exe, csrss.exe, and lsass.exe as
executable names (although in a different directory from the true Windows processes
of the same names) to also make it hard to find. I have a copy of the Win32
directory as a zip file if you want to view it to compare.

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Gabriel Somlo
Sent: Monday, August 16, 2004 12:51 PM
To: intrusions at lists.sans.org
Cc: noc at acns.colostate.edu
Subject: [Intrusions] Has anyone else seen this ?

We've had some Win2k/XP boxes broken into recently. The exact details
are included below. I'm wondering if anyone else has seen something
similar to this (i.e., identical or similar set of "tools" installed
on the same set of ports -- 81, 1337, 3333, 3083). 

This also seems to just be a "root kit", i.e., what happens *after*
the break-in. I'm still wondering how they got in to begin with,
since the boxes were up to date on patches... (and if they weren't,
I'd really be interested in figuring out which patches we missed :) )


Anyway, thanks for any insight into the source of this...

Here are the details:

It appears that the first thing installed is:

%systemroot%\system32\wbem\svchost.exe  as a service "Ressource Checker"
=> ServU FTP Daemon v3.0 (port 1337)

After that several applications are installed:

%SYSTEMROOT%\system32\lsasv.exe as service "DHCP Publishing Service" =>
Srvany util from NT4.0 reskit.

This starts a batch file
%SYSTEMROOT%\system32\wbem\ins\system\drivers\startsvc.bat that runs:

%SYSTEMROOT%\system32\wbem\ins\system\drivers\ndisip.exe => Eggdrop
IRCbot??? (port 3333, + many others ???)

%SYSTEMROOT%\system32\wbem\ins\system\system.exe => ioFTPD ftp server
(port 81)

%SYSTEMROOT%\system\svchost.exe as service "Remote Administrator
Service" => Remote Admin "radmin" (port 3083 - not verified)


To detect intrusion -

The ports to look for being open:
	81, 1337, 3333, 3083

The files to look for are:

%systemroot%\system32\wbem\ins directory (everything under it)
%systemroot%\system32\wbem\svchost.exe
%systemroot%\system\svchost.exe

The intruders also installed a lot of utilities like:

%systemroot%\system32\lsasv.exe (Srvany from NT4.0 reskit)
%systemroot%\system32\nc.exe (some hacker remote execution utility)
%systemroot%\system32\psinfo.exe, pskill.exe, pslist.exe (pstools from
Sysinternals)
%systemroot%\system32\fport.exe (process to TCP port mapper from
Foundstone software)


Thanks,
Gabriel
-- 
-----------------------------------------------------------------------
Gabriel L. Somlo               Academic Computing & Networking Services
Colorado State University      Tel: (970)297-3707   Cell: (970)567-1017
601 Howes St., Room 619C       Fax: (970)491-1958 
Fort Collins, CO 80523-2028            e-mail: somlo at acns.colostate.edu
-----------------------------------------------------------------------
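The indicators listed in the two messages above (the file paths, the service names, the look-alike process names and the four ports), turned into a triage script. This is an added example, not code from either poster; it assumes a modern Windows host with PowerShell 3.0 or later and Get-NetTCPConnection available, run from an elevated prompt.

```powershell
# Added triage script for the indicators quoted in this thread (not from the posters).
$root  = $env:SystemRoot
$sys32 = Join-Path $root 'System32'

# File-system indicators exactly as the two posts give them
$paths = @(
    (Join-Path $sys32 'wbem\ins'),
    (Join-Path $sys32 'wbem\svchost.exe'),
    (Join-Path $root  'system\svchost.exe'),
    (Join-Path $sys32 'lsasv.exe'),
    (Join-Path $sys32 'nc.exe'),
    (Join-Path $sys32 'fport.exe'),
    (Join-Path $sys32 'dllcache\Win32')
)
# Service names and listening ports quoted in the thread
$serviceNames = 'Ressource Checker', 'DHCP Publishing Service', 'Remote Administrator Service', 'NTTools'
$ports = 81, 1337, 3333, 3083
$findings = @()

foreach ($p in $paths) {
    # -Force so hidden/system entries such as dllcache are not skipped
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) { $findings += "file: $p" }
}

# Services: match on the quoted names, or on a binary living in one of the quoted locations
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($serviceNames -contains $svc.DisplayName -or $serviceNames -contains $svc.Name -or
        $svc.PathName -match '\\wbem\\(ins\\|svchost\.exe)|\\system\\svchost\.exe|\\lsasv\.exe') {
        $findings += "service: $($svc.Name) [$($svc.DisplayName)] -> $($svc.PathName)"
    }
}

# Processes using core Windows binary names but running from outside System32
$lookalikes = 'svchost.exe', 'csrss.exe', 'lsass.exe'
foreach ($proc in Get-CimInstance Win32_Process | Where-Object { $_.Name -in $lookalikes }) {
    if ($proc.ExecutablePath -and (Split-Path $proc.ExecutablePath -Parent) -ne $sys32) {
        $findings += "process: $($proc.Name) (PID $($proc.ProcessId)) from $($proc.ExecutablePath)"
    }
}

# Listening TCP ports (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
foreach ($conn in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    if ($ports -contains $conn.LocalPort) {
        $findings += "port: $($conn.LocalPort) listening (PID $($conn.OwningProcess))"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No indicators from the thread found.' }
```

A hit on the port check alone is weak evidence (those ports are not reserved), so read it together with the file, service and process results before acting.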