[unisog] Infected windows boxes with IRC controlled trojans on them

Christopher E. Cramer chris.cramer at duke.edu
Thu Apr 11 13:01:52 GMT 2002


In our post-mortem of one box we found the scanner called Fluxay 
(http://www.netxeyes.com/down.html)

The scanner enumerates accounts and then dictionary attacks those with 
administrator privileges.  Blocking ports 135-139 and 445 should prevent 
both the enumeration and the remote access.  

Once the password for an administrator account is known, as you said, it's 
trivial to install an IRC bot.

-c

Christopher E. Cramer, Ph.D.
Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  email: chris.cramer at duke.edu
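A detection-side illustration of the pattern Chris describes (an enumeration sweep across the NetBIOS/SMB ports, then a dictionary attack on an administrator account), added here as an example that is not part of the original thread. The key=value log formats, the addresses and the thresholds are constructed for the demonstration and do not come from any real product.

```python
import re
from collections import defaultdict

# Ports the message recommends blocking: NetBIOS (135-139) and SMB over TCP (445).
SMB_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample logs in a hypothetical key=value format (not from any real product).
CONN_LOG = """\
2002-04-10T21:14:03 src=10.9.8.7 dst=172.16.5.21 dport=139
2002-04-10T21:14:03 src=10.9.8.7 dst=172.16.5.22 dport=139
2002-04-10T21:14:04 src=10.9.8.7 dst=172.16.5.23 dport=445
2002-04-10T21:14:05 src=10.9.8.7 dst=172.16.5.24 dport=135
2002-04-10T21:15:10 src=172.16.5.9 dst=172.16.5.23 dport=445
2002-04-10T21:16:00 src=10.9.8.7 dst=172.16.5.23 dport=80
"""
LOGON_LOG = """\
2002-04-10T21:20:01 host=172.16.5.23 result=FAILURE user=Administrator src=10.9.8.7
2002-04-10T21:20:01 host=172.16.5.23 result=FAILURE user=Administrator src=10.9.8.7
2002-04-10T21:20:02 host=172.16.5.23 result=FAILURE user=Administrator src=10.9.8.7
2002-04-10T21:20:03 host=172.16.5.23 result=SUCCESS user=Administrator src=10.9.8.7
2002-04-10T21:30:00 host=172.16.5.23 result=FAILURE user=jdoe src=172.16.5.9
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Turn each key=value log line into a dict (the leading timestamp is dropped)."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def smb_sweeps(conn_text, min_targets=3):
    """Sources that hit NetBIOS/SMB ports on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for rec in parse(conn_text):
        if int(rec["dport"]) in SMB_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def guessed_logons(logon_text, min_failures=3):
    """(src, host, user) where a run of failed logons from one source ended in a success."""
    failures = defaultdict(int)
    hits = []
    for rec in parse(logon_text):
        key = (rec["src"], rec["host"], rec["user"])
        if rec["result"] == "FAILURE":
            failures[key] += 1
        elif failures.pop(key, 0) >= min_failures:
            hits.append(key)
    return hits
```

A source flagged by both functions matches the enumerate-then-guess sequence from the post-mortem; the sweep alone is a reason to confirm the 135-139/445 block is in place at the border.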


On Wed, 10 Apr 2002, Allen Chang wrote:

> I'm not too savvy with IRC but it probably isn't too hard to jump in the
> IRC channel that is used for the gtbot control and watch the botmaster
> control and possibly trace the IP even.
> 
> I'm pretty sure that one of the ways that the computers were compromised
> was by using PSExec
> <http://www.sysinternals.com/ntw2k/freeware/psexec.shtml> On computers
> that don't have an Administrator password set, it's almost trivial to have
> the computer download and install gtbot. The computer logs onto IRC, starts
> the MS telnet service and you have complete control. From what I've seen
> on this list, sua.bat varies. The ones we have found are very sparse and
> only do the bare minimum.
> 
> Anyone have other ideas?
> 
> @llen
> Network Security
> Residential Computing
> UC Berkeley
> 
> On Wed, 10 Apr 2002, Huba Leidenfrost wrote:
> 
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > My apologies BTW for the funky attachment from my previous message.
> > I should have referred to it or sent it to anyone that wanted a copy.
> >  Believe me I wasn't trying to massage everyone's MTAs in order to
> > find out what type of anti-virus gateway protection is being used.
> >
> > I'm of the opinion that I will have to put up a honeypot pronto and
> > set the administrator password to abc123 and see who comes knocking.
> > Perhaps I can solve this puzzle.
> >
> > - -Huba
> >
> >
> 


