allen at rescomp.berkeley.edu
Thu Mar 28 21:55:04 GMT 2002
Apologies if I break the thread...
Here's my analysis of the compromised computers. First of all, this is not
the Backdoor.darkIRC detected by antivirus programs. This backdoor is not
detected by the latest NAV patterns.
I'm guessing that these computers were compromised through the
administrative share with no administrator password on Windows 2000.
* A rogue lsass.exe (with a red u and a smaller green d icon) was installed as a
service using firedaemon.exe (or firedaem.exe). You can check for it under
Administrative Tools -> Services. The one on our hosts was called ms32dll.
* Several .tmp files and a rudl32.exe are dropped in the Startup folder but
the .tmp files don't seem to run.
* Serv-U FTP, IRC and telnet servers are run on various ports. The IRC
configurations (ir.con) seem to indicate that they are set up as XDCC
Judging from this, one should be able to remove the service with a
"firedaemon -u ms32dll". This seems to close all the opened ports, but I am
unsure as to what other damage may have been done.
On all the hosts, nmap found the following ports open:
Port      State  Service
132/tcp   open   cisco-sys       <-- tlntsvr.exe (telnet)
135/tcp   open   loc-srv         <-- svchost.exe
139/tcp   open   netbios-ssn     <-- NetBIOS sharing (normal)
445/tcp   open   microsoft-ds    <-- Windows sharing (kind of normal)
1025/tcp  open   listen          <-- mstask.exe (normal)
8888/tcp  open   sun-answerbook  <-- sxe5.tmp (backdoor client)
Running Vision 1.0 (www.foundstone.com) on the compromised computers
yielded these additional ports and programs bound to them:
1029/tcp   <-- sxe5.tmp
1031/tcp   <-- sxe5.tmp
43958/tcp  <-- c:\winnt\system32\vmn32\lsass.exe (not to be confused with
               the other lsass.exe from MS)
3112/tcp   <-- c:\winnt\system32\vmn32\lsass.exe
According to vmn\ServUStartUpLog.txt (not confirmed):
3112       <-- ftp
Hidden? (never seen by me):
99/tcp     <-- backdoor command shell?
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Other files mentioned at
Office of Residential Computing