Coordinated Scan

Allen Chang allen at rescomp.berkeley.edu
Thu Mar 28 21:55:04 GMT 2002


Apologies if I break the thread...

Here's my analysis of the compromised computers. First of all, this is not
the Backdoor.darkIRC detected by antivirus programs. This backdoor is not
detected by the latest NAV patterns.

I'm guessing that these computers were compromised through the
administrative share with no administrator password on Windows 2000.

*A rogue lsass.exe (with a red u and a smaller green d icon) was installed as a
service using firedaemon.exe (or firedaem.exe). You can check for it under
Administrative Tools -> Services. The one on our hosts was called ms32dll
*Several .tmp files and a rudl32.exe are dropped in the Startup folder but
the .tmp files don't seem to run.
*Serv-U FTP, IRC and telnet servers are run on various ports. The IRC
configurations (ir.con) seem to indicate that they are set up as XDCC
file-serving bots.

Judging from this, one should be able to remove the service with a
"firedaemon -u ms32dll". This seems to close all the opened ports but I am
unsure as to what other damage may have been done.

On all the hosts, nmap found the following ports open:
Port       State       Service
132/tcp    open        cisco-sys <--tlntsvr.exe (telnet)
135/tcp    open        loc-srv <--svchost.exe
139/tcp    open        netbios-ssn <--NetBIOS sharing (normal)
445/tcp    open        microsoft-ds <-Windows sharing (kind of normal)
1025/tcp   open        listen <--mstask.exe (normal)
8888/tcp   open        sun-answerbook <-- sxe5.tmp (backdoor client)

Running Vision 1.0 (www.foundstone.com) on the compromised computers
yielded these additional ports and programs bound to them:
1029/tcp  <-- sxe5.tmp
1031/tcp <-- sxe5.tmp
43958/tcp <--c:\winnt\system32\vmn32\lsass.exe <-not to be confused with
the other lsass.exe from MS
3112/tcp <-- c:\winnt\system32\vmn32\lsass.exe

According to vmn\ServUStartUpLog.txt (Not confirmed)
3112 <-- ftp

Hidden? (Never seen by me)
99/tcp <-- Backdoor command shell?

(**Files Found**)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
rudl32.exe
sxe3.tmp
sxe4.tmp
sxe5.tmp

Other files mentioned at
http://www.theorygroup.com/Archive/Unisog/2002/msg00334.html

@llen
Network Security
Office of Residential Computing
UC Berkeley
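A defender-side triage script, added here as an example and not part of Allen's post, that parses listings in the "port <-- image" style shown above and flags the two indicators the post describes: executables with a .tmp extension bound to a port, and system-binary names (lsass.exe) running from a directory other than system32. The sample lines and the "normal" baseline pairs are constructed from the post; the C:\WINNT system root is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Assumption: default Windows 2000 system root, matching the paths in the post.
SYSTEM32 = PureWindowsPath(r"C:\WINNT\system32")
# Binary names the post shows either legitimately bound or impersonated.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "mstask.exe", "tlntsvr.exe"}
# (port, image name) bindings the post calls normal on these hosts.
BASELINE = {(135, "svchost.exe"), (1025, "mstask.exe")}

# Accepts "port/proto <-- image" with one or more dashes and optional spaces.
LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s*<-+\s*(\S+)", re.IGNORECASE)

# Constructed sample in the style of the Vision output quoted in the post.
SAMPLE = """\
135/tcp <-- svchost.exe
1025/tcp <-- mstask.exe
1029/tcp <-- sxe5.tmp
8888/tcp <-- sxe5.tmp
43958/tcp <--c:\\winnt\\system32\\vmn32\\lsass.exe
3112/tcp <-- c:\\winnt\\system32\\vmn32\\lsass.exe
"""

def parse_bindings(text):
    """Yield (port, proto, image) for each line matching the listing style."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)

def classify(port, image):
    """Return the reasons a port/image binding looks suspicious ([] if baseline)."""
    path = PureWindowsPath(image)
    name = path.name.lower()
    if (port, name) in BASELINE:
        return []
    reasons = []
    if name.endswith(".tmp"):
        reasons.append("listening binary has a .tmp extension")
    # A system-binary name is only trustworthy from system32 itself;
    # ...\system32\vmn32\lsass.exe is a look-alike, not the real service.
    if name in SYSTEM_NAMES and len(path.parts) > 1 and path.parent != SYSTEM32:
        reasons.append(f"{name} running from {path.parent} instead of {SYSTEM32}")
    if not reasons:
        reasons.append("listener not in baseline; review manually")
    return reasons

def triage(text):
    """Map each suspicious port to (image, reasons); baseline ports are omitted."""
    findings = {}
    for port, _proto, image in parse_bindings(text):
        reasons = classify(port, image)
        if reasons:
            findings[port] = (image, reasons)
    return findings

if __name__ == "__main__":
    for port, (image, reasons) in sorted(triage(SAMPLE).items()):
        print(port, image, "; ".join(reasons))
```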


