MSU: COE hacker/cracker attack

Russ Ward russ at engr.msstate.edu
Fri Sep 20 20:30:56 GMT 2002


I work for Mississippi State University: College of Engineering. We have been having a lot of incidents of hacking/cracking of our Windows clients lately, and I was looking to see if any of you are having the same attacks.

  #########
 # INFO: #
#########

Step 1.  He installs an application, different on each computer, that allows him to log in through port 113, and adds registry entries to start it at boot.  It appears that he does this through a Windows vulnerability.  The file names he chooses are ones that are not obvious:

	"system.exe"
	"taskmngr.exe"
	"ipconfig32.exe"
	"rundll32.exe"
--------------------------------------------
Step 2.  He then installs an application that he wants that computer to serve, usually an ftp server (serv-u is his usual).  The ftp server has been set up to listen on ports 2222 and 43958, at least on the last few machines that I have looked at.  The directories that he uses have been:

	"%windir%\system32": Used to store app from step 1.
	"%windir%\system32\drivers\etc": Used to store app from step 2.
	"%windir%\system\sys": Used to store data.
	"%windir%\system32\sys": Used to store data.
	"%windir%\java\classes": Used to store data.
--------------------------------------------
Step 3.  He uploads files to the ftp server and publishes the login info.
--------------------------------------------

Also, on the last computer hit, I noticed port 1025 was open.  I was able to telnet into that port, but got no info back.

Any info that you can provide would be greatly appreciated.


  #####################################################
 #  Russ Ward:                                       ##
##################################################### #
#  Mississippi State University: College of Eng.    # #
#  email: russ at engr.msstate.edu                     # #
#  phone: 662.325.0151                              # #
#  icq: 7703575                                     # #
#  aim, yahoo, jabber, slashdot: russward662        ##
#####################################################
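The host-side indicators in the post (listeners on 113, 2222 and 43958, and Run-key entries pointing at the listed binary names) turned into a triage check, added here as an example; it is not Russ Ward's code, and it assumes the `netstat -ano` text and the Run-key values have already been collected from the machine (the sample data below is constructed).

```python
import ntpath

# Ports the post reports: the backdoor on 113, Serv-U on 2222 and 43958.
SUSPECT_PORTS = {113, 2222, 43958}
# Binary names the post lists. rundll32.exe is also a legitimate Windows file,
# so it is only flagged when started from outside system32 (my assumption).
SUSPECT_NAMES = {"system.exe", "taskmngr.exe", "ipconfig32.exe", "rundll32.exe"}

# Constructed sample `netstat -ano` output and Run-key values (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1372
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       1804
  TCP    0.0.0.0:43958          0.0.0.0:0              LISTENING       1804
  TCP    192.0.2.10:1025        192.0.2.5:21           ESTABLISHED     1804
"""
SAMPLE_RUN = {
    "Windows Update": r'"C:\WINDOWS\system32\taskmngr.exe" -s',
    "SoundMan": "SOUNDMAN.EXE",
    "Sys": r"C:\WINDOWS\system32\drivers\etc\rundll32.exe",
    "NvCpl": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
}

def find_suspect_listeners(netstat_text):
    """Return (port, pid) for TCP sockets LISTENING on a suspect port,
    parsed from the text of `netstat -ano`."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in SUSPECT_PORTS:
                hits.append((port, int(parts[4])))
    return hits

def find_suspect_run_entries(run_entries):
    """run_entries maps Run-key value names to command lines (as read from
    HKLM/HKCU ...\\CurrentVersion\\Run); returns the flagged value names."""
    flagged = []
    for name, command in run_entries.items():
        cmd = command.strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
        directory, base = ntpath.split(exe.replace("/", "\\"))
        base = base.lower()
        if base == "rundll32.exe" and ntpath.basename(directory).lower() in ("", "system32"):
            continue  # bare or %windir%\system32\rundll32.exe is the normal one
        if base in SUSPECT_NAMES:
            flagged.append(name)
    return flagged
```

A hit on one of these ports or names is a prompt for closer inspection of that PID and path, not proof of compromise on its own, since the post notes the names vary from machine to machine.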


