[unisog] MSU: COE hacker/cracker attack

Allen Chang allen at rescomp.berkeley.edu
Fri Sep 20 22:48:57 GMT 2002


We've seen about 4-5 different versions since last year.

This is from 9/3:
https://hal.rescomp.berkeley.edu/~allen/staff/vmn32-removal-0903.txt

These are general guidelines for compromised computers:
http://www/about/training/rcc/02-03/CompromisedComputer/

1025 generally shouldn't be a problem. This is mostly a result of not
having an Administrator password.

On Fri, 20 Sep 2002, Russ Ward wrote:

> I work for Mississippi State University: College of Engineering.  We
> have been having a lot of incidents of hacking/cracking of our Windows
> clients, lately, and I was looking to see if any of you are having the
> same attacks.
>
>   #########
>  # INFO: #
> #########
>
> Step 1.  He installs an application, different on each computer, that
> allows him to log in through port 113, and adds registry entries to start
> it at boot.  It appears that he does this through a Windows
> vulnerability.  The file names he chooses are ones that are not obvious:
>
> 	"system.exe"
> 	"taskmngr.exe"
> 	"ipconfig32.exe"
> 	"rundll32.exe"
> --------------------------------------------
> Step 2.  He then installs an application that he wants that computer to
> serve, usually an ftp server (serv-u is his usual).  The ftp server has
> been set up to listen on port 2222 and 43958, at least on the last few
> machines that I have looked at.  The directories that he uses have been:
>
> 	"%windir%\system32": Used to store app from step 1.
> 	"%windir%\system32\drivers\etc": Used to store app from step 2.
> 	"%windir%\system\sys": Used to store data.
> 	"%windir%\system32\sys": Used to store data.
> 	"%windir%\java\classes": Used to store data.
> --------------------------------------------
> Step 3.  He uploads files to the ftp server and publishes the login info.
> --------------------------------------------
>
> Also, on the last computer hit, I noticed port 1025 was open.  I was
> able to telnet into that port, but no info back.
>
> Any info that you can provide would be greatly appreciated.
>
>
>   #####################################################
>  #  Russ Ward:                                       ##
> ##################################################### #
> #  Mississippi State University: College of Eng.    # #
> #  email: russ at engr.msstate.edu                     # #
> #  phone: 662.325.0151                              # #
> #  icq: 7703575                                     # #
> #  aim, yahoo, jabber, slashdot: russward662        ##
> #####################################################
>
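An added triage script, not part of the thread or either poster's own tooling, that checks a Windows host for the indicators Russ Ward lists above: the dropped file names, the staging directories, Run-key autostarts, and the listening ports. It assumes a modern Windows PowerShell (Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on hosts of the era you would read netstat -ano instead). rundll32.exe is a legitimate System32 binary, so it is only flagged when an autostart launches it from some other directory, and port 1025 is reported for review only, since the reply notes it is generally not a problem on its own.

```powershell
# Added triage example (not from the thread). Indicator values are the ones
# quoted in the post; everything else is standard Windows PowerShell.
$win = $env:windir
$findings = @()

# File names the post reports being dropped into System32.
$droppedNames = @('system.exe', 'taskmngr.exe', 'ipconfig32.exe')

# Directories the post reports as drop/staging locations.
$stagingDirs = @(
    "$win\system32\drivers\etc",
    "$win\system\sys",
    "$win\system32\sys",
    "$win\java\classes"
)

# Ports from the post: 113 (backdoor login), 2222/43958 (ftp server),
# 1025 (seen open; commonly a dynamic RPC port, so review rather than alarm).
$watchPorts = @(113, 2222, 43958, 1025)

# 1. Named droppers present in System32.
foreach ($n in $droppedNames) {
    $p = Join-Path "$win\system32" $n
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings += [pscustomobject]@{ Type = 'File'; Detail = "$p ($($f.Length) bytes, written $($f.LastWriteTime))" }
    }
}

# 2. Executables sitting in the staging directories (none belong there).
foreach ($d in $stagingDirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    $exes = Get-ChildItem -LiteralPath $d -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.com', '.bat' }
    foreach ($e in $exes) {
        $findings += [pscustomobject]@{ Type = 'Staging'; Detail = $e.FullName }
    }
}

# 3. Autostart entries that launch a dropped name, or rundll32.exe from
#    anywhere other than System32/SysWOW64.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $cmd = [string]$props.$name
        $hitsDropped = [bool]($droppedNames | Where-Object { $cmd -match [regex]::Escape($_) })
        $m = [regex]::Match($cmd, '(?i)([^"\s]*\\rundll32\.exe)')
        $rogueRundll = $m.Success -and
                       ($m.Groups[1].Value -notlike "$win\system32\*") -and
                       ($m.Groups[1].Value -notlike "$win\SysWOW64\*")
        if ($hitsDropped -or $rogueRundll) {
            $findings += [pscustomobject]@{ Type = 'Autorun'; Detail = "$k\$name = $cmd" }
        }
    }
}

# 4. Listening TCP ports from the post, with the owning process for context.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object { $_.LocalPort -in $watchPorts }
foreach ($c in $listeners) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Type = 'Port'; Detail = "tcp/$($c.LocalPort) listening, pid $($c.OwningProcess) ($($proc.Path))" }
}

if ($findings.Count -eq 0) {
    'No indicators from the post were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell so the HKLM keys and System32 paths are readable; a hit on the File, Staging or Autorun lines is strong evidence of the compromise described, while a Port hit on 1025 alone needs the process path to interpret.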