Unintended update

Andy Efting aefting at emory.edu
Tue Aug 5 10:53:24 GMT 2003


Here is more detail that I promised last night.  This was written by our NT team:



After working with HP Services, Microsoft, and several departments on campus - 
we have found the following regarding the RPC exploitation. 
This information is provided as-is, etc, etc...  
This may not be exact across the board, but is what we have found.


There are several signs that will indicate the presence of the RPC 
exploit on a system that has not done a manual installation of the RPC 
exploit patch (KB823980). 

All machines we have found to be exploited are running Windows 2000 & 2003 Server.

In the root directory of the hacked server you will find the actual 
extracted files from the Microsoft patch (no MS patch will leave 
the files sitting in the root).  These files include: 
  empty.cat 
  ole32.dll 
  rpcrt4.dll 
  rpcss.dll 
  spmsg.dll 
  spuninst.exe 
  update.exe (self-extracting archive) 

There will also be a <drive>:\update directory from which the installer 
is called and it will contain the following files: 
  eula.txt 
  kb823980.cat 
  spcustom.dll 
  update.exe 
  update.inf 
  update.ver 

There is also some further proof that the server has been hacked.  In 
the SYSTEM event log the following entry was found: 

  Event Type:    Information 
  Event Source:    NtServicePack 
  Event Category:    None 
  Event ID:    4377 
  Date:        08/03/2003 
  Time:        11:18:02 AM 
  User:        NT AUTHORITY\SYSTEM 
  Computer:    SERVERNAME 
  Description: 
  Windows 2000 Hotfix KB823980 was installed. 

This entry in the log is usually followed by a server restart which will 
complete the hack. 

Once the server has restarted, it will no longer appear to be vulnerable 
to the RPC exploit on the common ports (135, 139, 445, and 593); this 
was confirmed by scanning with several of the DCOM utilities available. 
However, it will now have a new port that is available for use by the hacker 
(port 33571).  This port will only be found by issuing a NETSTAT -A 
command from the command prompt, which will reveal that the server is 
"listening" on this port.  This port is only "listening" on the servers 
that were hacked.  

The exploited server will also have two files HIDDEN in the 
<drive>:\WINNT\system32 directory.  The files are CSRSRV.EXE and 
CSRSU.EXE.  These files ARE NOT VISIBLE from the console of the server. 
(The CSRSRV.DLL is a valid file and should not be removed from your system.)

These two files can only be seen when connected to the server via an admin 
share across the network (C$, D$, WINNT$, etc.).  These files are not 
detected by any antivirus programs since they contain valid program code.   
NOTE: If the workstation you are using has also been hacked you will be 
unable to see these files on any remotely connected machines as well as 
the local machine. 

The hacker may also modify at least one registry entry in the 
HKLM\SYSTEM\ControlSet001\CSR*. 

The CSRSRV.EXE (Path to Executable: C:\WINNT\system32\csrsu.exe) and 
CSRSU.EXE (Path to Executable: C:\WINNT\system32\csrsrv -k csrspx) files 
are listed in the Services MMC as Clipboard and CSRS Windows NT services 
respectively.  These services will fail to start once the files have 
been renamed from a remote computer.  NOTE: If the workstation you are 
using has also been hacked you will be unable to see these files on any 
remotely connected machines as well as the local machine. 

The removal process: 
These files (CSRSRV.EXE and CSRSU.EXE) cannot be deleted remotely but 
they can be renamed.  Once they have been renamed the services can be 
removed using the delsrv.exe resource kit tool 
(http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/delsrv-o.asp)
and executing the following commands: 

  C:\TOOLS>delsrv csrspx 
  C:\TOOLS>delsrv csrswin1 

The registry keys should be deleted and the server rebooted. 

We have created and attached a self-extracting patch that will remove the services 
and registry entries from your local machine.  This was packed using WinRAR, and we 
cannot guarantee successful execution on every system.  The patch should be applied AFTER 
you rename the two hidden files in the system32 directory and have restarted the machine.  
The patch should be run locally from the affected machine.


______________________
Andrew P. Efting
Security Analyst
Emory University
E-Mail: aefting at emory.edu
Phone: 404-712-2213
Fax: 404-727-0817
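As an added example, not part of Andy Efting's post and not anything the Emory NT team distributed: a small Python script that checks artifacts collected from a suspect server against the indicators listed above (the extracted patch files in the root, the \update directory, the TCP 33571 listener, the CSRSRV.EXE/CSRSU.EXE files that show up only over an admin share, the csrspx/csrswin1 services, and the NtServicePack 4377 event). All function names, the sample netstat output, directory listings, service table and event entries are constructed for this example; which service name (csrspx or csrswin1) belongs to which "Path to Executable" in the post is an assumption made for the sample data.

```python
import re

ROGUE_PORT = 33571                      # the new listener the post observed
ROOT_PATCH_FILES = {"empty.cat", "ole32.dll", "rpcrt4.dll", "rpcss.dll",
                    "spmsg.dll", "spuninst.exe", "update.exe"}
UPDATE_DIR_FILES = {"eula.txt", "kb823980.cat", "spcustom.dll",
                    "update.exe", "update.inf", "update.ver"}
HIDDEN_FILES = {"csrsrv.exe", "csrsu.exe"}  # csrsrv.dll is legitimate, not in this set
ROGUE_SERVICES = {"csrspx", "csrswin1"}     # service names the post removes with delsrv

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def listening_tcp_ports(netstat_output):
    """Parse `netstat -a` (or -an) text; return the set of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:                        # header, blank and "Active Connections" lines
            continue
        proto, local, _foreign, state = m.groups()
        if proto.upper() != "TCP" or (state or "").upper() != "LISTENING":
            continue
        port = local.rsplit(":", 1)[-1]  # handles both NAME:port and 0.0.0.0:port
        if port.isdigit():
            ports.add(int(port))
    return ports


def check_host(netstat_output, root_listing, update_listing,
               system32_console, system32_remote, services, system_events):
    """Return a list of (indicator, detail) tuples; empty means no posted indicator matched."""
    findings = []
    if ROGUE_PORT in listening_tcp_ports(netstat_output):
        findings.append(("rogue_listener", "TCP %d LISTENING" % ROGUE_PORT))

    hits = sorted(ROOT_PATCH_FILES & {f.lower() for f in root_listing})
    if hits:
        findings.append(("patch_files_in_root", ", ".join(hits)))

    if UPDATE_DIR_FILES <= {f.lower() for f in update_listing}:
        findings.append(("update_dir_present", "\\update holds the KB823980 installer set"))

    # The post's hiding trick: the files show up over an admin share (C$) but not
    # from the console.  Caveat from the post: if the workstation doing the remote
    # listing is itself hacked, the files are hidden from it too, so take the
    # remote listing from a known-clean host.
    remote_only = {f.lower() for f in system32_remote} - {f.lower() for f in system32_console}
    hidden = sorted(HIDDEN_FILES & remote_only)
    if hidden:
        findings.append(("hidden_system32_files", ", ".join(hidden)))

    for name, path in services.items():
        p = path.lower()
        if (name.lower() in ROGUE_SERVICES or "csrsu.exe" in p
                or re.search(r"csrsrv(\.exe)?\s+-k\s+csrspx", p)):
            findings.append(("rogue_service", "%s -> %s" % (name, path)))

    # Event 4377 from NtServicePack only says the hotfix was installed; it is an
    # indicator when nobody on staff applied KB823980 to that machine.
    for source, event_id, description in system_events:
        if source == "NtServicePack" and event_id == 4377 and "KB823980" in description:
            findings.append(("unattended_kb823980_install", description))
    return findings


# Constructed sample data (not real output from any Emory server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    SERVERNAME:135         SERVERNAME:0           LISTENING
  TCP    SERVERNAME:445         SERVERNAME:0           LISTENING
  TCP    SERVERNAME:33571       SERVERNAME:0           LISTENING
  TCP    SERVERNAME:1026        192.0.2.10:445         ESTABLISHED
  UDP    SERVERNAME:137         *:*
"""
SAMPLE_ROOT = ["boot.ini", "empty.cat", "ole32.dll", "rpcrt4.dll", "rpcss.dll",
               "spmsg.dll", "spuninst.exe", "update.exe"]
SAMPLE_UPDATE = ["eula.txt", "KB823980.cat", "spcustom.dll", "update.exe",
                 "update.inf", "update.ver"]
SAMPLE_SYS32_CONSOLE = ["csrsrv.dll", "csrss.exe", "spoolsv.exe"]
SAMPLE_SYS32_REMOTE = SAMPLE_SYS32_CONSOLE + ["CSRSRV.EXE", "CSRSU.EXE"]
# Service name -> Path to Executable.  Which name the post's "Clipboard" and
# "CSRS Windows NT" entries carry is an assumption made for this sample.
SAMPLE_SERVICES = {
    "csrspx": r"C:\WINNT\system32\csrsrv -k csrspx",
    "csrswin1": r"C:\WINNT\system32\csrsu.exe",
    "Spooler": r"C:\WINNT\system32\spoolsv.exe",
}
SAMPLE_EVENTS = [("NtServicePack", 4377, "Windows 2000 Hotfix KB823980 was installed."),
                 ("eventlog", 6005, "The Event log service was started.")]


def sample_findings():
    return check_host(SAMPLE_NETSTAT, SAMPLE_ROOT, SAMPLE_UPDATE, SAMPLE_SYS32_CONSOLE,
                      SAMPLE_SYS32_REMOTE, SAMPLE_SERVICES, SAMPLE_EVENTS)
```

To use it on a real server, feed it the text of NETSTAT -A run at the console, the directory listings of the root, \update and WINNT\system32 taken at the console, the system32 listing taken over \\SERVER\C$ from a workstation you trust, the service table from the Services MMC, and the SYSTEM event log entries. The remote-versus-console comparison is the only check here that relies on the hiding behaviour the post describes, so a clean result from it means little if the workstation doing the remote listing might itself be hacked.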

