[unisog] RPCwhore

Schrack, Robert Rob_Schrack at URMC.Rochester.edu
Mon Aug 18 19:36:27 GMT 2003


Nice to see that Symantec has finally updated the info on this thing... I'm
still waiting for a response from Trend Micro on both versions of padmin I
sent them a few weeks ago.

Yes, there are two versions of the padmin backdoor.  The 1.0D version that
listens on 6351/tcp and a 0.9A version that listens on 6551/tcp.  The login
passwords are not interchangeable.  In our case the 1.0D version seemed to
be missing some of the files used by the web service.  Other than file
locations, everything else looked alike.

Rob



-----Original Message-----
From: Jon Karl Miyake [mailto:miyake at darkwing.uoregon.edu] 
Sent: Monday, August 18, 2003 3:05 PM
To: Steve Bernard
Cc: UniSOG; UO Security Group
Subject: Re: [unisog] RPCwhore


I'm going to give you all the information in brief that I have on hand
regarding the compromised machines that we have run across due to the RPC
exploit.  It is getting difficult to mentally separate out the different
dropkits that we have seen on infected machines over the last two-three
weeks.  If you have seen any differences on your network or want more
information on anything that has been glossed over please feel free to ship
me a note.

On the machines announcing "rpcwhore" on campus we have noticed the
following ports open.

        113/tcp,6351/tcp,48522/tcp

Port 48522/tcp will often have a ftp banner.

        220 Welcome To The Consultant's Ftp.

or

        220-welcome to the consultant.

Compromised machines announcing "rpcwhore" may not have an ftp daemon running.
I've come across a few machines that only had 6351/tcp open.

There was a brief posting to the EDUCAUSE security listserv concerning this
type of colonization and some of the ports to look for on a compromised
machine.

http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0307&L=security&T=0&F=&S=&P=9558

Some of the machines we have come across have files in one or all of the
following directories.  Please note that these locations may or may not
normally exist on a system or have files in them.

        C:\(Windows|WINNT)\SYSTEM32\qossrv
        C:\(Windows|WINNT)\SYSTEM32\WINS
        C:\(Windows|WINNT)\SYSTEM32\DHCP
        C:\(Windows|WINNT)\SYSTEM32\RESTORE

Part of the problem that we have come across is that machines may have been
compromised by more than one group/individual.  As such you may find several
different types of dropkits on a single machine when you go to clean it up.

You may find one or more of the following programs actively ...

   FireDaemon.exe, aysshell.exe, winmgnt.exe, csrss.exe

It is important to note that csrss.exe is commonly found on Win2k and WinXP
systems.  The fact that this is running does not necessarily mean you have a
compromised machine.  If you see two instances of this running it is likely
that the machine is compromised (please correct me if I'm wrong).

Symantec has a write-up that is similar to what we have seen.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hale.html

As with all things your mileage may vary.  But hopefully this information
gives you a starting point.

Jon Miyake

User Services and
Network Applications
voice #: (541) 346-1635
Computing Center Room 225
University of Oregon

On Mon, 18 Aug 2003, Steve Bernard wrote:

> We are finding a lot of Microsoft boxes which are trying to join the 
> IRC channel #rpcwhore, but that show no other outward signs of 
> compromise or vulnerability. So far, all connection attempts have been 
> to either 219.123.237.187 or 66.98.158.31. I can't find any mention of 
> "rpcwhore" via Google, Yahoo, etc. Given that these boxes aren't 
> being used for warez or the like I am assuming that they are DDoS 
> agents. I haven't gotten a box to analyze yet. Has anyone else seen 
> this before?
>
>
> Regards,
>
> Steve Bernard
> Sr. Systems Engineer, NET
> George Mason University
> Fairfax, Virginia
>
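The indicators collected across this thread (Jon's ports, process names and ftp banners, Rob's second padmin port, and Steve's IRC server addresses) as an added Python triage check over constructed netstat and tasklist output; this is example code, not something either poster wrote, and the port labels and sample data are assumptions.

```python
# Added triage example (not the posters' code): flags the thread's indicators in
# constructed 'netstat -an' and 'tasklist' text.
import re
SUSPECT_PORTS = {113: "ident", 6351: "padmin 1.0D", 6551: "padmin 0.9A", 48522: "ftp"}
SUSPECT_PROCS = {"firedaemon.exe", "aysshell.exe", "winmgnt.exe"}
IRC_HOSTS = {"219.123.237.187", "66.98.158.31"}  # #rpcwhore servers named in the thread
BANNER_RE = re.compile(r"^220[- ].*consultant", re.IGNORECASE)

def parse_netstat(text):
    # Returns (listening TCP ports, foreign hosts of established TCP connections).
    listening, peers = set(), set()
    for p in (line.split() for line in text.splitlines()):
        if len(p) >= 4 and p[0] == "TCP" and p[3] == "LISTENING":
            listening.add(int(p[1].rsplit(":", 1)[1]))
        elif len(p) >= 4 and p[0] == "TCP" and p[3] == "ESTABLISHED":
            peers.add(p[2].rsplit(":", 1)[0])
    return listening, peers

def process_counts(text):
    # Counts image names from tasklist output; header and non-.exe lines are skipped.
    counts = {}
    for p in (line.split() for line in text.splitlines()):
        if p and p[0].lower().endswith(".exe"):
            counts[p[0].lower()] = counts.get(p[0].lower(), 0) + 1
    return counts

def triage(netstat_text, tasklist_text, ftp_banner=""):
    # Returns a list of findings; an empty list means no indicator matched.
    listening, peers = parse_netstat(netstat_text)
    counts = process_counts(tasklist_text)
    findings = [f"listener on {p}/tcp ({SUSPECT_PORTS[p]})" for p in sorted(listening & set(SUSPECT_PORTS))]
    findings += [f"connection to IRC host {h}" for h in sorted(peers & IRC_HOSTS)]
    findings += [f"process {n} running" for n in sorted(set(counts) & SUSPECT_PROCS)]
    if counts.get("csrss.exe", 0) > 1:  # one csrss.exe is normal on Win2k/XP
        findings.append(f"{counts['csrss.exe']} csrss.exe instances")
    if BANNER_RE.search(ftp_banner):
        findings.append(f"ftp banner matches: {ftp_banner.strip()!r}")
    return findings

# Constructed sample output, not a real capture.
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135        0.0.0.0:0           LISTENING
  TCP    0.0.0.0:6351       0.0.0.0:0           LISTENING
  TCP    0.0.0.0:48522      0.0.0.0:0           LISTENING
  TCP    10.0.0.5:1043      66.98.158.31:6667   ESTABLISHED"""
SAMPLE_TASKLIST = """Image Name      PID Session Name   Session#   Mem Usage
csrss.exe       392 Console               0     3,120 K
csrss.exe      1204 Console               0     1,980 K
winmgnt.exe    1330 Console               0     2,044 K"""
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "220 Welcome To The Consultant's Ftp.")))
```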
