
Re: Finding root-kits on Windows

From: <Kevin.M-CTR.Shannon(at)faa.gov>
Date: Tue May 06 2003 - 10:03:51 EDT

I would venture to say that the file 'dropnc.exe' is NetCat. I would definitely want to see what's in the 'Drop.ini' file, as it should give you a little more info.

You can do a 'netstat' or 'fport' from DOS on that machine to see which ports are listening, then try to connect to each port with NetCat running on another machine.

Once you identify the port, you will know how the attacker is getting in. Have you unplugged the machine yet? If not, use Ethereal to monitor that IP for a while and you can look for traffic across the previously identified port. This should help you identify an IP on the other side (where the intruder is coming from). Although, if the intruder is smart, they are using automated scheduling to push traffic through at late hours when it is unlikely that anyone will be watching.

If you do not see 'dropnc.exe' as a running process, then you want to focus on the process IDs (PIDs) with higher numbers and look at generic PIDs such as 'svchost.exe' (generic host process) or a duplicate of 'inetinfo.exe' or 'dllhost.exe'. These are the favorite PID names of choice for most intruders.

Hope this helps.

KMS Kevin Shannon,
Sr. Network Administrator - US DOT/FAA/AVN - avn.faa.gov
Sr. ADP Specialist - Lockheed Martin Information Technology - www.it.lockheedmartin.com
Office - 405.954.7134  Email - Kevin.M-CTR.Shannon@faa.gov

The contents of this email reflect neither the views of the FAA nor those of Lockheed Martin.
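The triage Kevin describes (netstat/fport to find what is listening, NetCat to probe it, Ethereal to find the far end, then a hard look at duplicate svchost/inetinfo/dllhost processes) can be done in one pass once both tool outputs are pasted off the suspect box. The script below is an added example for this thread, not code from either poster: it parses 'netstat -an' and Foundstone fport output, flags listening ports with no visible owner or an owner outside a baseline, reports any image name running from two different paths, and lists the peers already connected to suspect ports. Both sample outputs and the BASELINE table are constructed assumptions for a Windows 2000 Pro host, not captures from the compromised machine in the post.

```python
"""Join 'netstat -an' with fport output and flag what does not belong.

Added example for this thread; NOT the poster's code. NETSTAT_SAMPLE and
FPORT_SAMPLE are CONSTRUCTED to resemble the tools' formats, and BASELINE is
an ASSUMED clean-build listing (take a real one from a known-good machine).
"""
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3150           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    10.1.1.5:3150          192.0.2.77:4611        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

FPORT_SAMPLE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
8     System         ->  445   UDP
1204  svchost        ->  3150  TCP   C:\WINNT\svchost.exe
"""

# ASSUMED: (proto, port) -> lowercased process name expected on a clean box.
BASELINE = {
    ("TCP", 135): "svchost",
    ("TCP", 139): "system",
    ("TCP", 445): "system",
    ("UDP", 445): "system",
}

FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_netstat(text):
    """One dict per socket line of 'netstat -an'; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP lines carry no state
        laddr, lport = local.rsplit(":", 1)
        conns.append({"proto": proto, "laddr": laddr, "port": int(lport),
                      "faddr": foreign.rsplit(":", 1)[0], "state": state})
    return conns


def parse_fport(text):
    """One dict per fport mapping line: pid, process, port, proto, path."""
    procs = []
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "process": m.group(2),
                          "port": int(m.group(3)), "proto": m.group(4),
                          "path": m.group(5)})
    return procs


def triage(netstat_text, fport_text, baseline=BASELINE, target="TARGET_IP"):
    conns = parse_netstat(netstat_text)
    procs = parse_fport(fport_text)
    owner = {(p["proto"], p["port"]): p for p in procs}

    findings = []  # (port, proto, reason)
    for c in conns:
        if not (c["state"] == "LISTENING" or c["proto"] == "UDP"):
            continue
        key = (c["proto"], c["port"])
        p = owner.get(key)
        if p is None:
            # Socket exists but no process admits to it: hidden process.
            findings.append((c["port"], c["proto"], "listening, no owning process visible"))
        elif baseline.get(key) != p["process"].lower():
            findings.append((c["port"], c["proto"], "not in baseline: pid %d %s %s"
                             % (p["pid"], p["process"], p["path"])))

    # Same image name loaded from two different on-disk paths.
    paths = defaultdict(set)
    for p in procs:
        if p["path"]:
            paths[p["process"].lower()].add(p["path"].lower())
    duplicates = {n: sorted(ps) for n, ps in paths.items() if len(ps) > 1}

    # Remote ends already talking to a suspect port: what to filter on in Ethereal.
    suspect = {f[0] for f in findings}
    peers = sorted({c["faddr"] for c in conns
                    if c["state"] == "ESTABLISHED" and c["port"] in suspect})

    # NetCat probes to run from another machine against each suspect TCP port.
    probes = ["nc -v -n %s %d" % (target, port) for port, proto, _ in findings if proto == "TCP"]
    return {"findings": findings, "duplicates": duplicates, "peers": peers, "probes": probes}


if __name__ == "__main__":
    result = triage(NETSTAT_SAMPLE, FPORT_SAMPLE, target="10.1.1.5")
    for port, proto, reason in result["findings"]:
        print("%s/%d: %s" % (proto, port, reason))
    for name, ps in result["duplicates"].items():
        print("duplicate %s: %s" % (name, ", ".join(ps)))
    print("peers to sniff for:", result["peers"])
    print("\n".join(result["probes"]))
```

A port that netstat shows open but fport cannot attribute to any process is the more telling case than an odd owner: on a box with a kernel hook the listening process may simply be hidden, so run the same netstat/fport pair from a clean boot CD or compare against a port scan from the outside rather than trusting the live view alone.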

Date: 05/05/2003 09:52 PM
To: forensics@securityfocus.com
cc:
Subject: Finding root-kits on Windows

If someone could help me I would appreciate it- my current situation is:

On a compromised Windows 2k Pro box I have a directory with suspect binaries (which I discovered from a disk image via autopsy/sleuthkit, awesome stuff) but on the compromised machine it is impossible* to view these files or the directory. A listing of the files and the directory is attached at the end of the e-mail. After reading more and more on windows rootkits, one of the common ways to use them is to pick a common string to hide, and in my case all the files and the directory have the string "drop" as part of their name. As a test I created a directory in the root of the drive named "dropper" and it also "disappeared".


So my question is, how can I find this root-kit that is hooked into my kernel? I am looking at my sysinfo for the box but while there are a number of drivers running- how would I further investigate what they are doing? BTW, it hasn't matched up with a well-known root-kit yet (like slanret).

Thanks
S-W

*=except 'cd'ing, via command prompt only, into the suspect (drop) directory and 'dir' listing all files *without* the "drop" name--possibly an error with the root-kit?

File and directory listing: (md5 hash / file name / size)

MD5 Values for files in /mnt/evidence/WINNT/system32/ (images/win2kpart1.img)

39a9e5c05ffbda925da0d2ec9b4f512a  drop.exe            50688
c647b4225e022096fb125f6bc49c5c91  drop.ini              383
da0bae77d169430f23134c1bea850c10  droper.exe        1364009
d66183219dcc4df876b94507c517decd  dropz.dat             244
623dfe4b51bc457a93b6cbbdeb62f3aa  dropz.exe          196922

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/ (images/win2kpart1.img)

f52d332ff50cb543c6d47d9aa4a0f608  dropclient.exe      30208
084badcff1da96797dddfd29b5038273  dropcmdsrv.exe      32768
a109f9c51681ec708342db2af6c4bebb  dropFar.exe        416800
26c1a98812d114c7ad2bc8e8d7119315  dropisql.exe        98304
e0fb946c00b140693e3cf5de258c22a1  dropnc.exe          59392
b5f519b3844c4d3c5451d90f70c59737  dropNTUSER.EXE     114176
998c2626a275c4ee1d59c2b3d0ede028  droppkzip.exe      339456
7eec3f77f9cb19fda1d06403ec1472f1  droppm.exe           5632
9c77ed16bcba7c61d620ec040788e7e8  dropport.exe        48640
ca0447d2feccc4a5ac3c9128d61debe7  droppwdump2.exe     32768
b7989bcb72225521c79163517cabe69a  FarEng.hlf          72121
f7dddbdbbc5879bf16ac00cedcd20745  FarEng.lng          16618
ab1f54a5fa3e653b6784c44407f113ac  samdump.dll         36864

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/FTP/ (images/win2kpart1.img)

8e15302b6d6e34f97d1a9729a8982f2e  farftp.dll         115232
c9c65b08d29378823d4f41bc7f96787f  FtpEng.hlf           6514
5473c2f0e88c2a6732bbbcf72e895523  FtpEng.lng           2307

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/Network/ (images/win2kpart1.img)

899618cc2b78249ae846aea0ae7a8e55  NetEng.hlf           1033
e094baf947eddf5c5d744247ec75859e  NetEng.lng            625
701c98c6799d450f458335b498806fa2  NETWORK.dll         45600

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/ProcList/ (images/win2kpart1.img)

43ca7be3f1bb03d47b77ea836f996fba  ProcEng.hlf           444
77fc621c42ea93a8a0ff9bd32331c350  ProcEng.lng           442
9691161c57d0cb6500af09df919b852f  PROCLIST.dll        51232

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue May 6 10:24:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

