RE: Proxy server hit... Any ideas?

From: darroch royden <darroch.royden(at)blueyonder.co.uk>
Date: Wed Nov 20 2002 - 07:34:27 EST


A favourite tool is xscan (xfocus.org), which among other options/plugins lets you choose ntpass, which brute forces bad passwords on the remote machine. I would imagine, especially since they are removing the hidden shares, that this is how they penetrated the machine.

Hope this helps.

-----Original Message-----
From: Mike Cain [mailto:mikec@lpinsurance.com]
Sent: 19 November 2002 9:29 PM
To: incidents@securityfocus.com
Subject: RE: Proxy server hit... Any ideas?

I was really more looking for suggestions on 'how' the guy got in, and if it matched any known exploits. First off, I didn't build the box, and it wasn't my responsibility until about 3 weeks ago. Secondly, I do know a good bit about hardening a box, so I am in the process of rebuilding the Proxy to my specs (No FTP is DEFINITELY one of them since this company doesn't use FTP).
Thanks for the help though.... such as it was...

Mike Cain

-----Original Message-----
From: Russell Harding [mailto:hardingr@cunap.com]
Sent: Tuesday, November 19, 2002 3:04 PM
To: Mike Cain
Cc: incidents@securityfocus.com
Subject: Re: Proxy server hit... Any ideas?

Mike,

  It seems like you've been gotten by one of the many so-called 'hackers' who troll the internet looking for unpatched NT boxen to use as rogue FTP (music/warez/movie) servers.


  The incidents list sees this sort of post about once a week... "I run NT, don't know security and got hit...what did I get?"

  I could be just another person to direct you to the same sources the list always does (netstat, fport, etc.), but I would like to recommend the following:

  With an unknown backdoor installed on your system, you really can never know if you've eradicated the intruder. It is best to not really worry about what is there (keep the 'pirates' booty' if you wish :) ) but focus on what to do about it. You need to re-format your drive and start from scratch with the machine _off_ the public internet until it is fully patched. Don't always trust Windows Update to keep you patched... It may help you to use a third party utility.

   Good luck rebuilding your system,

         -Russell

On Mon, 18 Nov 2002, Mike Cain wrote:

> Well, I have had my first run-in with a hacker, or was it a virus? I'm
> not 100% sure.. Guess I should start from the beginning... Well,
> last night the box was rebooted after some software was updated. Today
> people were complaining about how PAINFULLY slow the internet was, so I
> looked at the proxy server. NT4 running proxy3. I know, there is newer
> better stuff, but its what I have to work with. :) SO... I looked at the
> processes and noticed the CPU hovering at 35-50%.. Way too high. So a
>
> remember needing to be there, win.exe and start.exe. Next move was to find them,
> and they were in the winnt\system\ folder. What I also found odd was
>
> 8th, NT, tools, and win.
>
> Here are the contents, respectively.
> 1. 1fg.dll, 1gno32.dll, 1s.dll, 1t.exe(antivirus sees this one as a
> backdoor Trojan), 132.dll, 1gn32.dll, 1idv32.dll, 1sf32.dll, 1ygwin1.dll
> (says it's a Cygwin POSIX Emulation DLL), 132.dll.bkup
>
> Routine), and _zoLibr.dll
>
> sercure and secure1 batch files, it looks like a root kit... But I'm new at
>
> old IIS Sample Scripts to execute local code... Not sure if he was
>
> Professional)
> >> temp
> echo [System Access] >> temp
> echo MinimumPasswordAge = 0 >> temp
> echo MaximumPasswordAge = 42 >> temp
> echo MinimumPasswordLength = 0 >> temp
> echo PasswordComplexity = 0 >> temp
> echo PasswordHistorySize = 0 >> temp
> echo LockoutBadCount = 0 >> temp
> echo RequireLogonToChangePassword = 0 >> temp
> echo ClearTextPassword = 0 >> temp
> echo [Event Audit] >> temp
> echo AuditSystemEvents = 0 >> temp
> echo AuditLogonEvents = 0 >> temp
> echo AuditObjectAccess = 0 >> temp
> echo AuditPrivilegeUse = 0 >> temp
> echo AuditPolicyChange = 0 >> temp
> echo AuditAccountManage = 0 >> temp
> echo AuditProcessTracking = 0 >> temp
> echo AuditDSAccess = 0 >> temp
> echo AuditAccountLogon = 0 >> temp
> echo [Registry Values] >> temp
> echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
> echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
> echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
> echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
> echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
> echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
> echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
> echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
> echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
> echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
> echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
> echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
> echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
> echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
> echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
> echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
> echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
> echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
> echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
> echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
> echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
> echo [Privilege Rights] >> temp
> echo seassignprimarytokenprivilege = >> temp
> echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
> *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
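The batch file quoted above writes a secedit-style security template that zeroes the password, lockout and audit settings, turns off SMB signing and RestrictAnonymous, and adds a RID-501 (Guest) SID to a privilege list. As an added example, not code from the thread or from any of its posters, the Python script below parses such a template and reports every setting that falls below a hardening baseline, which is the check a responder would run on the 'temp' file before trusting the box. The SAMPLE_TEMPLATE text is constructed from the quoted lines; the right name senetworklogonright on its last line is assumed, since the page lost the name from that line; and the BASELINE thresholds are this example's own assumptions about an NT4-era floor, not anything the thread states.

```python
"""Flag weakened settings in a secedit-style security template.
Added example, not code from the thread: SAMPLE_TEMPLATE is constructed
from the quoted batch file's output, BASELINE is this example's own
assumed hardening floor for an NT4-era host."""
import re

# Constructed sample. The last Privilege Rights line carries an assumed
# right name (senetworklogonright); on the page only its account list survived.
SAMPLE_TEMPLATE = r"""
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
[Registry Values]
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
[Privilege Rights]
secreatepagefileprivilege = *S-1-5-32-544
senetworklogonright = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501
"""

# ("min", n): below n is a finding; ("max", n): above n is. secedit audit
# values are 0 none, 1 success, 2 failure, 3 both, so 1 means "audit something".
BASELINE = {
    "System Access": {"MinimumPasswordLength": ("min", 8), "PasswordComplexity": ("min", 1),
                      "PasswordHistorySize": ("min", 5), "LockoutBadCount": ("min", 5),
                      "ClearTextPassword": ("max", 0)},
    "Event Audit": {"AuditSystemEvents": ("min", 1), "AuditLogonEvents": ("min", 1)},
    "Registry Values": {
        r"machine\system\currentcontrolset\control\lsa\restrictanonymous": ("min", 1),
        r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel": ("min", 2),
        r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature": ("min", 1),
    },
}
LOW_TRUST = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon"}  # never in a grant


def parse_inf(text):
    """Return {section: {key: raw_value}} for an INF-style template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")   # registry paths contain no '='
            sections[current][key.strip()] = value.strip()
    return sections


def registry_dword(value):
    """Decode a 'type,data' registry entry; only REG_DWORD (type 4) is numeric."""
    kind, _, data = value.partition(",")
    if kind.strip() == "4" and data.strip().isdigit():
        return int(data)
    return None


def principal_label(sid):
    """Name a low-trust principal, or None if the SID is not one."""
    sid = sid.strip().lstrip("*")
    if sid in LOW_TRUST:
        return LOW_TRUST[sid]
    if sid.endswith("-501"):          # RID 501 is the built-in Guest account
        return "Guest (RID 501)"
    return None


def find_weakened(sections, baseline=BASELINE):
    """List (section, key, actual, note) for each setting below the baseline."""
    findings = []
    for section, rules in baseline.items():
        entries = {k.lower(): v for k, v in sections.get(section, {}).items()}
        for key, (mode, limit) in rules.items():
            raw = entries.get(key.lower())
            if raw is None:
                continue
            actual = registry_dword(raw) if section == "Registry Values" else (
                int(raw) if raw.isdigit() else None)
            if actual is None:
                continue
            if (mode == "min" and actual < limit) or (mode == "max" and actual > limit):
                findings.append((section, key, actual, f"baseline {mode} {limit}"))
    for right, accounts in sections.get("Privilege Rights", {}).items():
        for sid in accounts.split(","):
            label = principal_label(sid)
            if label:
                findings.append(("Privilege Rights", right, sid.strip(), f"grants {label}"))
    return findings


if __name__ == "__main__":
    for section, key, actual, note in find_weakened(parse_inf(SAMPLE_TEMPLATE)):
        print(f"[{section}] {key} = {actual}  ({note})")
```

Run against the constructed sample it reports ten findings: four password/lockout values, two audit categories, three LSA and SMB registry values, and the Guest SID in the assumed privilege grant. Values the baseline does not cover (MaximumPasswordAge here) and non-DWORD registry entries such as the `legalnoticetext=1,` strings in the quoted template are parsed but not judged, so a real baseline should extend BASELINE rather than trust silence.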




This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Nov 22 00:45:19 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

