
Re: FTP and Win2K changed security policy

From: Johan Augustsson <johan.augustsson(at)adm.gu.se>
Date: Wed Nov 20 2002 - 02:29:17 EST

On Mon, Nov 18, 2002 at 12:37:05PM +0100, Bojan Zdrnja wrote:
>
> I wonder if anyone saw rootkit with this or this was a manual work.

I've seen variants of those .bat-files on a huge number of compromised NT/2000 systems. As far as I know it's just a bunch of scripts that the intruder runs manually after downloading them from either his own box (stupid) or another compromised box.

So, how did he get in? I would bet my money on bad or non-existent passwords. Badly configured MS-SQL servers are another often used way in, but maybe not in this case. There is a very powerful tool written by a Chinese author that scans a class B network and collects null passwords, or passwords that are the same as the account's name, in less than 40 minutes. Since this is a win32 executable it's often found on the compromised systems. It can also be used with a dictionary.

Another tool that's often found on those systems is Netcat. It may be used to start a command shell session to a specific IP address or to bind cmd.exe to a port that the intruder can use as a backdoor.

The tricky part is to find all the binaries. It was a long time ago that the intruder started to rename the Serv-U FTP binaries to something more legal-looking. Fport or Active Ports can help you out there. It's like lsof -i for Windows.

If you really want to know how many of your boxes are compromised like this, I recommend using Snort (www.snort.org) and the following rules.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"USER"; content: "USER"; flags: A+; dsize: <30; depth: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PASS"; content: "PASS"; flags: A+; dsize: <30; depth: 4;)


You might consider a couple of pass rules above those two rules so you don't get all the legal FTP logins to port 21 and other legal ports.

Bear in mind that the rules above might give you a minor shock. If you have a class B net and don't filter TCP 135, 139 and 445 you'll probably have a couple of compromised boxes every day.

Happy hunting

Johan Augustsson
Göteborg University
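The two Snort rules quoted in the post match the first 4 bytes of a short ACK-flagged payload from outside to the home net, which catches FTP logins on whatever port a renamed Serv-U has been bound to. The following Python is an added example, not Snort and not code from the post's author: it emulates the rule semantics (content within depth 4, flags A+, dsize <30, direction external -> home) and applies the port-21 "pass" exemption the post suggests before the alert rules, so only logins to unexpected ports are reported. The HOME_NET prefix, the set of expected FTP ports and all sample packets are constructed for the example.

```python
"""Emulates the two posted Snort rules plus a pass rule for expected FTP
ports, run over constructed sample packets.  Added example; not Snort."""

from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "A", "PA", "S"
    payload: bytes


HOME_NET = "10.0."           # hypothetical $HOME_NET, as an address prefix
EXPECTED_FTP_PORTS = {21}    # ports where FTP logins are legitimate (pass rule)


def rule_matches(pkt: Packet, keyword: bytes) -> bool:
    """Emulates: alert tcp $EXTERNAL_NET any -> $HOME_NET any
    (content:"<keyword>"; flags:A+; dsize:<30; depth:4;)"""
    # direction: $EXTERNAL_NET -> $HOME_NET
    if pkt.src.startswith(HOME_NET) or not pkt.dst.startswith(HOME_NET):
        return False
    # flags: A+  (ACK set, any other flags allowed)
    if "A" not in pkt.flags:
        return False
    # dsize: <30  (payload shorter than 30 bytes)
    if len(pkt.payload) >= 30:
        return False
    # depth: 4  (the content must lie entirely within the first 4 bytes)
    return keyword in pkt.payload[:4]


def classify(pkt: Packet):
    """Returns the alert message ("USER"/"PASS") or None.  The pass rule
    is evaluated first, so logins to expected FTP ports are ignored."""
    if pkt.dport in EXPECTED_FTP_PORTS:
        return None
    for keyword in (b"USER", b"PASS"):
        if rule_matches(pkt, keyword):
            return keyword.decode()
    return None


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    Packet("198.51.100.7", "10.0.0.5", 21, "PA", b"USER anonymous\r\n"),   # expected FTP
    Packet("198.51.100.7", "10.0.0.5", 43958, "PA", b"USER admin\r\n"),    # FTP on odd port
    Packet("198.51.100.7", "10.0.0.5", 43958, "PA", b"PASS admin\r\n"),
    Packet("10.0.0.5", "198.51.100.7", 43958, "PA", b"USER admin\r\n"),    # wrong direction
    Packet("198.51.100.7", "10.0.0.5", 80, "PA",
           b"GET / HTTP/1.0\r\nUser-Agent: x\r\n\r\n"),                    # too long, no match
    Packet("198.51.100.7", "10.0.0.5", 43958, "S", b""),                   # SYN only, no ACK
]


def run(packets=SAMPLE):
    """Returns (dport, msg) for every packet that would raise an alert."""
    hits = []
    for pkt in packets:
        msg = classify(pkt)
        if msg is not None:
            hits.append((pkt.dport, msg))
    return hits


if __name__ == "__main__":
    for dport, msg in run():
        print(f"alert {msg} -> dport {dport}")
```

The pass-before-alert ordering is written out explicitly here; in Snort itself the evaluation order of the rule types is a configuration matter (the classic versions switch to pass/alert/log order with the -o command-line switch), so check how your build is started before relying on pass rules to suppress the port-21 noise.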



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Nov 22 13:23:53 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

