Re: compromised machines

From: Scott Weeks (surfermauigateway.com)
Date: Thu Aug 26 2004 - 17:13:32 CDT


Are you sure they didn't crack the passwords? Do you have 'strong'
passwords on the machines?

scott

On Thu, 26 Aug 2004, Varun Pitale wrote:

: Last week, I had around 78 machines compromised through IRC bots and
: all of them running a ftp server on port 6544 with the following
: banner:
:
: 220-Serv-U FTP Server v5.0 for WinSock ready...
: 220-.
: 220-.
: 220- ¨¨°şİo.,,.oİ HacKed By EvilzCrew İo.,,.oİş°¨¨
: 220-.
: 220-.
: 220-
: 220- ---= SERVER ---
: 220-----> The server has been up for 0 days: 14 hours: 52 min
: 220-----> Today is Saturday 14 August, 2004; it is 14:27:36 on the server
: 220-
: 220- ---= TRANSFERS ---
: 220-----> Speed: average: 0.261 kb/sec
: 220-----> Total download: 20 Kb
: 220-----> Total upload: 13977 Kb
: 220-
: 220- ---= USERS ---
: 220-----> Your IP: x.x.x.x
: 220-----> You have 1 connection
: 220-----> TotaL Users Logged In : 6 Users
: 220-
: 220- ---= RESPECT THIS STUFF ---
:
: We cleaned up all of these machines and rebuilt each of them from
: scratch, with all the latest patches. The IDS/IPS at the edge of our
: network does not seem to be catching the bots which are causing
: these.
: After one week, I have 50 machines which are compromised by the same
: bot, and some of them are the same as the previous list of machines.
: Now a host-based firewall is a very tough option for us, since we are
: a university with around 30,000 computers and under different
: departments. Does anyone know what bots are causing these, and any IDS
: signatures for them? We are using a couple of IDSs, such as Snort,
: Dragon and IntruShield. Any help with this is appreciated.
: I did have a look at one of these machines and, from what I see,
: there are a couple of files which seem to be causing this.
: There is a csmss.exe file which is listening on port 6544. The
: machine is also running a remote server.
: Before csmss.exe, a file ServNT.exe seems to have been executed, which
: might have caused a sequence of events. There is a batch file which,
: using the registry, runs a remote admin server at startup. Then we got
: a number of files which are used to show the banner and hide the files.
: If only I could find out how they got inside the system, because most
: of the infected machines were running fully patched Windows XP with the
: latest Norton Antivirus definitions.
: All of those machines are running either Windows 2000 professional or
: XP professional.
: Two machines were analysed, one of which was completely patched and had
: all the latest virus definitions from Norton; the other machine was not
: patched and no virus updates were present. But the state of affairs
: on both machines was the same. The message sent before contains the
: details.
: On more analysis, I found csmss.exe to be a part of the W32.Dedler
: Trojan, but how it got inside the system is anyone's guess.
:
: None of them was running IIS.
:
:
:
: --
: Regards,
: Varun
: (704)-548-8793 --(Home)
: (704)-241-0092 --(Mobile)
: mailto: varun.pitale_(at)_gmail_(dot)_com
:
:
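A practical check for the indicator quoted above, added here as an example and not part of the thread or of any poster's work: a small Python banner grabber and classifier that scores an FTP greeting against the strings in the quoted banner (the "HacKed By" defacement tag, the statistics block headers, the "Users Logged In" line, the Serv-U v5.0 greeting, and the non-standard port 6544) and emits a Snort 2 rule for the tag. The sample banners are constructed from the lines quoted in the thread (the French lines are kept as the rogue server sends them, since that is what a signature has to match); the indicator weights, the alert threshold and the sid are my own assumptions. The plain "Serv-U FTP Server v5.0 for WinSock ready..." greeting is also what a legitimate Serv-U install sends, so it carries little weight by itself.

```python
import re
import socket

# Constructed sample: the multi-line 220 greeting quoted in the thread, as a
# banner grabber would receive it (CRLF line endings; French lines kept as the
# rogue server sends them).
SAMPLE_ROGUE_BANNER = (
    "220-Serv-U FTP Server v5.0 for WinSock ready...\r\n"
    "220-.\r\n"
    "220- HacKed By EvilzCrew\r\n"
    "220-\r\n"
    "220- ---= SERVER ---\r\n"
    "220-----> Le Server est Up depuis 0 Jour: 14 Heure: 52 Min\r\n"
    "220- ---= UTILISATEURS ---\r\n"
    "220-----> TotaL Users Logged In : 6 Users\r\n"
    "220- ---= RESPECT THIS STUFF ---\r\n"
    "220 \r\n"
)

# Constructed, legitimate Serv-U greeting for comparison.
SAMPLE_CLEAN_BANNER = "220 Serv-U FTP Server v5.0 for WinSock ready...\r\n"

SUSPECT_PORT = 6544      # port the thread reports csmss.exe listening on
ALERT_THRESHOLD = 5      # assumption: the defacement tag alone is enough to alert

# (name, pattern, weight): strings taken from the quoted banner, weights assumed.
INDICATORS = [
    ("hacked_by_tag", re.compile(r"hacked\s+by", re.I), 5),
    ("stats_block", re.compile(r"---=\s*(SERVER|TRANSFERTS|UTILISATEURS)\s*---"), 2),
    ("users_logged_in", re.compile(r"Users Logged In", re.I), 2),
    ("servu_v5_greeting", re.compile(r"Serv-U FTP Server v5\.0", re.I), 1),
]


def classify_banner(banner, port):
    """Score an FTP greeting. Returns (score, list of matched indicator names)."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(banner):
            score += weight
            hits.append(name)
    if port == SUSPECT_PORT:
        score += 2
        hits.append("port_%d" % SUSPECT_PORT)
    return score, hits


def is_rogue(banner, port):
    return classify_banner(banner, port)[0] >= ALERT_THRESHOLD


def grab_banner(host, port, timeout=3.0):
    """Connect and read the greeting until the terminating '220 ' line
    (RFC 959: the last line of a multi-line reply has a space, not a dash,
    after the code) or until the peer stops sending."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while not re.search(rb"(?m)^220 [^\r\n]*\r?\n", data):
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
    return data.decode("latin-1")


def snort_rule(sid=1000001):
    """Snort 2 rule for the defacement tag in a greeting sent from the
    reported port. sid is a placeholder in the local (>= 1000000) range."""
    return (
        "alert tcp $HOME_NET %d -> any any ("
        'msg:"Rogue Serv-U FTP greeting (HacKed By tag) from %d/tcp"; '
        'flow:from_server,established; content:"220-"; '
        'content:"HacKed By"; nocase; '
        "classtype:trojan-activity; sid:%d; rev:1;)"
    ) % (SUSPECT_PORT, SUSPECT_PORT, sid)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        banner = grab_banner(host, port)
    else:
        banner, port = SAMPLE_ROGUE_BANNER, SUSPECT_PORT
    score, hits = classify_banner(banner, port)
    print("score=%d hits=%s rogue=%s" % (score, hits, is_rogue(banner, port)))
    print(snort_rule())
```

Run with no arguments to score the constructed sample, or with `host port` to grab and score a live greeting. The Snort rule only fires on traffic that crosses the sensor, which is the limitation Varun describes; sweeping the address space for listeners on 6544 with grab_banner is the complementary host-side check when the edge IDS sees nothing.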