Security Incidents
mailing list archives
Compromised Win2000 machine.
From: Daniel Hay <dhay () drexel edu>
Date: Tue, 28 May 2002 16:15:25 -0400
Hey,
Today I found a Windows machine located in our dorms that had
been compromised, but unlike most of the compromised machines I see come
out of the dorms, the Admin password was actually set, and it was set to
something other than NULL or Administrator. The attacker set up 2
Serv-U ftpds on the host on high ports, 23432 and 65531 to be exact;
they also installed a warez eggdrop bot that connects to the newnet IRC
network and serves via the #warez-excell channel. The thing that puzzles
me, and I've not been able to get any information on it through web
searches and mailing lists so far, is that on port 4160 there seems to be a
login prompt. When you nc to the port you are presented with the following:
[dhay () ob-1 dhay]$ nc compromise.host.edu 4160
Login: administrator
Invalid password!!!
login:
An nc to the auth port (113) yields:
[dhay () ob-1 dhay]$ nc 144.118.217.84 113
934 , 6667 : USERID : UNIX : bitch
I'm hoping someone notices the shift from the uppercase "L" in "Login" to
lowercase after you fail to log in and recognizes it as a known
backdoor, or something similar... Does anyone know of any canned
rootkits (for want of a better term) that act in the way I've
described above? I'll paste the output of nmap -sS -sU -p 1-65535 below:
Port       State  Service
99/tcp     open   metagram
113/tcp    open   auth
135/tcp    open   loc-srv
135/udp    open   loc-srv
137/udp    open   netbios-ns
138/udp    open   netbios-dgm
139/tcp    open   netbios-ssn
445/tcp    open   microsoft-ds
445/udp    open   microsoft-ds
500/udp    open   isakmp
1025/tcp   open   listen
1026/udp   open   unknown
4160/tcp   open   unknown
23432/tcp  open   unknown
65531/tcp  open   unknown
Cheers
Danny
Drexel University
Network Security Engineer
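The three manual checks in the message above (banner-grabbing the odd port, querying ident, and scanning for listeners) are the usual first triage of a box like this. The following is an added example, not code from the original post or from Drexel: it parses an RFC 1413 ident reply, flags open ports that fall outside a baseline of what a stock Windows 2000 host is expected to listen on, and tests a captured prompt transcript for the "Login:" to "login:" case shift the poster describes. The sample ident line and nmap listing are copied from the post; the Windows 2000 port baseline is an assumption to adjust to your own build, and only banner_grab() touches the network.

```python
"""Triage helpers for a suspected backdoor listener (added example)."""
import re
import socket

# Sample inputs taken from the post above; nothing is contacted unless
# banner_grab() is called explicitly.
IDENT_REPLY = "934 , 6667 : USERID : UNIX : bitch"
NMAP_OUTPUT = """\
Port State Service
99/tcp open metagram
113/tcp open auth
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
445/tcp open microsoft-ds
445/udp open microsoft-ds
500/udp open isakmp
1025/tcp open listen
1026/udp open unknown
4160/tcp open unknown
23432/tcp open unknown
65531/tcp open unknown
"""

# Assumption: ports a stock Windows 2000 host listens on (RPC endpoint mapper,
# NetBIOS, SMB, IKE, dynamic RPC). Anything else is a lead worth chasing.
WIN2000_BASELINE = {
    ("135", "tcp"), ("135", "udp"), ("137", "udp"), ("138", "udp"),
    ("139", "tcp"), ("445", "tcp"), ("445", "udp"), ("500", "udp"),
    ("1025", "tcp"), ("1026", "udp"),
}

# RFC 1413 reply: "<local-port> , <remote-port> : USERID : <opsys> : <user>"
# or            "<local-port> , <remote-port> : ERROR : <reason>"
IDENT_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def parse_ident(reply):
    """Parse an ident reply into a dict. The remote port tells you what the
    compromised box is connected to; 6667 is the well-known IRC port."""
    m = IDENT_RE.match(reply)
    if not m:
        raise ValueError("not an ident reply: %r" % reply)
    local_port, remote_port, kind, rest = m.groups()
    out = {"local_port": int(local_port), "remote_port": int(remote_port)}
    if kind == "ERROR":
        out["error"] = rest
        return out
    opsys, _, user = rest.partition(":")
    out["os"] = opsys.strip()
    out["user"] = user.strip()
    out["irc_peer"] = out["remote_port"] in (6667, 6668, 6669, 7000)
    return out


def unexpected_ports(nmap_text, baseline=WIN2000_BASELINE):
    """Return (port, proto, service) for every open port outside the baseline,
    in the order nmap printed them. Only 'open' lines are considered."""
    leads = []
    for line in nmap_text.splitlines():
        m = re.match(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", line)
        if m and (m.group(1), m.group(2)) not in baseline:
            leads.append((int(m.group(1)), m.group(2), m.group(3)))
    return leads


def prompt_case_shift(transcript):
    """True when a captured transcript shows the post's quirk: the prompt is
    'Login:' on first contact and 'login:' after a failed attempt."""
    prompts = re.findall(r"^(Login|login):", transcript, re.M)
    return len(prompts) >= 2 and prompts[0] == "Login" and prompts[-1] == "login"


def banner_grab(host, port, payload=b"administrator\r\n", timeout=5.0):
    """Live equivalent of the nc probes: connect, read the banner, send one
    line, read the reply. Returns the raw text so it can be fed to
    prompt_case_shift(). Not exercised offline."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            chunks.append(s.recv(4096))
            if payload:
                s.sendall(payload)
                chunks.append(s.recv(4096))
        except socket.timeout:
            pass
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    print(parse_ident(IDENT_REPLY))
    for port, proto, svc in unexpected_ports(NMAP_OUTPUT):
        print("investigate %d/%s (%s)" % (port, proto, svc))
```

Run against the figures in the post, the ident reply ties local port 934 to a peer on 6667 (the eggdrop's IRC session), and the port diff leaves exactly 99/tcp, 113/tcp, 4160/tcp, 23432/tcp and 65531/tcp to explain. Keep the baseline honest for your own image: the dynamic RPC ports (1025, 1026) move between builds, and a lazy baseline will either hide a listener or send you chasing a legitimate one.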
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com