Security Incidents
mailing list archives
Re: Trojan of somesort - Update
From: "Bob the Builder" <builder173 () hotmail com>
Date: Thu, 27 May 2004 14:58:56 +0000
Hi all, thanks for everyone's response so far, here is some additional
information:
Suspicious ports that were accessible via TCP scan included:
3181/tcp open unknown
6767/tcp open unknown
6768/tcp open unknown
7777/tcp open unknown
10128/tcp open unknown
20200/tcp open msrpc Microsoft Windows msrpc
25252/tcp open mstask Microsoft mstask (task server -
c:\winnt\system32\Mstask.exe)
The FTP service was running on 7777, and I am taking this to have been
ServU-FTP as I found this binary on the box.
Additional information returned from nmap regarding suspicious ports was:
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3181-TCP:V=3.50%D=5/21%Time=40AE052D%P=i686-pc-linux-gnu%r(NULL,D,"
SF:Who\x20are\x20you\?\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7777-TCP:V=3.50%D=5/21%Time=40AE052F%P=i686-pc-linux-gnu%r(NULL,30,
SF:"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C () S\xa3
SF:!!!\r\n")%r(GenericLines,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On
SF:\x20Da\x20FUcKiNG\x20C () S\xa3!!!\r\n")%r(GetRequest,44,"220\x20SiGN\x20-
SF:\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C () S\xa3!!!\r\n530\x20Not
SF:\x20logged\x20in\.\r\n")%r(HTTPOptions,44,"220\x20SiGN\x20-\x20FR33-FXP
SF:3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C () S\xa3!!!\r\n530\x20Not\x20logged\x
SF:20in\.\r\n")%r(RTSPRequest,44,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20
SF:On\x20Da\x20FUcKiNG\x20C () S\xa3!!!\r\n530\x20Not\x20logged\x20in\ \r\n")
SF:%r(RPCCheck,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUc
SF:KiNG\x20C () S\xa3!!!\r\n")%r(DNSVersionBindReq,30,"220\x20SiGN\x20-\x20FR
SF:33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x20C () S\xa3!!!\r\n")%r(DNSStatusRe
SF:quest,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG\x
SF:20C () S\xa3!!!\r\n")%r(Help,1F6,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20
SF:On\x20Da\x20FUcKiNG\x20C () S\xa3!!!\r\n214-\x20The\x20following\x20comman
SF:ds\x20are\x20recognized\x20\(\*\x20=>\x20unimplemented\)\.\r\n\x20\x20\
SF:x20USER\x20\x20\x20\x20PORT\x20\x20\x20\x20RETR\x20\x20\x20\x20ALLO\x20
SF:\x20\x20\x20DELE\x20\x20\x20\x20SITE\x20\x20\x20\x20XMKD\x20\x20\x20\x2
SF:0CDUP\x20\x20\x20\x20FEAT\r\n\x20\x20\x20PASS\x20\x20\x20\x20PASV\x20\x
SF:20\x20\x20STOR\x20\x20\x20\x20REST\x20\x20\x20\x20CWD\x20\x20\x20\x20\x
SF:20STAT\x20\x20\x20\x20RMD\x20\x20\x20\x20\x20XCUP\x20\x20\x20\x20OPTS\r
SF:\n\x20\x20\x20ACCT\x20\x20\x20\x20TYPE\x20\x20\x20\x20APPE\x20\x20\x20\
SF:x20RNFR\x20\x20\x20\x20XCWD\x20\x20\x20\x20HELP\x20\x20\x20\x20XRMD\x20
SF:\x20\x20\x20STOU\r\n\x20\x20\x20REIN\x20\x20\x20\x20STRU\x20\x20\x20\x2
SF:0SMNT\x20\x20\x20\x20RNTO\x20\x20\x20\x20LIST\x20\x20\x20\x20NOOP\x20\x
SF:20\x20\x20PWD\x20\x20\x20\x20\x20SIZE\r\n\x20\x20\x20QUIT\x20\x20\x20\x
SF:20MODE\x20\x20\x20\x20SYST\x20\x20\x20\x20ABOR\x20\x20\x20\x20NLST\x20\
SF:x20\x20\x20MKD\x20\x20\x20\x20\x20XPWD\x20\x20\x20\x20MDTM\r\n214\x20Di
SF:rect\x20comments\x20or\x20bugs\x20to\x20bugs () bugs\ com\ \r\n")%r(SSLSes
SF:sionReq,30,"220\x20SiGN\x20-\x20FR33-FXP3rs\x20-\x20On\x20Da\x20FUcKiNG
SF:\x20C () S\xa3!!!\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port10128-TCP:V=3.50%D=5/21%Time=40AE052F%P=i686-pc-linux-gnu%r(Generic
SF:Lines,6,"SDPACK")%r(GetRequest,6,"SDPACK")%r(HTTPOptions,6,"SDPACK")%r(
SF:RTSPRequest,6,"SDPACK")%r(RPCCheck,6,"SDPACK")%r(DNSVersionBindReq,6,"S
SF:DPACK")%r(DNSStatusRequest,6,"SDPACK")%r(Help,6,"SDPACK")%r(SSLSessionR
SF:eq,6,"SDPACK")%r(SMBProgNeg,6,"SDPACK")%r(X11Probe,6,"SDPACK")%r(LPDStr
SF:ing,6,"SDPACK")%r(LDAPBindReq,6,"SDPACK")%r(LANDesk-RC,6,"SDPACK")%r(Te
SF:rminalServer,6,"SDPACK")%r(NCP,6,"SDPACK")%r(NotesRPC,6,"SDPACK")%r(WMS
SF:Request,6,"SDPACK")%r(oracle-tns,6,"SDPACK");
There were no obvious suspicious connections in netstat; of course this
could be because the binary had been modified, but the machine is behind a
load balancer. As the load balancer had been set not to send any connections
to it (due to a loss in performance), the probability of there having been
active connections to the box at the time is slim.
Other than the ServU files and some sort of crude-looking port scanner, so
far I haven't been able to find anything else. Does anyone know of a program
that can be used to scan for trojans offline, as I now have the machine's disk
loaded into my forensics system? I want to find out what other ports I need
to be suspicious of so that I can scan the rest of the network for them to
see if anything else looks compromised. I plan at some point to try and
reboot the system connected to a standalone switch to see what services come
back up and see if I can track them to any interesting local files.
Cheers,
Bob
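The nmap output quoted above is in nmap's "SF-" service-fingerprint format: one record per port, wrapped onto "SF:" continuation lines, with each probe's response stored escaped and prefixed by its hex length. The parser below is an added example, not code from the post or from nmap: it rejoins the records, decodes the responses, checks the declared length, and flags any banner matching the three indicators Bob reported (the "FR33-FXP3rs" FTP greeting on 7777, the fixed "SDPACK" reply on 10128, the "Who are you?" prompt on 3181), giving a port list to check elsewhere on the network. The embedded sample fingerprints are constructed (shortened versions of the post's, with the archive's address mangling removed) and the indicator-to-reason mapping is my own.

```python
import re
# Constructed sample in nmap's "SF-" service-fingerprint format: shortened versions
# of the post's fingerprints, not verbatim copies; "SF:" marks a continuation line.
SAMPLE = r"""
SF-Port3181-TCP:V=3.50%D=5/21%Time=40AE052D%P=i686-pc-linux-gnu%r(NULL,D,"
SF:Who\x20are\x20you\?\n");
SF-Port7777-TCP:V=3.50%D=5/21%Time=40AE052F%P=i686-pc-linux-gnu%r(NULL,18,
SF:"220\x20SiGN\x20-\x20FR33-FXP3rs\r\n")%r(GetRequest,1E,"220\x20SiGN\r
SF:\n530\x20Not\x20logged\x20in\.\r\n");
SF-Port10128-TCP:V=3.50%D=5/21%Time=40AE052F%P=i686-pc-linux-gnu%r(Generic
SF:Lines,6,"SDPACK")%r(GetRequest,6,"SDPACK")%r(Help,6,"SDPACK");
"""
HEADER_RE = re.compile(r"^SF-Port(\d+)-(TCP|UDP):(.*)$", re.M)
PROBE_RE = re.compile(r'%r\(([^,]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")
# Banner fragments taken from the post, each with why it is worth chasing (my mapping)
INDICATORS = {"FR33-FXP": "FTP greeting advertising a warez (FXP) drop site",
              "SDPACK": "same 'SDPACK' reply to every probe, as on the 10128 service",
              "Who are you?": "bare 'Who are you?' challenge on a non-standard port"}

def unescape(raw):
    # nmap escapes bytes as \xHH, CR/LF as \r \n, and quotes punctuation with '\'
    def sub(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return {"r": "\r", "n": "\n", "t": "\t"}.get(m.group(2), m.group(2))
    return ESC_RE.sub(sub, raw)

def parse_fingerprints(text):
    # Re-join wrapped records, then pull (probe, hex length, response) triples;
    # length_ok is False when the declared length disagrees with the decoded bytes.
    parsed = []
    for m in HEADER_RE.finditer(re.sub(r"\nSF:", "", text)):
        responses = {}
        for probe, hexlen, raw in PROBE_RE.findall(m.group(3)):
            resp = unescape(raw)
            responses[probe] = (resp, len(resp.encode("latin-1")) == int(hexlen, 16))
        parsed.append({"port": int(m.group(1)), "proto": m.group(2), "responses": responses})
    return parsed

def flag_suspicious(fingerprints):
    hits = []  # (port, probe, reason) for every decoded response matching an indicator
    for fp in fingerprints:
        for probe, (resp, _length_ok) in fp["responses"].items():
            for needle, why in INDICATORS.items():
                if needle in resp:
                    hits.append((fp["port"], probe, why))
                    break
    return hits
```

Feed it the raw text of the fingerprints and the distinct ports in the returned hits are the ones to look for on the other hosts; a False length flag means the pasted record was mangled and should not be trusted.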