Rooted
#1
Got a big prob here. A friend with an NT4 box has been rooted. Not only have they installed DameWare remote software, like pcAnywhere, but they have installed an FTP server on the quiet. Hacked by some runt called Gladdi-Tribun.
Now I've removed the remote control crap via Services, deleted the FTP server (with directories for Warez, MP3 and **** (no super_si, there wasn't any - I looked)). I installed Grisoft etc. for him and scanned it. No "official" trojans etc. However, in the aftermath of all this I'm left with two questions.
1. Firstly, his firewall is very tight indeed. All users except HTTP have to authenticate, leading me to believe his firewall may have been busted open (FW NG). Anyone know of any exploits that would allow this type of thing? There is no IIS running.
2. Secondly, how do I delete the folders? They have created folders, for example com1 etc., but I can't delete 'em. Any idea how? I'm getting "Cannot delete com1: Access is denied. Make sure the disk is not full etc. etc." I've deleted all sub-dirs though, and removed all the dodgy services.
Any ideas?
#2
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
I think I would be tempted to flatten the box and rebuild it.
Then migrate the data that you want back.
Then I would look at some IDS software, and check antivirus is up to date. Also run mshfnetchk (or whatever), Microsoft Hotfix Checker.
And speak to Jeff Wiltshire.
David
#4
Rebuild it from scratch to be on the safe side.
But if his firewall was locked down tight then it shouldn't be letting in services that are not required, e.g. ports for the remote control software, FTP etc.
The firewall should be locked down for incoming and outgoing traffic and, if need be, tied down to IP address for certain services.
H
#5
Scooby Regular
Without having a look at the rulebase it is very difficult to comment on how it happened. Chances are that there is a misconfiguration that has allowed this to happen.
I'm not aware of any Check Point specific exploits that would allow this to happen; it might be possible that some other machine within his environment has been rooted as well and this was used to attack the internal server. Typically the DMZ machines are attacked, which then gives the hacker access to the internal network. Most companies treat DMZ machines as a trusted network.
I would agree that the safest thing to do is rebuild the machine from scratch and then apply all the relevant patches.
Jeff
#6
That's easier said than done, I think. The box runs a bespoke DB and is a mission-critical box. Therefore it is a very major and disruptive task to rebuild. I honestly dunno what to tell him to do. I know a rebuild is safest but I don't think it's gonna happen.
#9
Software firewalls are pretty much a waste of time when dealing with good hackers. You can go straight through them with no real problems. To protect your network you need to have a dedicated machine running the firewall with packet inspection at the least. Preferably not a Windows machine... although they can be locked down if a lot of work is put into them.
You haven't said what kind of box it was that he was running, i.e. was it for home use or something else... This would give an insight as to what kind of person would compromise the box, and how much care you would need to take when reintroducing it to the net.
The fact that the cracker (hackers are great people) installed remote admin software and an FTP server leads me to believe that he's only a script kiddie and has not penetrated the firewall. He will have got in some other way. There are thousands of ways in without alerting the firewall. Even little things like cookies or allowing JavaScript in the browser or email software can put serious holes in the box.
From the kind of attack you have described, I would assume you should be fine after removing the software and cleaning the registry... Keep a close eye on outbound connections at all times though, alerting you when something accesses the net without permission.
If this was a good hacker, he would not have left these kinds of trails behind. Good hackers are much more stealthy. It's just a WISK (WIndows Skript Kiddie) you encountered.
#13
Rebuild
patch up
harden (properly)
Firewalls are useless against things like netcat which let you port through legit ports. Did you check the implied rules on CP?
Ideally, you want your server hack-proof (at service level) even if the firewall was completely open - defence in depth.
#14
The box is quite a "prize". It is a dual 900 MHz Dell PowerEdge with 1 GB mem and ~300 GB sitting on the end of a 2 MB leased line.
Port 80 is open because the firewall redirects the HTTP requests to the DMZ, on which the web server is located. The actual machine in question sits on the internal LAN.
I talked about rebuilding the box and just got an erm, well, perhaps, dunno type answer, so I will just have to lock the firewall down some more, if I can find the hole. I will try and post the rulebase later and see what you all think.
The actual firewall is NG Feature Pack 3 sitting on a hardened Win2K box, and this, from what I can see, hasn't been compromised.
Regards
Stuart
#17
IIS isn't installed. It's just I think the box had a little flaw because it was well patched etc. HOWEVER, I have just found iisinst.exe in the trash! Dubious! I tried to connect to it, i.e. http://localhost etc., but nothing was active, no IIS-related files.
This is the FTP server that was running.
It would suggest that it has been a script idiot because of the poor spelling: "scannend" instead of "scanned".
220-Serv-U FTP Server v3.0 for WinSock ready...
220-
220-
220-***********************************
220- Scannend by Gladdi ®
220-***********************************
220- Server Statistics:
220-
220- [ Your Ip xx.xx.xx.xx ]
220- [ Servertime: 09:16:42 ]
220- [ Total Users: 0 total ][ Online Users: 1 ]
220- [ Downloaded: 0 kb ][ Uploaded: 0 kb ]
220- [ Average bandwith: 0.000 kb/sec ]
220- [ Current bandwith: 0.000 kb/sec ]
220- [ Server is running since: 0 Days, 1 Hours, 7 Minutes,36 Seconds ]
220- [ Space left: 27430.02 ]
220-
220-***********************************
220- hacked by Gladdi-Tribun ®
220 ***********************************
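The banner above is itself evidence worth handling properly: the product line identifies software the owner never installed, the defacement text is an indicator, and the uptime places the service start on the incident timeline. The following is an added Python example (not from any poster) that parses an RFC 959 multi-line 220 greeting and reports those three things; the sample is the poster's banner trimmed to the lines used, and the approved-product set is assumed.

```python
"""Parse an FTP 220 greeting and flag signs of a rogue, defaced server.
Added example, not from the thread; SAMPLE_BANNER is the greeting the
poster captured (IP already masked there), trimmed to the lines used here."""
import re
from typing import Optional

# RFC 959 multi-line reply: "220-" continuation lines, closed by a "220 " line.
SAMPLE_BANNER = """220-Serv-U FTP Server v3.0 for WinSock ready...
220-***********************************
220- Scannend by Gladdi
220- [ Server is running since: 0 Days, 1 Hours, 7 Minutes,36 Seconds ]
220- hacked by Gladdi-Tribun
220 ***********************************
"""

# Defacement phrases (matched case-insensitively); "scannend by" is the misspelling seen in this banner.
DEFACEMENT_MARKERS = ("hacked by", "scanned by", "scannend by", "owned by")

def parse_greeting(raw: str) -> list[str]:
    """Return the payload of every '220-'/'220 ' line; reject anything else."""
    lines = []
    for line in raw.splitlines():
        m = re.match(r"^220[- ](.*)$", line)
        if m:
            lines.append(m.group(1).strip())
        elif line.strip():
            raise ValueError(f"not part of a 220 greeting: {line!r}")
    return lines

def uptime_seconds(lines: list[str]) -> Optional[int]:
    """Convert 'running since: D Days, H Hours, M Minutes,S Seconds' to seconds."""
    for line in lines:
        m = re.search(r"(\d+) Days?, (\d+) Hours?, (\d+) Minutes?,\s*(\d+) Seconds?", line)
        if m:
            d, h, mi, s = map(int, m.groups())
            return ((d * 24 + h) * 60 + mi) * 60 + s
    return None

def assess(raw: str, approved_products: set) -> dict:
    """Summarise the greeting: product/version, defacement hits, uptime."""
    lines = parse_greeting(raw)
    m = re.match(r"(.+?) v(\d+(?:\.\d+)*)", lines[0]) if lines else None
    product, version = (m.group(1), m.group(2)) if m else (None, None)
    findings = []
    if product is not None and product not in approved_products:
        findings.append(f"unapproved FTP software: {product} {version}")
    findings += [f"defacement text: {l}" for l in lines
                 if any(k in l.lower() for k in DEFACEMENT_MARKERS)]
    return {"product": product, "version": version,
            "uptime_seconds": uptime_seconds(lines), "findings": findings}
```

Run `assess(SAMPLE_BANNER, {"Microsoft FTP Service"})` to see three findings and an uptime of 4056 seconds, i.e. the server had been (re)started about an hour before the banner was captured.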
#18
Scooby Regular
Join Date: Sep 2002
Location: Essexville
Posts: 4,391
Or you can get a double-refractive thermo energiser model VII and couple this with a high-grade wax-sealed potentiometer, and dial in some security until you're happy.
Then superglue the rotary spindle in place for security.
Badger stuffer's solution is cheaper though.
good luck
BB
Or you can get the hacker to deal direct with Gedi, and he'll probably nod off after 10 seconds, thus rendering him harmless.
#19
Scooby Regular
Join Date: Sep 2002
Location: Essexville
Posts: 4,391
Seriously stueyb,
that's quite bad...
This script looks like it tried to install this FTP tool.
Is there a green U on the taskbar/system tray??
Have a look for a Serv-U folder and corresponding .ini type file.
This may indicate where the connection came from.
i.e. you have to add users to this service, and he may have twatted himself and published his IP address.
Just a thought!!
BB
#22
I did look and I did find the .ini files. There wasn't the systray icon there, but it had been installed in a hidden directory in the recycle bin on the D:\ drive.
The .ini files had no IP addys, just usernames and encrypted passwords. It also had a "backup" copy of the FTP server called "ate".
#28
Still can't delete it. It says it can't find the path specified. I know the path is correct. There are some other files, for instance config.log, that I can see but the file system refuses to open or even see.
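The undeletable com1 folder from #1 and the "cannot find the path specified" in #28 are the classic symptom of a directory named after a DOS device name, which the Win32 path parser resolves to the device instead of the folder. Below is an added Python example (not from any poster) that finds such directories and removes them through the `\\?\` extended-length path form, the same trick as `rd /s /q \\?\D:\path\com1` at a cmd prompt; the drive letters in it are placeholders.

```python
"""Locate and remove directories named after Windows reserved device names.

Added example, not from the thread. Names such as COM1, LPT1, AUX or NUL are
resolved to the device by the Win32 path parser, so Explorer and a plain
``rd`` report "Access is denied" or "cannot find the path". The ``\\\\?\\``
prefix hands the path to the filesystem verbatim, bypassing that parsing.
"""
import os
import shutil
import sys

# Reserved DOS device names; a component whose stem (text before the first
# dot, trailing spaces ignored) matches one of these is parsed as a device.
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})

def is_reserved_name(name: str) -> bool:
    """True if this path component would be interpreted as a DOS device."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_NAMES

def extended_path(path: str) -> str:
    """Return the Win32 extended-length (``\\\\?\\``) form of an absolute path;
    such paths get no device-name resolution and no 260-character limit."""
    path = path.replace("/", "\\")
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):              # UNC share -> \\?\UNC\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path

def find_reserved_dirs(root: str) -> list[str]:
    """Walk ``root`` and list directories whose names are reserved device names."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        hits += [os.path.join(dirpath, d) for d in dirnames if is_reserved_name(d)]
    return hits

def remove_reserved_dir(path: str) -> None:
    """Delete a reserved-name directory tree via its extended-length path (Windows only)."""
    if sys.platform != "win32":
        raise OSError("extended-length paths only have meaning on Windows")
    # Make only the parent absolute: normalising the full path would turn the
    # reserved last component into a device reference (e.g. \\.\com1).
    parent, name = os.path.split(path)
    shutil.rmtree(extended_path(os.path.join(os.path.abspath(parent), name)))

if __name__ == "__main__":
    for d in find_reserved_dirs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("reserved-name directory:", d)
```

If the removal still fails with an extended-length path, the remaining obstacle is an ACL rather than the name: take ownership of the directory as Administrator and grant yourself Full Control before retrying.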