May 20th, 2004, 03:44 PM
I recently had to scrub a Windows server that was compromised while I was reconfiguring my firewall. Not my most shining moment as a sysadmin, but this is part of my business. Scrubbing Windows servers.
At any rate, one easily identifiable intrusion was a new Windows service called Dameware. This service seemed so neat and eager to be managed that I checked into it and, yes, it's legit remote control software for administrators. Except that it doesn't belong on my box.
The behavior I observed on the machine (before I scraped the drive clean and re-installed it) included enormous network activity (80 Mbps+) and an open port to some IP in France.
Since I did not do any kind of real investigation into what was being done to my machine, I'll never know what was eating up that bandwidth, but I'm wondering what the AO community thinks Dameware would be used for. Is it just a simple, easy capture of a system with loose Windows account security? Is there a known exploit that maybe I won't be prepared for next time? Is it commonly associated with another kind of attack?
My reason for wondering is that I don't think it's satisfactory for me to put a server behind a firewall and forget about securing it as best I can. If there is an exploit out there that points to my configuration, I want to be ready for it, firewall or no.
May 20th, 2004, 05:42 PM
Dameware was made to be a utility to remotely access a computer when you are away from it, kinda like NetBus or pcAnywhere. Now don't quote me on this, but I think you can only use Dameware if you are on the same network. If you can use Dameware and get into someone's box you can do pretty much anything you want; you have admin privileges, basically. So, if this person or persons did get into your box they could prolly get into your network also and do pretty much anything they pleased. The good thing is that Dameware has to be installed on the "attacker's" box and yours too, and when they start it up you can usually see a little Dameware "icon" at the bottom of your screen. I don't know how to remove Dameware, but I say Google it. Well, that's all I have, hope I helped. Send me a PM if you need more info. Bye.
May 20th, 2004, 06:03 PM
Okay -- thanks. If Dameware is a utility to be used only on the local network, that gives me something to look for on the rest of my network. And it's an easy uninstall -- it was right there in Add/Remove Programs.
But when it's something like this, the safest thing to do is uninstall it with FDISK. Which is what I did.
May 20th, 2004, 06:08 PM
fdisking is alright, but I really feel more comfortable doing at least a 1x overwrite. If you download BCWipe from www.jetico.com it comes with a utility called BCWipePD which you can copy to a bootable floppy or CD and use to do an overwrite of any drive with any selected number of passes. Great utility, and I wouldn't say it is really that slow.
May 20th, 2004, 06:28 PM
BCWipePD is not a tool I've heard of, so I'll check it out.
But all things considered . . . come on, if some IRC bot is passing out French versions of Troy from my server because I let some bored college student own it, wiping and reinstalling with all the holes fixed will stop the spread of dubbed gladiator movies just fine.
I guess I don't consider the data protection an issue because there is no physical access to the box and it just provided services, not shared data.
I'll go check out BCWipe nonetheless --
May 21st, 2004, 01:06 AM
Dameware works quite well across the Internet, and installed the way you found it, that is probably the way it was being used. I've found it running on computers that have been turned into warez servers. Because it is 'real' software, antivirus programs don't pick it up as being a back door. The warez groups actually use it to administer the computer. I guess edlin is too difficult for them to modify the servu.ini or FireDaemon.
After a backdoor is initially established (like netcat, also not detected as a virus/trojan), the other files are usually tftp/ftp'd over. A stripped-down version of FireDaemon is usually used to make all their devices run as services. Too bad you wiped it clean... probably had some good movies on it, j/k.
I couldn't agree with you more. fdisk is the way to go. You never know what else has been installed as a back-up means of entry, and it's really not worth taking the chance.
Warez gangs are as tenacious as spammers, and every exploit that can be used is used: from NetBIOS hacking with worms like Muma to any BoF that can spawn a shell. Every patch needs to be installed as soon as it is released.
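A defender-side check for the pattern described in this thread (legitimate remote-admin or service-wrapper software such as Dameware or FireDaemon registered as a Windows service so antivirus ignores it), added here as an example and not code from the thread or any poster: it inventories services and flags names or binaries matching the tools named above, binaries living outside the usual system directories, and binaries without a valid Authenticode signature. The name patterns and the "expected" directory list are assumptions to adapt to your own environment.

```powershell
# Added example (not from the thread): inventory Windows services and flag ones that
# resemble the warez-style foothold described above. The patterns below are assumptions
# drawn from the tools this thread mentions; extend them for your environment.
$suspectPatterns = @('dameware', 'dwrcs', 'firedaemon', 'servu', 'serv-u', 'netcat', '\bnc\.exe')
$expectedRoots   = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; return only the executable.
    # (An unquoted path containing spaces will be truncated at the first space; review those by hand.)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    $reasons = @()

    # 1. Name, display name or binary matches a tool from the thread.
    $blob = "$($svc.Name) $($svc.DisplayName) $exe"
    foreach ($p in $suspectPatterns) {
        if ($blob -imatch $p) { $reasons += "matches '$p'" }
    }

    # 2. Service binary sits outside Windows / Program Files (common for dropped tools).
    if ($exe -and -not ($expectedRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $reasons += 'binary outside Windows/Program Files'
    }

    # 3. Binary is unsigned, has a broken signature, or no longer exists on disk.
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } elseif ($exe) {
        $reasons += 'binary path does not exist'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Binary    = $exe
            Reasons   = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt and compare the output against a known-good build of the same server; an unsigned service binary in a directory you did not create is the kind of entry the thread describes.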