-
Millenium Backdoor?
I'm scanning a website IP for potential vulnerabilities (I'm admin of that website). I noticed 33 open ports, but most of them are ports being used by legit programs, including SSH and FTP. One thing that smells fishy though is port 20000 and port 20001. It's telling me port 20000 is being used by Millenium and 20001 is being used by Millenium backdoor. I clicked on it for more detail and this is what it gives:
20001 : Millennium backdoor
Port type TCP
TCP Protocols HTTP
Version HTTP/1.1
Server Indy/9.00.10
Redirect detected Yes
What do I make of that information? Is it telling me that it's connected to a server and communicating with it?
Also, a little more research on Millenium Backdoor results in this:
Name: Millenium
Aliases: BackDoor-L.srv, BackDoor-L.vli, Backdoor.Millenium,
Ports: 20000, 20001 (ports can not be changed)
Files: Milleniumtrojan.zip - 84,250 bytes Millenium2.zip - Client.exe - 164,352 bytes Client.exe - 198,144 bytes Server.exe - Spy.exe - 48,128 bytes Blonde.exe - Reg66.exe - Comctl32.ocx - 604,432 bytes Icqupdate.exe - 54,272 bytes Hool.exe -
Created: Nov 1998
Requires:
Actions: Remote Access / Keylogger. Alters Win.ini. Has been disguised as a Y2K system updater.
Versions: 0.9, 1.0, 2.0 beta,
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Notes: Works on Windows 95, 98 and NT. Spy.exe is said to be infected with the malicious virus Win.CIH from Taiwan.
Country:
Language: Written in Visual Basic.
Is it vital for me to contact the hosting company ASAP? It also shows 21 vulnerabilities which I'll be contacting them on (RPCs and buffer overflows for Apache, and OpenSSH). Any help would be greatly appreciated. One more thing: as I continue getting more and more involved with Network Security and Forensics, I try to learn as much as possible. I can figure out ways to find the vulnerabilities on the targets, but how do you exploit them? Don't answer it here; if you want to help, please PM me instead.
-
Dnp?
According to http://www.iana.org/assignments/port-numbers
dnp 20000/tcp DNP
dnp 20000/udp DNP
It could also be DNP. (Which I am trying to figure out what it is)
-
But why's it telling me Millenium Backdoor on it? One window shows the port number, the other one tells me what process is using it at the moment.
-
Since you probably aren't running DNP 3.0 or less on this server, (but you might want to check with the provider), I would suggest that this is, indeed, a bad thing.....
However, I think this is worse than bad...... :eek:
I think that you are scanning from outside, (since you say you will contact the provider), correct me if I'm wrong.....
That being the case, 33 open ports is a hell of a lot for a provider to allow to a single host. The fact that a port like 20000 is available from outside indicates either that the box is unfirewalled or that it is firewalled with a piece of swiss cheese, (which would be bad too... ;)). I would be asking some fairly serious questions about the firewall.... One I would ask is "Can I see the firewall logs for this host on xx/xx/04".... It's a pleasant way of seeing if they know what they are doing.....
In any case, 20000-1 should not be open to the world.
-
Also ask for the maintenance log of the server; they should easily be able to provide an up-to-date list of all of the changes made by the admins. Documentation is extremely important but most people just "don't have the time".
-
I'll let cheyenne know about it. He's the one in contact directly with them. Thanks very much for the responses.
-
KorpDeath is a Genius.....
KorpDeath is a Genius.....
KorpDeath is a Genius.....
If you are serious about this business, (security), being on the cutting edge, is important. But you can't cover _every_ last thing.... There's going to be a mistake somewhere or something that you couldn't foresee that will bite you somewhere painful.
At that point you have two choices:-
1. Sit back and say "wtf"
2. Go through the logs and find out what happened.
I'm a big proponent of number 2. Number 1 is plain embarrassing when the CEO asks the same question number 1 did... ;)
Granted you can't log every last packet across your network, but you can log "high risk" systems heavily, you can log all "allowed in" at the firewall, you can have an IDS logging "odd" stuff, you can log web, smtp and ftp stuff etc. etc. etc. It really doesn't take that much disk space if you run it to text.....
But when the poop hits the proverbial fan you may be able to go back and link some things together that tell you some of what happened...... It might be the difference between reformatting every machine on the network and just reformatting a few......
-
Now this webserver also contains many other webservers on it with other services running besides an Apache web server. For instance, the webserver we have on this box is linked to another box that is running a live stat program for game servers. Would it be possible that the port scanner is misidentifying a port as a trojan?
-
33 ports! Sweet crap in the morning. I can't think of 33 services that I would willfully provide to anyone!
-
Port 20,000 could be Millenium, Psycho Files or XHX.
Port 20,001 could be Millenium, Psycho Files or Insect....
what firewall are you running? also, where did you get the info that millenium is the actual program installed :confused:
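The thread's underlying point, from the first post's scanner output to the last reply's question about where the "Millenium" label came from, is that a scanner's port name is a static table lookup while the banner (HTTP/1.1, Server: Indy/9.00.10, redirect) is the only observed evidence. The following added example (not code from any poster) separates the two for a port; the raw HTTP reply, the table entries and the hostname are constructed for illustration.

```python
import re

# Constructed sample reply as the scanner might have captured it on port 20001.
# Only the Server header value comes from the thread; the rest is made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Indy/9.00.10\r\n"
    "Location: http://example.invalid/index.html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Static port-to-name table of the kind scanners ship (names from the thread).
# Nothing here is evidence; it is what the tool prints before looking at the wire.
PORT_NAME_TABLE = {
    20000: ["dnp", "Millennium"],
    20001: ["Millennium backdoor"],
}


def parse_http_banner(raw):
    """Return only the facts observable from the reply, or None if it is not HTTP."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3})", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    status = int(m.group(2))
    return {
        "version": "HTTP/" + m.group(1),
        "status": status,
        "server": headers.get("server", ""),
        # "Redirect detected" in the scanner output means a 3xx with a Location header
        "redirect": 300 <= status < 400 and "location" in headers,
    }


def triage(port, raw):
    """Keep the table guess and the observed banner apart so the host gets real evidence."""
    observed = parse_http_banner(raw)
    return {
        "port": port,
        "table_guesses": PORT_NAME_TABLE.get(port, []),   # speculative, name table only
        "observed": observed,                            # what actually answered
        "next_step": "ask the host which process listens here (netstat/lsof) and why it is exposed",
    }
```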