Hacked !!!!!!

look guys, this is a standard Warez rooting job, it's nothing fancy, it exployts well-known flaws in systems, you find tut's of this all over the web. I even tried it on one of my machines its damn easy. Chances are, he used a program like X-Scan to look up holes in your system, then logged in remotly through CMD or DOS, then he droped in the files and executed them, then he re-connected to your system using the FTP or telnet to give him more access, then he set up the rest, and your computer is now a happy pimpin' wh**e. They won't do any thing to your system untill they think you know about them, your system is "safe" (Saying that sounds kinda funny). What you need to do is get some info as to who this person is, send of an abuse mail with all the info you'v got, then remove all the files that have been uploaded. they are prolly in only one or two directorys....navigating remotly can be hard, and these people are lazy. Then I suggest you get Outpost, a nice small and very effective firewall(FREE:D ). then drop his IP and upgrade every thing that can be upgraded......you should be fine then.

Also, keep in mind, this person is prolly no older than 15-16, so they could get into a bit of trouble.....still hacking is illegal.

Now that you know wot's going on, your should have it all done in a couple of min's. PM me if any thing comes up :)

- Noia

I'm with Tseng and Noia...... This is messy and done by kiddies. Unfortunately the honeypot probably won't work now you have pulled the box back inside the firewall because it is now apparent that you know that they are there..... The additional problem there is that if they came in through port 80 in the first place they can still come back and they may be pissed..... I would reconsider having it in the DMZ where your other machines will be protected from it, right now they are all on the same network and that could be bad if they can get back on.

Since they appear to have been on the box for a week or more I would suggest a format and reload of all software now. I would consider a different web server and firewall the box for all except port 80, (I understand that the wife want's her damn web server regardless of the consequences). Changing the server software and patching it right up to date may mean that the less than talented kids may not have a current exploit to get back on the box. Put it in the DMZ with it's own software firewall.

I looked carefully at the information you sent me last night and that's why I come to the conclusion that they are untalented crackers...... I don't believe they wrote the install bat themselves - in fact the file is most likely incomplete and written by somone only slightly more talent..... Why?

1. A really obvious one..... You gotta figure that an attempt to delete the ADMIN$ share is going to come back with the error "There are files open... Are you sure" It would cost nothing for the author to have added a file y.txt containing the letter "y" and a carriage return and piped the input into the command so: net share /delete ADMIN$ < y.txt. Actually s/he should have done this with _any_ command that may error out to ensure successful and uninterrupted execution of the batch file.

2. I was puzzled for a while about the first three lines.... Set key = 1 - check to see what version the OS is then set the key to 2 but then never reference the key again????? Then the light bulb came on and it is the biggest reason why I say they are utterly untalented........ This install bat was a generic - It would function on any Windows system - but we don't have the whole file here - there were a bunch of other lines setting the key to different values dependent upon version and then there was a do case portion that jumped to the appropriate code section - now here's the funny bit - the skiddies already knew it was a 2k box so they cut out the code they didn't need - but they don't know what the key setting does so they left it in....... (if I'm wrong....someone slap me....), and I find that hilariously funny.

That's my 2c and my advice..... I would also start some kind of system to watch this box for a while..... Put it in the DMZ on a _hub_... the linksys is a switch so a sniffer won't work directly... stealth the box, (unbind all services from the nic) and sniff all traffic to and from the box..... If you need help analyzing the captures then you can sanitize them and post them here and we'll try to interpret them for you.

Good luck

Ya know, I have already learned so much from your posts and guidance that I'm glad this happened.

This is working out great. I really don't know how to say thanks. I mean a strange user pops in with a problem and you guys jump all over it. Whatta great site. I'm going to need to start spending more time here again. I believe at one time, I had the most viewed post on the board. Some nonsense about "What is Anti Online" LOL That was a couple years ago.

Anyway......

It seems I have already messed up the possibility of a honeypot or anything along those lines. Sorry, guys. This was the first time I had been compromised and although, I wouldn't say I was in a panic, I was certainly anxious to resecure the box.

So, now I go about the business of securing the network and isolating the server.

I have a lot of hardware at my disposal and a ton of time.

If someone wants to play, I would certainly be a good student (I promise). LOL

On the other hand, you guys have real lives and I am not asking for you to spoon feed me all your knowledge about security. So, a simple fix is an option.

I have some old P1/233/mmx boxes and a copy of RedHat. I'm not very good with Linux but, I'm an old DOS man and not afraid of the command line. So, setting up a Linux box as a firewall is an option.

For now, let me list what I need to do as a minimun. Then we can move on.

Place server IP back in DMZ
Install Zone Alarm with default settings (I can use any firewall you want. ZA is on it now).
Make sure Savant is current
Make sure OS is current (I am using SP2. I read a ton of bad stuff about SP3 so, I avoided it)

OK....all that is done. Why don't I feel secure? LOL Is there anything else in the "minimum needs" category that I'm missing?

And, I would really rather not reformat and reload right now. There may be more to learn. I have another 120GB sitting on the bench that I can drop in any time.

Well, I said I was going to keep it short. Just an old windbag. LOL

PS. Man, Zonealarm is screaming. Would the ZA log tell you guys anything? I could zip it and host it (I can't seem to attach files to posts). Also, anyone who wants to review the security on my server is welcome. Just tell me first so I don't freak out if I see it. LOL Thanks again folks.

Quote:

---

Originally posted here by KapperDog
It seems I have already messed up the possibility of a honeypot or anything along those lines. Sorry, guys. This was the first time I had been compromised and although, I wouldn't say I was in a panic, I was certainly anxious to resecure the box.

---

No probs..... I'm sure it was a little scarey.... I got hit once a few years ago.... I had no idea where to start so I simply started from scratch..... Lost my opportunity to learn some stuff right there..... But it's made me learn a lot more since...<s>

Quote:

---

I have some old P1/233/mmx boxes and a copy of RedHat. I'm not very good with Linux but, I'm an old DOS man and not afraid of the command line. So, setting up a Linux box as a firewall is an option.

---

Your linksys is fine if you keep the server in the dmz. You could use the Linux as the stealth sniffer using ethereal and or snort and capture all traffic to and from that server. That'll really give you something to look at.

Quote:

---

Place server IP back in DMZ
Install Zone Alarm with default settings (I can use any firewall you want. ZA is on it now).
Make sure Savant is current
Make sure OS is current (I am using SP2. I read a ton of bad stuff about SP3 so, I avoided it)

---

Go to SP3 and then make sure that all patches are fully up to date. I don't know savant... I'll get yelled at here....<s> But i'd be inclined to switch on the IIS and patch it and harden it. For those of you yelling.... He claimed it was the latest version and we don't know if the savant server was their method of ingress in the first place - they may not have a good exploit against a properly patched and hardened IIS server at this point.....

Quote:

---

PS. Man, Zonealarm is screaming. Would the ZA log tell you guys anything? I could zip it and host it (I can't seem to attach files to posts). Also, anyone who wants to review the security on my server is welcome. Just tell me first so I don't freak out if I see it. LOL Thanks again folks.

---

can you see if the traffic is relevant..... Is it from Europe? Is it looking for port 21? Stuff like that......

OOoooooo IIS? I don't think so. LOL

It's just too big of a target. Since I'm just playing and I always seem to have 10 projects on the burner, I can't always give enough attention to any one proj.

I think I would set up a Linux box and use Apache before I would go with IIS. I just set up a forum using YaBB and it pretty much sux. LOL so a linux server would open up opportunities for UUB and vBull.

As far as SP3, what about all the bad stories of bugs and reporting back to MS? I'm not worried about anything that's on any of my boxes but, I don't like not knowing what my puter is doing. LOL

I just updated from Win98SE to 2kPro about a year ago. I really like it. XP is a little too "Girly" for me. LOL

Anyway, back to business....

The server IP is in the DMZ

Zone Alarm is installed ( I need to review the settings)

I can shut down Savant. That will simplify things.

At that point, there should be zero traffic on that box, right?

Thanks again for everything guys. I need to shuffle off to work for a few hours and I'm going to shut everything down till I get back.

wow, after 5 pages its done.... but i still say report his ass..... ^_^, he still hacked you.... and thats not being a very good now is it?

OK, guys. 5PM EST I'm up.

The server is online.

ZoneAlarm is running (and screaming, I might add)

Savant is NOT running.

Server IP is in the DMZ

I still need to undo the reg entries he made although, I deleted all the telnet files for now. I also deleted the DNTUS26.exe. I'm still a little dumb about the reg file.

I also need to tweak ZA because I'm getting pounded with ZoneAlarm NetBios alerts from the other boxes on my LAN.

netstat -na 5 shows this....

Code:

---

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029        0.0.0.0:0              LISTENING
  TCP    192.168.1.200:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1038        *:*
  UDP    192.168.1.200:137      *:*
  UDP    192.168.1.200:138      *:*
  UDP    192.168.1.200:500      *:*

---

After 10 minutes, here is the ZA log.....

Code:

---

ZoneAlarm Logging Client v3.1.395
Windows 2000-5.0.2195-Service Pack 2-SP
type,date,time,source,destination,transport
PE,2003/02/19,17:00:10 -5:00 GMT,LiveUpdate Engine COM Module,64.215.166.38:80,N/A
FWIN,2003/02/19,17:00:18 -5:00 GMT,216.39.177.75:1355,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:00:18 -5:00 GMT,216.39.177.75:1354,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:00:20 -5:00 GMT,216.39.177.75:1354,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:00:20 -5:00 GMT,216.39.177.75:1355,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:00:36 -5:00 GMT,216.39.177.75:1358,192.168.1.200:80,TCP (flags:S)
FWOUT,2003/02/19,17:03:40 -5:00 GMT,192.168.1.200:1079,192.168.1.101:139,TCP (flags:S)
FWIN,2003/02/19,17:04:18 -5:00 GMT,65.24.0.166:53,192.168.1.200:1025,UDP
FWOUT,2003/02/19,17:04:32 -5:00 GMT,192.168.1.200:1080,192.168.1.101:139,TCP (flags:S)
FWOUT,2003/02/19,17:05:26 -5:00 GMT,192.168.1.200:1081,192.168.1.101:139,TCP (flags:S)
FWOUT,2003/02/19,17:06:18 -5:00 GMT,192.168.1.200:1082,192.168.1.101:139,TCP (flags:S)
FWOUT,2003/02/19,17:07:12 -5:00 GMT,192.168.1.200:1083,192.168.1.101:139,TCP (flags:S)
FWIN,2003/02/19,17:07:30 -5:00 GMT,24.30.102.93:3303,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:30 -5:00 GMT,24.30.102.93:3304,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:32 -5:00 GMT,24.30.102.93:3309,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:32 -5:00 GMT,24.30.102.93:3310,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:34 -5:00 GMT,24.30.102.93:3311,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:34 -5:00 GMT,24.30.102.93:3312,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:36 -5:00 GMT,24.30.102.93:3313,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:38 -5:00 GMT,24.30.102.93:3320,192.168.1.200:80,TCP (flags:S)
FWIN,2003/02/19,17:07:40 -5:00 GMT,24.30.102.93:3321,192.168.1.200:80,TCP (flags:S)
FWOUT,2003/02/19,17:10:02 -5:00 GMT,192.168.1.200:1094,192.168.1.101:139,TCP (flags:S)
FWIN,2003/02/19,17:10:28 -5:00 GMT,192.168.1.103:137,192.168.1.200:137,UDP

---

I need to check in with some other groups. I'll be back in an hour.

Thanks agin for all your help, guys. I would have never done this alone. If it was me alone, a simple format would have ended it all. LOL And, I would not have learned a thing.

I owe you guys a big one.

Hey guys. What about WinMgmt.exe?

It's running and I cant shut it down. I read a little about it and it seems like a std part of windows.

Can I leave that running or do I need to address that?

Sorry to throw so much at ya.

Thanks again.

Hey, does Negative still hang here?

Personally, I think you should give yourself a big pat-on-the-back too and I believe Tiger Shark and the others who posted in this thread would agree, you were the one that posted the information which help us, help you. Right from the start you were giving us important info on what was going on. I have seen other threads started which basically start off with "HELP - I have been Hacked, What to I do...Help Me...Help Me....etc". And then it's like pulling teeth trying to get the info to help.

Anyways, good job.

Cheers:

Whoaaaaaa, wait a minute. LOL The last thing we're going to do is pat me on the back.

Geeze. I was the dumb ass that put a box in the DMZ with no firewall. C'mon. I've been hacking computers since my first TI-99/4a. Not very well, obviously. LOL I should have known better. There's no excuse.

Now, kudos certainly go to all that helped me out here. I can't say thanks enough.

I'm still alittle worried about WinMgmt.exe running (the file is at 3 diff locations on my HDD). Something stinks. LOL

I can't say I understand what it's like for you, but when I was the sysadmin for a school I found out one Win2K box had been compromised and used as a warez server, mostly french divx's and games. I was pissed as hell and my boss didn't want to pursue the attacker (he was worried it would cost too much legal $$$, so had me just harden the box). The only way I noticed was the tiny amount of free disk space during a defrag. To see the email addresses to send the complaints to the isp for that 80.14.79.43 ip, go here: http://www.dshield.org/ipinfo.php?ip=80.14.79.43
It lists all the whois and contact info for that ip block, maybe you can get this little bugger.
Good luck, and remember it's experiences like this that teach you more than any book can!
Sorry it happened, but hacking is a fact of life--that's why antionline's here! If you want one computer dedicated for complete webserving the most secure way possible, I suggest learning OpenBSD or FreeBSD if you have the time. These are probably the best webserving operating systems, with years of uptime in some instances and have some of the most efficient TCP/IP stacks around.

I hoped this helped at least a little.

I have one suggestion for you. Since you are running ZoneAlarm, go to Visualize Software and get a copy of VisualZone. It is a ZoneAlarm log reader. It parses the log entries out in a spreadsheet-type form, with some built-in lookup features (WHOIS and a map feature). It will also do a reverse NetBios lookup on all attackers, if you want!
I use ZA, and I hated trying to read through the logs, until I found VisualZone. I think it will help.

Boy. Great minds think alike. I was just going to ask if anyone knew of a proggy that would format ZALogs. I knew I remembered something about that.

Thanks.

If I may impose myself a little more on you nice folks, I have a question.

Right now, I have the server up with Savant NOT running.

The fireway is getting pounded. The alerts are coming up so fast I can't even work on the box. I know I can turn off the alerts but, mu question is this.

Since the ebay auctions are still being viewed the requests from the pics embeded in the ebay descriptions are what is pounding the firewall.....right?

Thanks again...and again...LOL

Very interesting thread. Kapperdog I would just like to say that you have a really good attitude about this whole thing. I would have probably freaked out if this happened to me. I have learned a lot from this thread. THis is the first time I have actually seen logs of a hack and what they were trying to do. I am new and very much interested in what he was trying to do. I can't make a whole lot of sense of what he was doing besides some of the obvious stuff such as creating himself as a user and disabling netbios and other various things but there is a lot of the code that I don't understand. I was wondering if anyone might give a brief description of what exactly the hacker was doing or trying to do. Thanks


coVert

Ah, just kids havin' fun.

I wouldn't suggest ZA on a LAN, it has crap NetBIOS support....I use Outpost from www.agnitum.com
You can set netBIOS to Work only on a specific IP range or a list of IP's, it sure made my life alot better :)

As for the whole format you drive stuff, forget it, your system hasn't been Broken wide open. They found a small hole which you'v closed, nothing to worry about, looks like you found out before they started uploading data. Oh well, your safe for another day :) Just get a firewall, undo the reg's and delete their data and you should be sorted....I suggest you get spyBot search and destroy while your at it, it's free and should be able to pick up on any rooting kit's or hacking tools still left on your system :)
Hope every thing works out.

- Noia

In for a little comic relief?

As expected, I'm pouring over this box looking for abnormal characteristics and I find a zip file with a name a mile long that sure looks like a hackers file. I mean c'mon, who else would start a file name with "avenge"?

avenge$201.5$20microdefs2_microdefsb.feb_symalllanguages_livetri.zip

Well, being a little paranoid, I am afraid to open the file so, I copy it to a floppy and take it to an old box I used to use to play with virii and stuff.

Had to laugh my ass off when I discovered that avenge could also stand for anti virus english. LMAO

You would think Norton would know better than to scare me like that. LMAO

I have had the server up for a day and, although the firewall is getting hit pretty heavy, I think the skiddies might have left in search of an easier box.

I have restarted Savant to see if there are any attempts directed at that.

Any suggestions for a good proggy to watch my ports.

Right now, I'm just using netstat but, I used to have a proggy in the past called portmon that had a few more features.

Any suggestions on a current monitor?

Anyone recognize this.......


217.88.188.12 - - [20/Feb/2003:13:42:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\" 403 259
217.88.188.12 - - [20/Feb/2003:13:43:00 -0500] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\" 403 259

Kapperdog,

Great thread .. have reallly enjoyed reading and following this one.

I might be wrong but that looks like the classic Code Red, Nimda exploit - see it all the time in my apache logs. Your server is returning a 403 code, this is good :)

Google the first part of the string "GET /scripts/..%c0%af../winnt/system32/cmd.exe?" and you will find hundreds of links to info on this exploit.

Regards,

PP

Phat_Penguin is right, it is Code Red, my snot logs are full of these hits.

Quote:

---

length = 94

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 2f../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 m32/cmd.exe?/c+d
030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 ir r HTTP/1.0..H
040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65 ost: www..Connne
050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A ction: close..

---

You may also see hits something like this:

Quote:

---

length = 72

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F GET /scripts/roo
010 : 74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54 t.exe?/c+dir HTT
020 : 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 P/1.0..Host: www
030 : 0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 ..Connnection: c
040 : 6C 6F 73 65 0D 0A 0D 0A lose....

---

This too, is Code Red.

Your not running IIS, so you should be fine.

Cheers:

Some of you have given some VERY bad advice here. Having the hacked PC as the DMZ host doesn't disconnect the hacked machine from the rest of your network with home routers. All it does is forward all ports to the IP address you've specified as the DMZ host. Because of this, the other PC's on the LAN can be compromised very easily using the DMZ host, once it's been hacked. To do this, all the hacker would have to do is determine the DMZ host's real IP address, and from the hacked host, scan the same subnet for any more PC's that respond. Then ordinary netBIOS exploits can be used if the network is based on windows PC's. I know this because I used to do nasty things like this a couple of years ago. Even if the other PC's are firewalled, chances are the DMZ host will be trusted to maintain connectivity with the other PC's on the LAN. As proof of this, one of KapperDog's posts says after installing ZA on the compromised PC, it's getting lots of traffic from the other machines on the network. This shows the DMZ host is not isolated from the rest of the network.

The proper advice would be to firewall the other PC's, and don't let any traffic from the compromised host into the other computers. Personally, If I was going to learn from this, I'd leave the hacked PC as the DMZ host, and firewall it off by putting firewall software on the other computers, and specifically blocking the DMZ IP address. Then the hacker can do as they please whilst your other PC's are protected. Doing anything else puts the other PC's at risk, if they are discovered. I'd also consider putting firewall software on the compromised machine, but allowing all traffic from all addresses, and having a rule to specifically block outgoing traffic to the router's IP address so the router is unreachable from the hacked PC. This is to prevent any settings being changed, which could make the situation worse.

Just my opinion...

Quote:

---

Any suggestions for a good proggy to watch my ports

---

I have tried a ton of NetStats like software and I consider NeoMonitor as the best. It works fine and it have some interesting side features.
Just my 2 cents.

KC

Yeah, Neomonitor is nice.

This was a great thread to read over, and lemme add something to it, before it dies off.

Over the last 2 days, I've had people, from french isp's, trying to access my machine via port 21 according to ZoneAlarm, just though that was ironic.

Pretty weird, I'd say.

Probably just random port-scans and idiot skiddies trying to "hack" my box.

All i know is, I don't know what I did to piss off France, but they really wanna get in, heh.

LMAO My 2 year old version of Neomon is still the current ver. That's great.

Beryllium9, I wouldn't say anyone gave bad advice. A lot of different things have been said in this thread. I appreciate being able to learn from all of them.

However, what you say certainly makes a lot of sense.

I especially like your description of how you would set it up. I'm just a newb but it sounds very logical to me.

What do you other folks think?

I'm curious Bery, what webserver software would you use? (Win based).

Sounds like ur being tested in the 1st phase, looks like they wanted u to know u were open to attack, they already looked around found nothing they needed and decided to make u nervous. They may be back but doubtful. But u are aware of ur weakness now so when u think u have it secure let me know and Ill send a bot at u.

Windows-based web servers is a hard one. I've not had much experience with them, apart from the dreaded IIS, and apache. None of them seemed to perform as well as apache under *NIX though. Someone else would be better advising on what web server to use under windoze than me, I'd be out of my depth here. :)