I have been violated!

[tolstoy]

Recently I have found an app called NTAdminRights.exe in the root of my C: Drive on one of my IIS servers in my DMZ. I am running on the assumption that this prog got there via and IIS exploit (that is the only world accessible service on this box, and of course, the root of C: is world writeable), and that whoever put this porg there did not get a foothold on the box itself since whoever he or she was, they left the damn thing there in plain sight. I could, however, be very wrong about all of this.

Whatever the case me be, I decomplied the program to produce the code below. Being a lowly sysadmin and not a programmer, I have no way of telling what the code does or tries to exploit. Can anyone help me out to this extent? Some of the comments in this code were most likely created by the decompiler.

Any help would make you god-like in my eyes.

[UpperCell]

First off, that codes out

Some guys here could work the binary with a debugger (and proper motivation of course), but don't upload it, that would be bad.

I can't find anything on this site, google, or security focus regarding 'NTAdminRights.exe'. Though the names not hard to change. An AV may ID it. Maybe run the binary on a junk box with no network connection to see if it gives some info.

THE FOLLOWING IS MY OPINION, WAIT FOR A DOZEN MORE POSTS OR SOME PROFESSIONAL ADVICE BEFORE PROCEEDING IF YOU HAVEN'T ALREADY DECIDED ON A COURSE OF ACTION.

My company doesn't mess around with this sort of thing. Check the backups for the file, if there clean, restore them. If there not, you've got a mess. We'd play it by ear. You shouldn't if your not confident. Wait for some more posts or get some proffessional consultation. It may, after all, be nothing.

I'll post more if I catch any more info.

Jon.

[slarty]

Please remove the huge listing - it isn't helping anyone. Save it as an attachment if you really must.

This decompiler is clearly useless. It would be more legible if it was simply disassembled.

You really need to image all your discs immediately and then scrap everything and start restoring from backups... I hope you like late nights.

Slarty

[Net2Infinity]

Does this server happen to be running Coldfusion?

[Tiger Shark]

Since nobody seems to know what "it" is _and_ "it" doesn't come up on Google _and_ you have the entire C: drive "world writable", (WTF were you doing there..... Someone else set up the box.... You were never asked to check it..... now this crap has fallen in your lap..... heard it before...... ), I would strongly suggest Slarty's remedy. However, before you even think of redoing the box let alone connecting it to the internet I would suggest you go to M$'s site and read the security section from top to bottom and do everything that they say to do. The read some here and do the things M$ missed......

[Tedob1]

my guess would be that it either uses named pipes to give an accout someone has control of admin rights or it is used to pipe commands to be run threw a device that already runs as admin/system. either way the **** has already hit the fan.

you can only guess at what they have done if they got admin. but this vulnerability was fixed, i believe in sp2/3. if the service packs have been keep up with and this happened a long time ago the fixs wouldn't close any back doors that were created.

if the file was recently put on then my guess would be it was pretty much usless to them but the fact remains that access was obtained.

theirs so many things that could have been done its not worth chanceing it. swipe it clean, thats the only safe path. getting educated is never easy

[tolstoy]

To answer Net2Infinity's question, this box is running cold fusion.
Also, this box is at the most current service packs and hotfixes, and usually recieves these within a few days of their releases.

I've removed the code from the original post at the top of this thread, as its presence seemed to offend some.

[Tedob1]

your code didn't offend me i just hit 'end' and worked my up from the bottom but i hope my post didn't offend you. i got the impression you inherited caring for this box from a previous owner. many thing can make someone's status "previous"!

ill be interested to see what Net2Infinity has to say.

[steve.milner]

I'd be interested in a copy of the original file.

Can you PM it to me please.

Steve

[tolstoy]

I did the install for the box myself, but an outside vendor has been taking care of it for the most part (they have a DB app on it that runs off ColdFusion). I hate to admit it, but other than staying up to date with virus updates and patches for the software on the box I maintain, I don't usually do much else to lock the OS down, like changing file system permissions. (I do use IIS lockdown, when I can, and something else that M$ whenever possible). I would love to have the luxury of spending all my time locking down boxes and auditing them, but between managing a few hundred desktops, a few dozen servers, and a help desk staff, a lot of things that need to happen just don't.

Since I found thsi app however, I have been audinting as much as possible on the box at the file level, and watching all traffic to and from the box with tcpdump and logging it at the firewall. This of course, generates a lot of activity, but it's the only way I can thing to see what is possibly going on and what might be happing that is out of the ordinary. We have a pretty tight ruleset on our firewall, so anything out of the ordinary that happens from this point forward should show up. This of course assumes that the intruder inquestion has not moved from this box to others.

I have run the NTAdminRights.exe executable on a junk box while running both regmon and filemon from sysinternals, and can either post or pm their output if anyone is interested in seeing it.

One line of interest (to me, at least) in my regmon dump is this

7486 68.67093136 CSRSS.EXE:448 QueryKey HKCU\Console BUFOVRFLOW

At this point I would just like to know what this app is trying to exploit so that I can determine whether or not we were aptched against it.

This box is fairly isolated in a DMZ with a bunch of other web servers of different platforms. If someone has a foothold on it, it would take some more work to get to the LAN, but that possibility is not out of reach.

Like I said, I am still under the belief that someone got this app onto the box through accessing IIS or ColdFusion (as stated by Net2) from the internet, or by making a lateral move from another web server on my DMZ. If they really had a foothold on this box, wouldn;t they have deleted the tool they dropped there?