Thread: Millenium Backdoor?

  1. #1
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840

    Millenium Backdoor?

    I'm scanning a website IP for potential vulnerabilities (I'm admin to that website). I noticed 33 open ports, but most of them are ports being used by legit programs, including SSH and FTP. One thing that smells fishy though is port 20000 and port 20001. It's telling me port 20000 is being used by Millenium and 20001 is being used by Millenium backdoor. I clicked on it for more detail and this is what it gives:

    20001 : Millennium backdoor
    Port type TCP
    TCP Protocols HTTP
    Version HTTP/1.1
    Server Indy/9.00.10
    Redirect detected Yes

    What do I make of that information? Is it telling me that it's connected to a server and communicating with it?

    Also, a little more research on Millenium Backdoor results in this:

    Name: Millenium
    Aliases: BackDoor-L.srv, BackDoor-L.vli, Backdoor.Millenium,
    Ports: 20000, 20001 (ports can not be changed)
    Files: Milleniumtrojan.zip - 84,250 bytes Millenium2.zip - Client.exe - 164,352 bytes Client.exe - 198,144 bytes Server.exe - Spy.exe - 48,128 bytes Blonde.exe - Reg66.exe - Comctl32.ocx - 604,432 bytes Icqupdate.exe - 54,272 bytes Hool.exe -
    Created: Nov 1998
    Requires:
    Actions: Remote Access / Keylogger. Alters Win.ini. Has been disguised as a Y2K system updater.
    Versions: 0.9, 1.0, 2.0 beta,
    Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Notes: Works on Windows 95, 98 and NT. Spy.exe is said to be infected with the malicious virus Win.CIH from Taiwan.
    Country:
    Language: Written in Visual Basic.

    Is it vital for me to contact the hosting company ASAP? It also shows 21 vulnerabilities which I'll be contacting them on (RPCs and buffer overflows for Apache and OpenSSH). Any help would be greatly appreciated. One more thing, as I continue getting more and more involved with Network Security and Forensics, I try to learn as much as possible. I can figure out ways to find the vulnerabilities on the targets, but how do you exploit them. Don't answer it here, if you want to help, please PM me instead.

  2. #2
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Dnp?

    According to http://www.iana.org/assignments/port-numbers

    dnp 20000/tcp DNP
    dnp 20000/udp DNP

    It could also be DNP. (Which I am trying to figure out what it is)
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    But why's it telling me Millenium Backdoor on it? One window shows the port number, the other one tells me what process is using it at the moment.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Since you probably aren't running DNP 3.0 or less on this server, (but you might want to check with the provider), I would suggest that this is, indeed, a bad thing.....

    However, I think this is worse than bad......

    I think that you are scanning from outside, (since you say you will contact the provider), correct me if I'm wrong.....

    That being the case, 33 open ports is a hell of a lot for a provider to allow to a single host. The fact that a port like 20000 is available from outside indicates either that the box is unfirewalled or that it is firewalled with a piece of swiss cheese, (which would be bad too... ). I would be asking some fairly serious questions about the firewall.... One I would ask is "Can I see the firewall logs for this host on xx/xx/04".... It's a pleasant way of seeing if they know what they are doing.....

    In any case, 20000-1 should not be open to the world.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Also ask for the maintenance log of the server; they should easily be able to provide an up to date list of all of the changes made by the admins. Documentation is extremely important but most people just "don't have the time".
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    I'll let cheyenne know about it. He's the one in contact directly with them. Thnx very much for the responses.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    KorpDeath is a Genius.....
    KorpDeath is a Genius.....
    KorpDeath is a Genius.....

    If you are serious about this business, (security), being on the cutting edge, is important. But you can't cover _every_ last thing.... There's going to be a mistake somewhere or something that you couldn't foresee that will bite you somewhere painful.

    At that point you have two choices:-

    1. Sit back and say "wtf"
    2. Go through the logs and find out what happened.

    I'm a big proponent of number 2. Number 1 is plain embarrassing when the CEO asks the same question number 1 did...

    Granted you can't log every last packet across your network, but you can log "high risk" systems heavily, you can log all "allowed in" at the firewall, you can have an IDS logging "odd" stuff, you can log web, smtp and ftp stuff etc. etc. etc. It really doesn't take that much disk space if you run it to text.....

    But when the poop hits the proverbial fan you may be able to go back and link some things together that tell you some of what happened...... It might be the difference between reformatting every machine on the network and just reformatting a few......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Now this webserver also contains many other webservers on it with other services running besides an Apache web server. For instance the webserver we have on this box is linked to another box that is running a live stat program for game servers. Would it be possible that the port scanner is misidentifying a port as a trojan?

  9. #9
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    33 ports! Sweet crap in the morning. I can't think of 33 services that I would willfully provide to anyone!
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  10. #10
    Port 20,000 could be millenium, PSYcho files or xhx.
    Port 20,001 could be millenium, psycho files or insect....

    What firewall are you running? Also, where did you get the info that millenium is the actual program installed?
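One way to see what the scanner's "Millennium backdoor" label actually rests on, as an added example that is not code from anyone in the thread: it starts a constructed localhost listener that mimics the banner reported in post #1 (HTTP/1.1, Server: Indy/9.00.10, a redirect), grabs that banner the way a scanner would, and sets it beside the several names a port-number table hands back for 20000/20001 (the labels are the ones quoted in posts #2 and #10). The listener, its redirect target and the port table are constructed for the demo, not taken from the real host.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the scanned host: an HTTP redirector answering with
# the Server header the scanner reported in post #1 (not the real server).
class RedirectHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    server_version = "Indy/9.00.10"
    sys_version = ""                  # drop the "Python/x.y" suffix
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "http://example.invalid/")
        self.end_headers()
    def log_message(self, *args):     # keep the demo quiet
        pass

def start_listener(port=0):
    # port 0 lets the OS pick a free port; pass 20001 to mirror the thread
    srv = HTTPServer(("127.0.0.1", port), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def grab_http_banner(host, port, timeout=3.0):
    """Send one request and parse the status line and headers of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"version": "", "status": 0, "server": "", "redirect": False}
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return {"version": parts[0], "status": int(parts[1]),
            "server": headers.get("server", ""),
            "redirect": parts[1].startswith("3") and "location" in headers}

# Port labels quoted in the thread (post #10, plus IANA's entry from post #2):
# several names per port number, so the label by itself identifies nothing.
PORT_LABELS = {20000: ["Millennium", "PSYcho files", "xhx", "dnp (IANA)"],
               20001: ["Millennium", "psycho files", "insect"]}

def report(port, banner):
    # one-line verdict: the port-number label versus what actually answered
    seen = (f"{banner['version']} server '{banner['server']}' (redirect={banner['redirect']})"
            if banner["version"] else "no HTTP banner")
    return f"port {port}: labelled {PORT_LABELS.get(port, ['unknown'])}; observed {seen}"
```

Run `report(20001, grab_http_banner("127.0.0.1", start_listener()))` to see the two pieces of evidence side by side; the banner says "some HTTP server built on Indy", which is what to chase down on the host (which process owns the socket), rather than the trojan name the port table attached.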
