Published April 7th, 2003 by Jim O'Halloran
Increase in “Hacking” activity
I think I’ve now got my head in order enough to try and explain what I’ve been seeing with our client systems, and what’s kept me too busy to blog for the last week or so… In the last week or so we’ve noticed a big increase in compromised machines within our client base. We’ve confirmed 7 machines compromised in the last week, which is a real worry. All machines run NT4 and are directly connected to the internet via a permanent dialup 56k modem. Most of these seem to be in Melbourne and Brisbane, where the sites would be on the same POP in each city, and therefore in a similar IP address range. This suggests to me they’ve been picked up in a scan of a large block of IP addresses.
Normally, the first sign of a compromise is that the shared printers on that machine no longer function correctly, and this has an immediate impact on our software. One site has also observed that the machine appears to be under the remote control of an unauthorised third party at times.
Once “compromised” these machines seem to end up with a fair collection of tools installed, many of which I can’t identify fully, but the list includes…
- DameWare Remote Control
- X-Scan network vulnerability scanner.
- FireDaemon to install and run normal processes as services.
- Serv-U FTP Server.
Some machines also seem to have some sort of IRC bot, which suggests that they’ve been set up to be used as IRC XDCC file servers, or that they’ve been zombied for use in DDoS attacks. The IRC XDCC document offers a suggestion on how these machines might have been compromised, and what the machines might be being used for…
In this I noted the most common method people are using. Firedaemon will always be used, these hackers need to restart their programs each time you reboot. But, more sophisticated kids might employ other methods to scan or install these services. There are the ‘rootkits’, which are programs that automate the entire process. A hacker types in a range, and it will automatically scan for the vulnerability, copy files, run them, and secure the system, then move on.
On some systems, I can see logs which indicate that the machine has been used to scan another block of IPs, usually looking for an open port 1433 (MS SQL Server). This is interesting, because scanning for port 1433 suggests that the “intruder” on my machine is getting in via MS SQL Server (which is installed on these machines), and is looking for other machines to compromise. However, the IRC XDCC hacking document referenced above suggests compromise via Windows networking, not SQL Server. Maybe either is possible, but we need to look at securing both just in case.
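To make the “this box is scanning other people for 1433” observation something you can check mechanically rather than by eye, here is an added example (mine, not from the original post or any tool it mentions) that runs over a few constructed connection-log lines. The log format is an assumption, since the post does not show what its logs look like; the IPs are documentation ranges. A host is flagged when a single source tries the target port on at least a handful of distinct destinations, and the hits are then grouped by /24 to show the “block of IPs” being swept.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format (timestamp, proto,
# src:port -> dst:port, flags). Not taken from the original post.
SAMPLE_LOG = """\
2003-04-03 02:14:07 TCP 203.0.113.5:1044 -> 198.51.100.1:1433 SYN
2003-04-03 02:14:07 TCP 203.0.113.5:1045 -> 198.51.100.2:1433 SYN
2003-04-03 02:14:07 TCP 203.0.113.5:1046 -> 198.51.100.3:1433 SYN
2003-04-03 02:14:08 TCP 203.0.113.5:1047 -> 198.51.100.4:1433 SYN
2003-04-03 02:14:08 TCP 203.0.113.5:1048 -> 198.51.100.5:1433 SYN
2003-04-03 02:14:08 TCP 203.0.113.5:1049 -> 198.51.100.6:1433 SYN
2003-04-03 02:14:09 TCP 203.0.113.5:1050 -> 198.51.100.7:139 SYN
2003-04-03 02:15:31 TCP 203.0.113.5:1051 -> 192.0.2.10:80 SYN
2003-04-03 02:15:40 TCP 203.0.113.5:1052 -> 192.0.2.10:80 SYN
2003-04-03 02:15:45 TCP 203.0.113.5:1053 -> 192.0.2.11:1433 SYN
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def _ip_key(ip):
    # Sort dotted quads numerically rather than lexically.
    return tuple(int(octet) for octet in ip.split("."))


def detect_outbound_scan(lines, port=1433, min_targets=5):
    """Return {src_ip: [distinct dst_ips]} for every source that tried `port`
    on at least `min_targets` distinct hosts. Unparseable lines are ignored."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {
        src: sorted(dsts, key=_ip_key)
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


def target_blocks(dst_ips):
    """Count scanned hosts per /24, to show which block was being swept."""
    counts = defaultdict(int)
    for ip in dst_ips:
        a, b, c, _ = ip.split(".")
        counts[f"{a}.{b}.{c}.0/24"] += 1
    return dict(counts)


if __name__ == "__main__":
    scans = detect_outbound_scan(SAMPLE_LOG.splitlines())
    for src, dsts in scans.items():
        print(f"{src} hit port 1433 on {len(dsts)} hosts: {target_blocks(dsts)}")
```

Tune `min_targets` to the volume you actually see; a legitimate SQL client talks to one or two servers, not seven in two seconds.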
When I’ve been looking at these machines I’ve been looking for files in c:\winnt\system32, c:\winnt\system32\drivers, c:\winnt\system32\drivers\etc, and c:\recycler which don’t belong. Files that don’t belong can usually be identified by a modification date which is more recent than the build date of the machine (in this case 31-1-01) and which doesn’t seem to relate to any apps installed since the build (in this case that’s only Quicktime).
When you go into c:\recycler you’ll usually see two folders with recycle bin icons, 1 per user, named with the user’s SID (i.e. S-xxxxx-xxxxx-xxxxx type folder names). Anything else in the recycler directory is out of place.
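The two manual checks above (files newer than the build date in the system directories, and anything in c:\recycler that isn’t a per-user SID folder) are easy to script so the same triage can be repeated across every site. The following is an added example of mine, not code from the original post: it builds a small constructed directory tree with back-dated and recent files to stand in for a system drive, then runs both checks against it. The SID pattern is the standard `S-1-<authority>-<subauthorities>` form; the file names in the sample tree are made up and do not name any real tool.

```python
import os
import re
import tempfile
from datetime import datetime

# Build date of the machine image, from the post (31 Jan 2001).
BUILD_DATE = datetime(2001, 1, 31)

# Directories the post says to inspect, relative to the system root.
SUSPECT_DIRS = [
    os.path.join("winnt", "system32"),
    os.path.join("winnt", "system32", "drivers"),
    os.path.join("winnt", "system32", "drivers", "etc"),
]
RECYCLER = "recycler"

# A well-formed SID: S-1-<identifier authority>-<one or more subauthorities>.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)


def _rel(path, root):
    # Report paths relative to root with forward slashes so output is stable.
    return os.path.relpath(path, root).replace(os.sep, "/")


def files_newer_than(root, build_date=BUILD_DATE, rel_dirs=SUSPECT_DIRS, ignore=()):
    """List files directly inside rel_dirs whose mtime is after build_date.
    Non-recursive, like the manual check. `ignore` holds file names that are
    known to be recent for a good reason (e.g. a later application install)."""
    hits = []
    for rel in rel_dirs:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if not os.path.isfile(p) or name.lower() in {n.lower() for n in ignore}:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(p))
            if mtime > build_date:
                hits.append(_rel(p, root))
    return sorted(hits)


def recycler_strays(root):
    """Anything in recycler that is not a directory named after a SID."""
    d = os.path.join(root, RECYCLER)
    if not os.path.isdir(d):
        return []
    return sorted(
        name for name in os.listdir(d)
        if not (os.path.isdir(os.path.join(d, name)) and SID_RE.match(name))
    )


def build_sample_tree(root):
    """Constructed sample layout for the demo; not a real compromised host."""
    def touch(rel, when):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write("x")
        ts = when.timestamp()
        os.utime(p, (ts, ts))   # back-date the file to `when`

    old = datetime(2000, 12, 1)   # part of the original build
    new = datetime(2003, 4, 2)    # appeared long after the build
    touch(os.path.join("winnt", "system32", "kernel32.dll"), old)
    touch(os.path.join("winnt", "system32", "newfile.exe"), new)
    touch(os.path.join("winnt", "system32", "quicktime.qts"), new)  # known later install
    touch(os.path.join("winnt", "system32", "drivers", "etc", "hosts"), old)
    touch(os.path.join("winnt", "system32", "drivers", "etc", "extra.dat"), new)
    os.makedirs(os.path.join(root, RECYCLER, "S-1-5-21-1004336348-1177238915-682003330-1000"))
    os.makedirs(os.path.join(root, RECYCLER, "temp"))          # out of place
    touch(os.path.join(RECYCLER, "stray.ini"), new)            # out of place


def run_demo():
    """Build the sample tree in a temp dir and return (newer_files, strays)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        newer = files_newer_than(root, ignore=("quicktime.qts",))
        strays = recycler_strays(root)
    return newer, strays


if __name__ == "__main__":
    newer, strays = run_demo()
    print("Files newer than build date:", newer)
    print("Out-of-place entries in recycler:", strays)
```

Point `files_newer_than` and `recycler_strays` at a mapped drive (for example `\\host\c$` mounted locally) to run it against a live machine; the `ignore` list is where you put the files from any install you know happened after the image was built.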
So where to now??? First thing is to grab two machines and build them up from the ghost images we have and see if I can identify how someone might get into the machines. After that, add hotfixes, service packs, and tune the security policy until I can’t get in anymore. Improving security policy probably means seeing if we can un-bind Windows Networking and MS SQL Server from the dialup adapter, if they aren’t already. If anyone has got any other suggestions, please let me know!
I’d love to be able to shove the whole lot behind a Linux firewall or a dedicated router box, but that’s not possible at the moment.
I’m blogging this mainly to help collect my thoughts on what’s been happening, and to solicit feedback from anyone who might have had similar problems recently. If this helps out anyone who’s seeing similar things, that’s great!