IRC servers -- Hacked
Due to a number of requests I am posting a summary of the actions we
have taken here to find these machines.
Usually these are Windows 2000 boxes with SP2 or earlier.
Generally you can look in the Services applet to see if FireDaemon is
running.
If you have no icons inside of Administrative Tools, chances are you
have been hit.
You can get to the Services applet by typing the following in the Run
line:
mmc c:\windows\system32\services.msc
You can also do a Windows search for firedaemon.exe [see the last line of
this message for another program to look for].
If found, do not delete it!
You will need it to remove the rogue services it installed.
Kill all of the services that run under FireDaemon in the Services
applet.
(Here they are usually called ntsysvers, sec, runbatch or svchost, and
show up as:
Firedaemon service : ntsysvers )
If you right-click and go to Properties, you can locate where the service
binary is running from (usually inside of winnt\system32\rundll). You may
need to change your view settings to see hidden and system files.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Other tools that are handy to keep on a network drive and use are:
Fport.exe http://www.foundstone.com
Process Explorer http://www.sysinternals.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
From a command line, navigate to the folder where firedaemon.exe is
located and type in:
firedaemon -u xxx
(where xxx is the name of the service you found running under the
FireDaemon service)
You can then delete all files in that folder that relate to the hack
(usually you can spot them by date).
Other files such as mybot.msg will be there too.
Be careful not to delete anything that is a critical Windows file!
We have found a few machines that also had an administrator account
called localadmin created in the administrators group.
You can safely delete that. I would also reset the administrator
account password.
Then upgrade to the newest service pack and critical updates and you
should be all set.
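Added example, not from the original post: a read-only PowerShell sweep for the indicators listed above (services wrapped by firedaemon.exe, the service names given, the firedaemon.exe and mybot.msg files, and a localadmin account in Administrators). It assumes PowerShell 5.1 or later on a current Windows build, which the Windows 2000 hosts in the post would not have; Find-FireDaemonIndicators and New-Finding are names of my own.

```powershell
# Added example (not the post's own code). Reports only; removal stays manual,
# with "firedaemon -u <name>" as the post describes. Run from an elevated prompt.
function New-Finding($Kind, $Name, $State, $Detail) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; State = $State; Detail = $Detail }
}

function Find-FireDaemonIndicators {
    # Service names the post reports seeing under FireDaemon (constructed from the post).
    $knownNames = @('ntsysvers', 'sec', 'runbatch', 'svchost')

    # 1. Services whose binary path or display name mentions firedaemon
    #    (-match is case-insensitive). A real svchost never runs this way.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'firedaemon' -or $_.DisplayName -match 'firedaemon' } |
        ForEach-Object {
            $flag = if ($knownNames -contains $_.Name) { 'known-bad name' } else { 'review' }
            New-Finding 'FireDaemonService' $_.Name $_.State "$flag; $($_.PathName)"
        }

    # 2. The files the post names, hidden/system ones included (-Force), anywhere
    #    under the system root; LastWriteTime helps with the "look by date" step.
    Get-ChildItem -Path $env:SystemRoot -Include 'firedaemon.exe', 'mybot.msg' `
                  -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'File' $_.Name ($_.LastWriteTime.ToString('s')) $_.FullName }

    # 3. The extra 'localadmin' account the post found in the Administrators group.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*\localadmin' } |
        ForEach-Object { New-Finding 'AdminAccount' $_.Name $_.ObjectClass 'unexpected member of local Administrators' }
}

Find-FireDaemonIndicators | Format-Table -AutoSize
```

An empty table means none of the listed indicators were present; a hit under FireDaemonService gives the name to pass to firedaemon -u after the service has been stopped.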
How did they get in? I have no idea. Could be a blank administrator
password, could be an open Microsoft hole that gets patched in the
critical updates...
If you find out, let me know.
In extreme cases, they used the Local Security Settings applet to change
the local policy (User Rights Assignment) and so change who can log on to
that computer over the network.
Lastly, we have been seeing an influx of the program called DameWare.
They use this as a hack point to bounce from the machine they hacked to
hack another and make themselves untraceable.
-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To
subscribe/unsubscribe, send email to majordomo@lists.stanford.edu
with "subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body. Archive
is at http://www.stanford.edu/group/networking/netlists/