
Server attacks stump Microsoft

September 5, 2002
Hackers are having a party with MS stuff - and MS can't figure out how they do it.

Subject: Server attacks stump Microsoft
Date: Thu, 5 Sep 2002 14:29:54 +0100
To: <full-disclosure@lists.netsys.com>

The information in this article applies to:
  a. Microsoft Windows 98
  b. Microsoft Windows 98 Second Edition
  c. Microsoft Windows Millennium Edition
  d. Microsoft Windows NT Workstation 4.0
  e. Microsoft Windows NT Server 4.0
  f. Microsoft Windows NT Server, Enterprise Edition 4.0
  g. Microsoft Windows 2000 Professional
  h. Microsoft Windows 2000 Server
  i. Microsoft Windows 2000 Advanced Server
  j. Microsoft Windows 2000 Datacenter Server
  k. Microsoft Windows XP 64-Bit Edition
  l. Microsoft Windows XP Home Edition
  m. Microsoft Windows XP Professional

SUMMARY
The Microsoft Product Support Services (PSS) Security Team is issuing an
alert about an increased level of hacking activity that the PSS Security
Team has been tracking. The activity seems to involve similar hacking
attempts. These hacking attempts show similar symptoms and behaviors. The
PSS Security team has isolated the major similarities. This article lists
these similarities, so that you can take any appropriate action to:
  a. Detect these hacking attempts.
  b. Respond to any hacking attempts you detect.

MORE INFORMATION
Impact of Attack
Compromise of computer, denial-of-service because of security policy
changes.

Symptoms
You may experience one or more of the following symptoms:
  a. Possible detection of Trojans such as Backdoor.IRC.Flood and its
     variants. This might include related Trojans with similar functionality.
     These Trojans may not necessarily be detected by your antivirus software
     after the hacker has made modifications to your computer.
  b. Modification of the security policy on domain controllers. Some of the
     possible effects of a modified security policy are:
       a. Previously-disabled guest accounts have been re-enabled.
       b. Changed security permissions on your servers or in Active Directory.
       c. No one can log on to the domain from the workstations.
       d. Cannot open Active Directory snap-ins in the MMC.
       e. Error logs show multiple failed logon attempts from legitimate users
          who were locked out.

Technical Details
Finding any backdoor Trojan indicates that the server is extremely
vulnerable to privilege escalation and hacking.

The following files and programs have also been found on the computers that
have been compromised:
  a. Gg.bat

     Gg.bat attempts to connect to other servers as 'administrator', 'admin',
     or 'root'. It then looks for Flashfxp and Ws_ftp on the server, and then
     copies several files including Ocxdll.exe to the server. Gg.bat then uses
     the Psexec program to execute commands on the remote server.
  b. Seced.bat

     Seced.bat changes the security policy.
  c. Nt32.ini
  d. Ocxdll.exe
  e. Psexec
  f. Ws_ftp
  g. Flashfxp
  h. Gates.txt

If these files are found on your computer and they were not installed by you
or with your knowledge, run a thorough virus scan with an up-to-date
virus-scanning program.

Prevention
As of August 2002, the PSS Security Team has not been able to determine the
technique that is being used to gain access to the computer. However,
because of the significant spike in activity, the PSS Security Team has
determined that these techniques are similar and/or automated in some cases.
Fully-patched computers that follow security best practices provide the best
protection from hacking or other malicious software.

Recovery
Because of the nature of hacking, there is almost no way to fully certify a
computer as 'clean' of all malicious software or changes that are made
during the hack. If you are sure you have been hacked, Microsoft recommends
you consult the CERT documentation about how to recover from a root
compromise:

  http://www.cert.org/tech_tips/root_compromise.html

If you believe that you have been hacked, you may want to contact your legal
counsel or law enforcement about your legal options.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
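The alert gives defenders two concrete things to look for: the artifact file names listed under "Technical Details" and the wave of failed logons from locked-out users listed under "Symptoms". The following script is an added example, not code from Microsoft PSS, the Full-Disclosure poster or Radsoft, that turns both into a check. It assumes the advisory's file names are matched case-insensitively anywhere under a scanned root, treats Psexec, Ws_ftp and Flashfxp as legitimate tooling to report separately rather than as Trojan artifacts, and reads a constructed, simplified audit-log line format keyed on the NT 4.0/2000 security event IDs 529 (logon failure) and 539 (account locked out); the sample directory tree and log lines are constructed for the demonstration.

```python
"""Check a host for the artifact file names in the PSS alert and for the
repeated failed-logon pattern it describes. Added example; nothing here is
from the original advisory or post beyond the file names it lists."""
import os
import tempfile
from collections import Counter

# File names listed in the advisory, compared case-insensitively.
TROJAN_ARTIFACTS = {"gg.bat", "seced.bat", "nt32.ini", "ocxdll.exe", "gates.txt"}
# Legitimate admin/FTP tools the advisory also lists; reported separately so an
# administrator can confirm whether they installed them.
TOOLING_PREFIXES = ("psexec", "ws_ftp", "flashfxp")


def sweep(root):
    """Walk `root` and return (artifacts, tooling): sorted full paths whose
    file name matches the advisory's Trojan artifacts or its tooling names."""
    artifacts, tooling = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in TROJAN_ARTIFACTS:
                artifacts.append(path)
            elif lower.startswith(TOOLING_PREFIXES):
                tooling.append(path)
    return sorted(artifacts), sorted(tooling)


# Constructed simplification of exported security-log entries (assumption:
# one event per line as 'EVENT <id> user=<account> src=<workstation>').
FAILED_LOGON_EVENT_IDS = {"529", "539"}  # NT/2000: bad password, account locked out

SAMPLE_AUDIT = [
    "EVENT 529 user=jsmith src=WS01",
    "EVENT 529 user=jsmith src=WS01",
    "EVENT 529 user=jsmith src=WS01",
    "EVENT 529 user=jsmith src=WS01",
    "EVENT 539 user=jsmith src=WS01",   # lockout after the failures above
    "EVENT 529 user=bob src=WS07",
    "EVENT 529 user=bob src=WS07",
    "EVENT 528 user=bob src=WS07",      # successful logon, not counted
    "garbage line that does not parse",
]


def failed_logon_accounts(lines, threshold=5):
    """Count failed-logon/lockout events per account and return a dict of the
    accounts that reached `threshold`, the 'legitimate users locked out'
    symptom the advisory describes."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "EVENT":
            continue
        if fields[1] not in FAILED_LOGON_EVENT_IDS:
            continue
        user = next((f[len("user="):] for f in fields if f.startswith("user=")), None)
        if user:
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def build_sample_tree():
    """Create a constructed temporary directory tree containing two advisory
    artifacts, one tooling binary and one harmless file; returns its root."""
    root = tempfile.mkdtemp(prefix="pss_demo_")
    sub = os.path.join(root, "sub")
    os.makedirs(sub)
    for name in ("GG.BAT", "readme.txt", "PsExec.exe"):
        open(os.path.join(sub, name), "w").close()
    open(os.path.join(root, "seced.bat"), "w").close()
    return root


if __name__ == "__main__":
    artifacts, tooling = sweep(build_sample_tree())
    print("Trojan artifacts:", artifacts)
    print("Tooling to verify:", tooling)
    print("Accounts with repeated failed logons:", failed_logon_accounts(SAMPLE_AUDIT))
```

On a real host the root would be the system drive and the audit lines would come from an export of the Security event log; a match on the artifact list is a reason to treat the machine as compromised and follow the recovery advice above, not merely to delete the files.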
Copyright © Radsoft. All rights reserved.