[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000201c360ce$a765ec30$94280a23@troylaptop>
Date: Tue, 12 Aug 2003 08:38:38 -0400
From: "Troy Murray" <murrayt5@....edu>
To: <MSUSEC@...T.MSU.EDU>, <MSU-SECURITY@...T.MSU.EDU>,
<bugtraq@...urityfocus.com>
Subject: RE: Microsoft RPC DCOM exploit descriptions
Internet Security Systems (http://www.iss.net) has released a scan tool to
check for the MS03-026 patch on Windows servers. I've downloaded and run
this tool, command-line only, on my servers and it reports correctly that
they are patched. Running a scan on the 35-10.40.x range though yields 5
systems that are not patched. Not sure if there is a way to track down who
they belong to or not to get them patched.
You can grab the tool here:
http://www.iss.net/support/product_utilities/ms03-026rpc.php
-----------------------------------
Troy D. Murray
Michigan State University
College of Human Medicine
Department of Medicine
Immunohematology and Serology Laboratory
B228 Life Science Building
East Lansing, MI 48824-1034
(E) murrayt5@....edu
(P) 517.432.3545
(F) 517.353.5436
(W) http://msuhla.chm.msu.edu
MSN: troymurray@...mail.com
AIM: troymurray72
-----Original Message-----
From: owner-msusec@...t.msu.edu [mailto:owner-msusec@...t.msu.edu] On Behalf
Of Joe Budzyn
Sent: Tuesday, August 05, 2003 8:56 AM
To: msusec@...t.msu.edu
Subject: Microsoft RPC DCOM exploit descriptions
The following exploit descriptions are from the fine folks at Purdue
University. These computers were hacked using the Microsoft RPC DCOM
vulnerability.
I have seen at lest one machine on our campus that matches Variant #1 so
far. Please keep in mind that even if a computer does not match either
variant below, it may still be hacked.
As with any sort of post-hacking recovery, please use caution. The
instructions involve steps which may damage an installed operating system. I
have not tried to recover a computer with these instructions and can make no
guarantees.
Joe Budzyn
--
Joe Budzyn
Michigan State University - Incident Response Team
Phone: (517) 355-4500 x162
http://www.security.msu.edu
abuse@....edu
Exploit Variants:
----------------------------------------------------------------------------
----
Variant 1
The following file is uploaded to vulnerable systems:
%WINDIR%\system32\NX.EXE
This file is a Paquet Builder self-executing (SFX) file.
When executed on the compromised machine, the SFX creates the following file
structure:
%WINDIR%\system32\qossrv
- - v1.0D (Haley) -
- aysshell.exe
- cdir.txt
- csrss.exe
- FireDeamon.exe
- libeay32.dll
- mswinsck.ocx
- pskill.exe
- secure.exe
- ServUPerfCount.dll
- setup.bat
- ssleay32.dll
- wget.exe
- WinExplorer.dll
- winmgnt.exe
After uncompressing these files, the SFX file is instructed to launch the
file %WINDIR%\system32\qossrv\SETUP.BAT to install additional files and
services, as well as reconfigure DCOM. Even though SETUP.BAT runs from the
command line, it is not seen by the user.
Using the UPX unpacker the content of these files is:
winmgnt.exe -- Serv-U Mini-FTP server
csrss.exe -- pAdmin utility with H|TTP and DCC capabilities
Secure.exe -- Possibly a secure shell? No good clues from strings
output. Appears to reference VBA libraries
After SETUP.BAT executes, the following files can be found:
%WINDIR%\system32
- securedcom.reg
- securedcom.reg.1
%WINDIR%\system32\qossrv
- aysinstlog.txt
- securedcom.reg
- secure.bat
- go.bat
- SystemUptimeLog.ocx
In addition, three services are installed using aysshell.exe. This is a
utility by Prism Microsystems called At Your Service that allows a user to
easily run almost any executable file or script as a service. Information
on this product can be found at:
(http://www.prismmicrosys.com/atyourservice/atyourservice-index.htm)
This is used to launch csrss.exe, secure.exe, and winmgnt.exe as system
services. The services can be viewed in the Services Console in Windows
2000 or Windows XP are as follows:
"NTF" (this is WINMGNT.EXE)
"NTP" (this is CSRSS.EXE)
"NTS" (this is SECURE.EXE)
WINMGNT.EXE is the executable for ServU-FTP. ServU-FTP is popular for this,
as it is compact, and easily portable from machine to machine. It listens
on ports 5555 and 48522. Checking for connections on these ports is also
recommended.
What calls GO.BAT or SECURE.BAT is undetermined, but both of these batch
files simply import the securedcom.reg into the local registry. This
disables the DCOM service.
After this is complete, the "Computer Browser" and "Server" services are no
longer running. They can be manually started, but do not run as expected on
system boot up.
How to clean machines infected with variant 1:
Stop the Services:
Net Stop "NTP"
Net Stop "NTS"
Net Stop "NTF"
Unregister the OCX Files:
regsvr32 /u /s %WINDIR%\system32\qossrv\mswinsck.ocx
regsvr32 /u /s %WINDIR%\system32\qossrv\systemuptimelog.ocx
Delete the Files:
del %WINDIR%\system32\nx.exe
del %WINDIR%\system32\securedcom.reg
del %WINDIR%\system32\securedcom.reg.1
del %WINDIR%\system32\qossrv\*.*
Remove the Directory:
rd /s /q %WINDIR%\system32\qossrv
Delete the Registry Value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NTLDM
Delete the Registry Keys:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTF
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTP
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTS
HKLM\SYSTEM\CurrentControlSet\Services\NTF
HKLM\SYSTEM\CurrentControlSet\Services\NTP
HKLM\SYSTEM\CurrentControlSet\Services\NTS
Note : Some registry entries may be installed with special
permissions so that only the SYSTEM has full control. To remove them, right
click on the entry, click permissions, and give everyone full control. You
will then be able to delete them.
Modify the following Registry Key:
HKLM\Software\Microsoft\Ole\EnableDCOM=Y
Restart the Services:
NET START "Server"
NET START "Computer Browser"
----------------------------------------------------------------------------
----
Variant 2
The services created by variant 2 are TCPIPenum, NTLMsDB, and IPconfig
Payload is installed in WINNT regardless of your actual Windows folder.
Administrators may wish to hand clean these folders as they may contain
essential items. Also Note that the folders themselves have both the hidden
and system attributes. You may need deltree which is included in the cleanup
package in case you don't already have it.
The following files must be deleted:
C:\WINNT\system32\config\aysshell.exe
C:\WINNT\system32\dhcp\csrsslsrms.dll
C:\WINNT\system32\dhcp\explorer.exe
C:\WINNT\system32\dhcp\fport.exe C:\WINNT\system32\dhcp\igfxtray.exe
C:\WINNT\system32\dhcp\nc.exe C:\WINNT\system32\dhcp\ntlmconf.dll
C:\WINNT\system32\dhcp\pskill.exe C:\WINNT\system32\dhcp\pslist.exe
C:\WINNT\system32\dhcp\rar.exe C:\WINNT\system32\dhcp\reg.exe
C:\WINNT\system32\dhcp\rmns.exe C:\WINNT\system32\dhcp\service.exe
C:\WINNT\system32\dhcp\SystemUptimeLog.ocx
C:\WINNT\system32\dhcp\tlister.exe
C:\WINNT\system32\dhcp\wget.exe C:\WINNT\system32\dhcp\winexplorer.dll
C:\WINNT\system32\dhcp\home\tar.exe
C:\WINNT\system32\restore\binary.gif
C:\WINNT\system32\restore\compressed.gif
C:\WINNT\system32\restore\csrss.exe
C:\WINNT\system32\restore\del.gif C:\WINNT\system32\restore\dir.gif
C:\WINNT\system32\restore\folder.open.gif
C:\WINNT\system32\restore\image1.gif
C:\WINNT\system32\restore\image2.gif
C:\WINNT\system32\restore\movie.gif
C:\WINNT\system32\restore\MSWINSCK.OCX
C:\WINNT\system32\restore\pdf.gif C:\WINNT\system32\restore\pskill.exe
C:\WINNT\system32\restore\reg.exe C:\WINNT\system32\restore\script.gif
C:\WINNT\system32\restore\service.exe
C:\WINNT\system32\restore\sound2.gif
C:\WINNT\system32\restore\tar.gif C:\WINNT\system32\restore\text.gif
C:\WINNT\system32\restore\unknown.gif
%windir%\system32\securedcom.reg
%windir%\system32\wge.exe
The following registry entry must be removed:
Registry Value:
HKEY_LOCAL_MACHINE\software\microsoft\windows\current_version\run\QoSs
rv
$ (runs %windir%\system32\restore\csrss.exe)
Registry Keys:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\root\legacy_tcpipenum
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\root\legacy_ntlmsdb
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\ipconfig
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\TCPIPenum
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\NTLMsDB
Powered by blists - more mailing lists