Home > Articles > Programming > Windows Programming

  • Print
  • + Share This
From the author of

Owned by Joe, Mary, Pete, and I Think My Mother

Once I had the results of my directory listing in front of me, I had to laugh again. In fact, I was so astonished that I called my client back and told him, "You know that Exchange server? I think you are the only person on this planet who doesn't own it!" From just a quick scan, I concluded that the server had been owned no less than 10 times. Listing 5 shows just some of the folders that contained root kit files.

Listing 1-5: Folder Listing Containing Root Kits

C:\scripts.bat
C:\temp\win.asp
c:\inetpub
c:\inetpub\scripts
c:\inetpub\wwwroot
c:\inetpub\mailroot\drop\temp
c:\winnt\system32
c:\winnt\system32\sysstat

However, what really got my attention was the folder listing in Listing 6.

Listing 1-6: Directory of c:\RECYCLER\system\winnt\test\system2

10/26/02 04:48a    <DIR>     .
10/26/02 04:48a    <DIR>     ..
10/24/02 03:49p    <DIR>     +01 # I N F U S i O N #
10/24/02 03:50p    <DIR>     +02 H4x0r3d, Scann3d, & 
FiLL3d by THC
10/24/02 04:00p    <DIR>     +03 APPZ
10/24/02 04:24p    <DIR>     +04 BOOKZ
10/26/02 04:49a    <DIR>     +05 GBA
        7 File(s)       0 bytes

Upon further investigation, I discovered that these folders held about 3GB of illegal warez, mostly consisting of more than 500 GameBoy Advanced ROMs. Based on the dates of the folder/file creations, I thought I had found one of the main reasons the Internet was slowing down. Further investigation of the server revealed that it was also infected with the Nimda worm, which was actively sending out thousands of probes to the Internet as it looked for other targets.

At this time, I once again called the owner and administrator and told them that they should unplug the server and format it completely and thoroughly. I told them that they were hosting illegal files and that it could be a liability for them if they didn't remove it immediately. We discussed options for using firewalls, redesigning their network using a router and NAT-based protection, and ensuring that the new installation did not included the Web server and did include all required patches and service packs. This done, I hung up and started collecting information from the server while it was still up. In particular, I went looking for log files and all the scripts and root kits that were installed by the legion of hackers who owned the computer. It was during this research that the lights went out on the server.

  • + Share This
  • 🔖 Save To Your Account