Server Hacked, FTP Servers Installed, Help Please

[GD695372]

After swapping out a production web server, we noticed two rogue services on the server. These were ftp servers running under other names(dns server and dhcp server). We've been able to locate some of the config files for one of the ftp servers and would like to log in and see what the servers were providing access to. We do have the user names and password hashes, but unfortunately have been as of yet unable to decrypt them. We believe that these are md5 hashes. Following are a few lines from the config file:

LocalSetupPassword=072C63105200180D5C07170A7E3E


Password=wqAF6FBA47A94049C0D2C7CD54FA4DCD0C

[USER=MoMo|1]
Password=zm64E7F688C6D152C52EBF43EB4A0E9F5C

[USER=Alex|1]
Password=ztEE5F10002D07556C092037A66A2AE9F1

[USER=Chenli|1]
Password=qrC15CAD43367D7A38617CB399E30093DF

[USER=DNS|1]
Password=koA98B03814A6858A7601552D6A7AAA648

[USER=Eclipse|1]
Password=zi24A56515D6B703647BD7DDCB5DDDDDA2

[USER=Nice|1]
Password=quD4421B1C59B504C3E861E832F3D24385

Any help you could provide would be greatly appreciated.

Thanks in advance,
GD

 

[GD695372]

The servers appear to be Serv-U FTP Servers if that helps at all.

Thanks again,
GD

 

[bob4432]

contact serv-u and ask them, they would be the best to deal with since it is their product.

 

[n0cmonkey]

You can probably brute force the hashes. Maybe in a couple of years you can find that donkey pr0n they were trading.

If you have the configurations, look to see where the root is and start from there.

 

[nweaver]

can't jack the ripper break the hashes? I know a company that can brute force it...I saw the brute force a 10 digit UPPER/lowercase alpha-numeric password in 4 hours....DC client for CIA

 

[lansalot]

Forget trying to break MD5 hashes, that's just a waste of time.

Read the config files to find out where the home directories for those users are and go straight to them.

There's no mystery in that.

edit: if you are really 'doing forensics', then you definitely don't want to log in as any of their users, nor log in at all on that system. All volumes should be mounted readonly from (suggestion) a knoppix forensics CD. The moment you change a byte on that disc, you've tainted any evidence you wanted to keep.

 

[n0cmonkey]

Originally posted by: nweaver
can't jack the ripper break the hashes? I know a company that can brute force it...I saw the brute force a 10 digit UPPER/lowercase alpha-numeric password in 4 hours....DC client for CIA

John the ripper can, and there are some patches out there to make it distributed in nature. I think there is something similar too that is natively distributed.

 

[Czar]

md5 hashes can be so easily broken now

make a database of all the possibilities, which some people have done, then just search the database for the md5 hash you are looking for

 

[n0cmonkey]

Originally posted by: Czar
md5 hashes can be so easily broken now

make a database of all the possibilities, which some people have done, then just search the database for the md5 hash you are looking for

That's a big database. It's available though. I played with the distributed computing project that broke it.

That's why no one uses md5 for passwords anymore.

 

[Czar]

Originally posted by: n0cmonkey

Originally posted by: Czar
md5 hashes can be so easily broken now

make a database of all the possibilities, which some people have done, then just search the database for the md5 hash you are looking for

That's a big database. It's available though. I played with the distributed computing project that broke it.

That's why no one uses md5 for passwords anymore.

hehe, very true, do you know how big it was?

 

[n0cmonkey]

Originally posted by: Czar

Originally posted by: n0cmonkey

Originally posted by: Czar
md5 hashes can be so easily broken now

make a database of all the possibilities, which some people have done, then just search the database for the md5 hash you are looking for

That's a big database. It's available though. I played with the distributed computing project that broke it.

That's why no one uses md5 for passwords anymore.

hehe, very true, do you know how big it was?

Supposedly they were planning on sending a copy to anyone that requested and paid a small fee (S&H, materials). They mentioned 200GB hard drives, but I don't have an exact number.

They also stopped as soon as they got a collision, so it's possible they're missing plenty of hashes. And the authentication system may use salts, which could possibly affect the use of other hashes.

 

[Czar]

Originally posted by: n0cmonkeySupposedly they were planning on sending a copy to anyone that requested and paid a small fee (S&H, materials). They mentioned 200GB hard drives, but I don't have an exact number.

They also stopped as soon as they got a collision, so it's possible they're missing plenty of hashes. And the authentication system may use salts, which could possibly affect the use of other hashes.

hehe ok maybe md5 is a little bit safer than I thought

 

[GD695372]

Thanks for all the responses everyone. I think we're just going to snoop around a bit. The reason we couldn't use the home directories was because they were all at the root directory on the c drive. The config gave them access to every drive c through z with full permissions. We haven't been able to find any files of note so far. I guess logging in wouldn't have helped anyway. Thanks for the md5 info, though.

The server was composed of the files Psinfo.exe, windowaudio.PNF, and winsocket32.ocx

Here's most of the config file (windowaudio.PNF) as we found it (we still haven't found the config file for the other ftp server):

[GLOBAL]
invisible=true
Version=3.0.0.17
...
MaxNrUsers=15
AntiHammer=1
PacketTimeOut=300
DirCacheEnable=0
AntiHammerTries=3
LocalSetupPassword=072C63105200180D5C07170A7E3E
LocalSetupPortNo=6423
SocketRcvBuffer=8192
SocketSndBuffer=8192
ProcessID=2300
[DOMAINS]
Domain1=0.0.0.0||6423|DNS's FTP Server|1
[Domain1]
User1=Alex|1|0
User2=Chenli|1|0
User3=1337|1|0
SignOff=c:\winnt\inf\signoff.txt
DirChangeMesFile=c:\winnt\inf\dir.txt
DirChangeMesFile2=c:\winnt\inf\dir.txt
ReplyHello=Welcome To DNS's FTP Server...
User4=MoMo|1|0
MaxNrUsers=20
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
User5=DNS|1|0
User6=Nice|1|0

Password=wqAF6FBA47A94049C0D2C7CD54FA4DCD0C
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
Access1=c:\|RALP
[USER=MoMo|1]
Password=zm64E7F688C6D152C52EBF43EB4A0E9F5C
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=E:\|RWAMELCDP
Access4=F:\|RWAMELCDP
Access5=G:\|RWAMELCDP
Access6=H:\|RWAMELCDP
Access7=I:\|RWAMELCDP
Access8=J:\|RWAMELCDP
Access9=K:\|RWAMELCDP
Access10=L:\|RWAMELCDP
Access11=M:\|RWAMELCDP
Access12=N:\|RWAMELCDP
Access13=O:\|RWAMELCDP
Access14=P:\|RWAMELCDP
Access15=Q:\|RWAMELCDP
Access16=S:\|RWAMELCDP
Access17=T:\|RWAMELCDP
Access18=U:\|RWAMELCDP
Access19=V:\|RWAMELCDP
Access20=X:\|RWAMELCDP
Access21=Y:\|RWAMELCDP
Access22=Z:\|RWAMELCDP
[USER=Alex|1]
Password=ztEE5F10002D07556C092037A66A2AE9F1
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[USER=Chenli|1]
Password=qrC15CAD43367D7A38617CB399E30093DF
HomeDir=c:
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[USER=DNS|1]
Password=koA98B03814A6858A7601552D6A7AAA648
HomeDir=c:
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[USER=Eclipse|1]
Password=zi24A56515D6B703647BD7DDCB5DDDDDA2
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[EXTERNAL]
EventHookDLL1=JAsfv.dll
[USER=Nice|1]
Password=quD4421B1C59B504C3E861E832F3D24385
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP

 

[Czar]

I googled RWAMELCDP
and came up with this, lots and lots of info
http://www.google.com/search?hl=en&q=RWAMELCDP&btnG=Google+Search

 

[Smilin]

1. Wipe the box. Don't try to un-hack it.
2. Secure your next box properly.

 

[Homerboy]

do a search for *.rar

 

[Czar]

Originally posted by: Smilin
1. Wipe the box. Don't try to un-hack it.
2. Secure your next box properly.

good move

 

[skyking]

Hmm, running a production webserver on windows..................

 

[GD695372]

This production webserver needs some software that has to be run under windows. Migrating to Linux isn't an option. The new server has been locked down as much as possible, and has already replaced the compromised one. At this point it looks like the ftp servers were never used, because they were blocked by the firewall. I think that they were installed by taking advantage of an IIS vulnerability. No idea what the vulnerability was, but hopefully the new server doesn't share the same vulnerability. As a long-term solution, I'm building a squid reverse-proxy to put in front of the web server. That should help somewhat. We fould out that the time of entry was only a few hours before we put SP4 on the server.

Thanks for all the help,
GD

 

[Smilin]

Originally posted by: skyking
Hmm, running a production webserver on windows..................

Not a problem. The problem lies in IMPROPERLY running a production webserver on ANY OS.

Spare us your MS, sorry M$, FUD.

 

[n0cmonkey]

Originally posted by: Smilin
Not a problem. The problem lies in IMPROPERLY running a production webserver on ANY OS.

Spare us your MS, sorry M$, FUD.

MS is a part of the problem though, but I hear newer IIS versions have saner defaults.

 

[jamesbond007]

Originally posted by: GD695372
We fould out that the time of entry was only a few hours before we put SP4 on the server.
GD

So you only recently put SP4 on there? SP4 for Win2K has been out a long, long time!!! Shame on you!

 

[Nothinman]

You could always put it back on the Internet and put a sniffer between it to catch the FTP passwords, it'll probably be a lot quicker than bruteforcing the MD5s.

 

[GD695372]

We've given up on brute forcing the passwords, and the ftp ports were never accessible anyway, thanks to the firewall. SP4 was put on the server a long time ago, but we only recently fould that it had been compromised. We hadn't bene paying much attention to it until we started configuring it's replacement.

 

[Smilin]

Originally posted by: n0cmonkey

Originally posted by: Smilin
Not a problem. The problem lies in IMPROPERLY running a production webserver on ANY OS.

Spare us your MS, sorry M$, FUD.

MS is a part of the problem though, but I hear newer IIS versions have saner defaults.

Sorry, not gonna blame MS if the guy admitted he didn't even apply the latest updates.