Server Hacked, FTP Servers Installed, Help Please

GD695372

After swapping out a production web server, we noticed two rogue services on the server. These were FTP servers running under other names (DNS server and DHCP server). We've been able to locate some of the config files for one of the FTP servers and would like to log in and see what the servers were providing access to. We do have the user names and password hashes, but unfortunately have as of yet been unable to decrypt them. We believe that these are MD5 hashes. Following are a few lines from the config file:

LocalSetupPassword=072C63105200180D5C07170A7E3E


Password=wqAF6FBA47A94049C0D2C7CD54FA4DCD0C

[USER=MoMo|1]
Password=zm64E7F688C6D152C52EBF43EB4A0E9F5C

[USER=Alex|1]
Password=ztEE5F10002D07556C092037A66A2AE9F1

[USER=Chenli|1]
Password=qrC15CAD43367D7A38617CB399E30093DF

[USER=DNS|1]
Password=koA98B03814A6858A7601552D6A7AAA648

[USER=Eclipse|1]
Password=zi24A56515D6B703647BD7DDCB5DDDDDA2

[USER=Nice|1]
Password=quD4421B1C59B504C3E861E832F3D24385

Any help you could provide would be greatly appreciated.

Thanks in advance,
GD
 

bob4432

Contact Serv-U and ask them; they would be the best to deal with, since it is their product.
 

n0cmonkey

You can probably brute force the hashes. Maybe in a couple of years you can find that donkey pr0n they were trading.

If you have the configurations, look to see where the root is and start from there.
 

nweaver

Can't John the Ripper break the hashes? I know a company that can brute force it... I saw them brute force a 10-digit upper/lowercase alphanumeric password in 4 hours... DC client for CIA.
 

lansalot

Forget trying to break MD5 hashes, that's just a waste of time.

Read the config files to find out where the home directories for those users are and go straight to them.

There's no mystery in that.

edit: if you are really 'doing forensics', then you definitely don't want to log in as any of their users, nor log in at all on that system. All volumes should be mounted read-only from (suggestion) a Knoppix forensics CD. The moment you change a byte on that disc, you've tainted any evidence you wanted to keep.
 

n0cmonkey

Originally posted by: nweaver
Can't John the Ripper break the hashes? I know a company that can brute force it... I saw them brute force a 10-digit upper/lowercase alphanumeric password in 4 hours... DC client for CIA.

John the Ripper can, and there are some patches out there to make it distributed in nature. I think there is something similar, too, that is natively distributed.
 

Czar

MD5 hashes can be so easily broken now.

Make a database of all the possibilities, which some people have done, then just search the database for the MD5 hash you are looking for.
 

n0cmonkey

Originally posted by: Czar
MD5 hashes can be so easily broken now.

Make a database of all the possibilities, which some people have done, then just search the database for the MD5 hash you are looking for.

That's a big database. It's available, though. I played with the distributed computing project that broke it. :p

That's why no one uses MD5 for passwords anymore. ;)
 

Czar

Originally posted by: n0cmonkey
Originally posted by: Czar
MD5 hashes can be so easily broken now.

Make a database of all the possibilities, which some people have done, then just search the database for the MD5 hash you are looking for.

That's a big database. It's available, though. I played with the distributed computing project that broke it. :p

That's why no one uses MD5 for passwords anymore. ;)
hehe, very true, do you know how big it was?
 

n0cmonkey

Originally posted by: Czar
Originally posted by: n0cmonkey
Originally posted by: Czar
MD5 hashes can be so easily broken now.

Make a database of all the possibilities, which some people have done, then just search the database for the MD5 hash you are looking for.

That's a big database. It's available, though. I played with the distributed computing project that broke it. :p

That's why no one uses MD5 for passwords anymore. ;)
hehe, very true, do you know how big it was?

Supposedly they were planning on sending a copy to anyone that requested and paid a small fee (S&H, materials). They mentioned 200GB hard drives, but I don't have an exact number.

They also stopped as soon as they got a collision, so it's possible they're missing plenty of hashes. And the authentication system may use salts, which could possibly affect the use of other hashes.
 

Czar

Originally posted by: n0cmonkey
Supposedly they were planning on sending a copy to anyone that requested and paid a small fee (S&H, materials). They mentioned 200GB hard drives, but I don't have an exact number.

They also stopped as soon as they got a collision, so it's possible they're missing plenty of hashes. And the authentication system may use salts, which could possibly affect the use of other hashes.

hehe, ok, maybe MD5 is a little bit safer than I thought :)
 

GD695372

Thanks for all the responses, everyone. I think we're just going to snoop around a bit. The reason we couldn't use the home directories was because they were all at the root directory on the C drive. The config gave them access to every drive C through Z with full permissions. We haven't been able to find any files of note so far. I guess logging in wouldn't have helped anyway. Thanks for the MD5 info, though.

The server was composed of the files Psinfo.exe, windowaudio.PNF, and winsocket32.ocx

Here's most of the config file (windowaudio.PNF) as we found it (we still haven't found the config file for the other FTP server):

[GLOBAL]
invisible=true
Version=3.0.0.17
...
MaxNrUsers=15
AntiHammer=1
PacketTimeOut=300
DirCacheEnable=0
AntiHammerTries=3
LocalSetupPassword=072C63105200180D5C07170A7E3E
LocalSetupPortNo=6423
SocketRcvBuffer=8192
SocketSndBuffer=8192
ProcessID=2300
[DOMAINS]
Domain1=0.0.0.0||6423|DNS's FTP Server|1
[Domain1]
User1=Alex|1|0
User2=Chenli|1|0
User3=1337|1|0
SignOff=c:\winnt\inf\signoff.txt
DirChangeMesFile=c:\winnt\inf\dir.txt
DirChangeMesFile2=c:\winnt\inf\dir.txt
ReplyHello=Welcome To DNS's FTP Server...
User4=MoMo|1|0
MaxNrUsers=20
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
User5=DNS|1|0
User6=Nice|1|0

Password=wqAF6FBA47A94049C0D2C7CD54FA4DCD0C
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
Access1=c:\|RALP
[USER=MoMo|1]
Password=zm64E7F688C6D152C52EBF43EB4A0E9F5C
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=E:\|RWAMELCDP
Access4=F:\|RWAMELCDP
Access5=G:\|RWAMELCDP
Access6=H:\|RWAMELCDP
Access7=I:\|RWAMELCDP
Access8=J:\|RWAMELCDP
Access9=K:\|RWAMELCDP
Access10=L:\|RWAMELCDP
Access11=M:\|RWAMELCDP
Access12=N:\|RWAMELCDP
Access13=O:\|RWAMELCDP
Access14=P:\|RWAMELCDP
Access15=Q:\|RWAMELCDP
Access16=S:\|RWAMELCDP
Access17=T:\|RWAMELCDP
Access18=U:\|RWAMELCDP
Access19=V:\|RWAMELCDP
Access20=X:\|RWAMELCDP
Access21=Y:\|RWAMELCDP
Access22=Z:\|RWAMELCDP
[USER=Alex|1]
Password=ztEE5F10002D07556C092037A66A2AE9F1
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[USER=Chenli|1]
Password=qrC15CAD43367D7A38617CB399E30093DF
HomeDir=c:
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[USER=DNS|1]
Password=koA98B03814A6858A7601552D6A7AAA648
HomeDir=c:
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[USER=Eclipse|1]
Password=zi24A56515D6B703647BD7DDCB5DDDDDA2
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
[EXTERNAL]
EventHookDLL1=JAsfv.dll
[USER=Nice|1]
Password=quD4421B1C59B504C3E861E832F3D24385
HomeDir=c:
LoginMesFile=c:\winnt\inf\welcome.txt
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
...
Access22=Z:\|RWAMELCDP
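Added example, not from the thread or from Serv-U: a small Python triage script that parses a config laid out like the file GD posted above and reports, per account, the home directory, the Maintenance level, which drive roots were writable, and whether logging was switched off, which is the "read the config to see what was exposed" approach lansalot suggested. The sample config and all its values are constructed placeholders, and the access flag letters are reported exactly as written rather than interpreted.

```python
import re

# Constructed sample in the layout of the Serv-U style .ini quoted above; placeholder values.
SAMPLE_CONFIG = """\
[GLOBAL]
invisible=true
[Domain1]
LogGETs=0
[USER=Alex|1]
HomeDir=c:
Maintenance=System
Access1=C:\\|RWAMELCDP
Access2=D:\\|RWAMELCDP
[USER=Guest|1]
HomeDir=c:\\ftproot
Access1=c:\\ftproot|RL
[EXTERNAL]
EventHookDLL1=JAsfv.dll
"""
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # matches a bare drive such as "C:" or "C:\"

def parse_ini(text):
    """Parse [section]/key=value lines; repeated keys (AccessN) are kept in order."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def triage(text):
    """Summarise what the rogue server exposed: per-user grants, disabled logging, hook DLLs."""
    report = {"users": {}, "logging_disabled": [], "hook_dlls": []}
    for name, items in parse_ini(text).items():
        kv = dict(items)
        report["logging_disabled"] += [k for k, v in items if k.startswith("Log") and v == "0"]
        report["hook_dlls"] += [v for k, v in items if k.startswith("EventHookDLL")]
        if name.startswith("USER="):
            grants = [tuple((v.split("|", 1) + [""])[:2]) for k, v in items if k.startswith("Access")]
            # A drive-root grant whose flags include W made the whole volume writable over FTP.
            report["users"][name[5:].split("|")[0]] = {
                "home": kv.get("HomeDir"),
                "maintenance": kv.get("Maintenance"),
                "writable_drive_roots": [p for p, f in grants if DRIVE_ROOT.match(p) and "W" in f],
                "grants": grants,
            }
    return report
```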
 

GD695372

This production web server needs some software that has to be run under Windows. Migrating to Linux isn't an option. The new server has been locked down as much as possible, and has already replaced the compromised one. At this point it looks like the FTP servers were never used, because they were blocked by the firewall. I think that they were installed by taking advantage of an IIS vulnerability. No idea what the vulnerability was, but hopefully the new server doesn't share the same vulnerability. As a long-term solution, I'm building a Squid reverse proxy to put in front of the web server. That should help somewhat. We found out that the time of entry was only a few hours before we put SP4 on the server.

Thanks for all the help,
GD
 

Smilin

Originally posted by: skyking
Hmm, running a production webserver on windows..................:p

Not a problem. The problem lies in IMPROPERLY running a production webserver on ANY OS.

Spare us your MS, sorry M$, FUD.


 

n0cmonkey

Originally posted by: Smilin
Not a problem. The problem lies in IMPROPERLY running a production webserver on ANY OS.

Spare us your MS, sorry M$, FUD.

MS is a part of the problem though, but I hear newer IIS versions have saner defaults. :)
 

jamesbond007

Originally posted by: GD695372
We found out that the time of entry was only a few hours before we put SP4 on the server.
GD

So you only recently put SP4 on there? SP4 for Win2K has been out a long, long time!!! Shame on you!
 

Nothinman

You could always put it back on the Internet and put a sniffer in between to catch the FTP passwords; it'll probably be a lot quicker than brute forcing the MD5s.
 

GD695372

We've given up on brute forcing the passwords, and the FTP ports were never accessible anyway, thanks to the firewall. SP4 was put on the server a long time ago, but we only recently found that it had been compromised. We hadn't been paying much attention to it until we started configuring its replacement.
 

Smilin

Originally posted by: n0cmonkey
Originally posted by: Smilin
Not a problem. The problem lies in IMPROPERLY running a production webserver on ANY OS.

Spare us your MS, sorry M$, FUD.

MS is a part of the problem though, but I hear newer IIS versions have saner defaults. :)

Sorry, not gonna blame MS if the guy admitted he didn't even apply the latest updates.