[BIC-announce] [Fwd: FW: McGill Security Incidents-Current Activity (fwd)]

Dale Einarson dale@bic.mni.mcgill.ca
Fri, 01 Apr 2005 10:26:49 -0500


Date:         Thu, 31 Mar 2005 21:57:38 -0500
Reply-To: Shelly Feran <feran@CC.MCGILL.CA>
Sender: TECHIES LIST <TECHIES@LISTS.MCGILL.CA>
From: Shelly Feran <feran@CC.MCGILL.CA>
Subject:      FW: McGill Security Incidents-Current Activity (fwd)
To: TECHIES@LISTS.MCGILL.CA

Sent on behalf of Raould Traore, McGill IST Security
Please respond to istsecurity@mcgill.ca
--------------------------------------------------------
Hi All,

McGill Security Incidents-Current Activity


Status

Please be advised that multiple Windows machines on campus were recently
compromised by an unidentified vector. Please note that some of the
computers that were compromised were current in terms of security
updates. These intrusions are characterized by a similar set of symptoms
found on compromised hosts known to date.

Affected Systems

Operating systems known to be vulnerable include:

*       Windows 2000 Server (with or without all service packs)
*       Windows 2000 Workstation (with or without all service packs)
*       Windows 2003 Server (with or without all service packs)
*       Windows XP (with or without all service packs)

Risk Assessment: Critical

*       the attacker(s) were able to install tools that were successful
in cracking and capturing passwords and SAM data
*       additional hacking tools (ex: scanners etc.) were also found on
compromised machines
*       hacked machines were used as platforms for launching further
attacks against other computers

Symptoms

The following are some symptoms observed on compromised machines. Please
note that not all of these signs must be present on a particular machine
for it to be considered compromised. Some of the files that are left
behind are common administrative tools that may have been installed
legitimately.


                        Nbthelp.exe
                        Nbthelp.sys
                        Dcrss.exe
                        Dcrss.ini
                        Lan*.txt
                        Dntuw*
                        kaht.exe
                        NTCmd.exe
                        NTscan.exe
                        NTscan.txt
                        NT_pass.dic
                        NT_user.dic
                        Results.txt
                        OpenTelnet.exe
                        1.bat
                        1.reg
                        Clearlogs.bat
                        clearlogs.exe
                        del.log
                        del.logy
                        Diskinfo.exe
                        Drives.txt
                        nc.bat
                        nc.exe
                        pass.txt
                        pass.exe
                        police.txt
                        pwdump2.exe
                        samdump.dll
                        secure.bat
                        secure.exe
                        secure1.exe
                        shares.com
                        svchost.com (801 208 bytes)
                        uptime.txt
                        uptim0r.bat



*       The deletion of all administrative shares (ex: C$ D$ IPC$)
*       An instance of svchost.exe running from
%root%:\%windir%\system32\config\sysop
*       Occasionally, port TCP 444 or TCP 123 might be opened for FTP use
*       On some computers, hidden files are stored under
        %root%\System Volume Information as well as in RECYCLER and
        %windir%\inf\404\asp.net\; these computers are usually also
        compromised with rootkits.
*       A folder named %root%\1 that contains some of the scanning tools
        listed above.

 (*%root% is the root drive letter, %windir% is the default Windows
directory)
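The symptom checks above, as an added Python triage example that is not part of the advisory: it matches a host's file listing, process list, listening ports and share list (gathered separately from the machine under review) against the indicators named in this message, and generalises the svchost.exe symptom to any instance running outside the Windows system directories. The sample host data is constructed; the Windows directory and the svchost.exe locations treated as legitimate are assumptions.

```python
import fnmatch
import ntpath

# File names from the advisory's symptom list (lowercase, shell-style wildcards).
INDICATOR_FILES = [
    "nbthelp.exe", "nbthelp.sys", "dcrss.exe", "dcrss.ini", "lan*.txt", "dntuw*",
    "kaht.exe", "ntcmd.exe", "ntscan.exe", "ntscan.txt", "nt_pass.dic", "nt_user.dic",
    "opentelnet.exe", "clearlogs.bat", "clearlogs.exe", "pwdump2.exe", "samdump.dll",
    "shares.com", "svchost.com", "uptim0r.bat", "police.txt", "nc.exe", "nc.bat",
]
SUSPECT_TCP_PORTS = {444, 123}  # TCP only: UDP/123 is ordinary NTP and is not a symptom

def indicator_file_hits(paths):
    """Paths whose base name matches an indicator or that sit in a drop folder (<drive>:\\1, inf\\404\\asp.net)."""
    hits = []
    for p in paths:
        _drive, rest = ntpath.splitdrive(p.lower())
        parts = rest.strip("\\").split("\\")
        in_drop_dir = parts[0] == "1" or "\\inf\\404\\asp.net\\" in rest
        if in_drop_dir or any(fnmatch.fnmatchcase(parts[-1], pat) for pat in INDICATOR_FILES):
            hits.append(p)
    return hits

def rogue_svchost(processes, windir=r"C:\WINDOWS"):
    """svchost.exe images outside %windir%\\system32 (or SysWOW64); processes are (name, path) pairs."""
    legit = {ntpath.join(windir, d).lower() for d in ("system32", "syswow64")}
    return [path for name, path in processes
            if name.lower() == "svchost.exe" and ntpath.dirname(path).lower() not in legit]

def suspect_listeners(listeners):
    """Listening (proto, port) pairs, as read from netstat -an, on the ports the advisory cites."""
    return sorted(port for proto, port in listeners
                  if proto.lower() == "tcp" and port in SUSPECT_TCP_PORTS)

def admin_shares_missing(share_names):
    """True when every default administrative share (C$, ADMIN$, IPC$) has been removed."""
    return not ({s.upper() for s in share_names} & {"C$", "ADMIN$", "IPC$"})

# Constructed sample host data (not from any real machine) mirroring the symptoms above.
SAMPLE_FILES = [r"C:\1\NTscan.exe", r"C:\1\Lan-132.txt", r"C:\WINDOWS\inf\404\asp.net\1.bat",
                r"C:\WINDOWS\system32\svchost.exe", r"C:\Program Files\Notes\notes.txt"]
SAMPLE_PROCS = [("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
                ("svchost.exe", r"C:\WINDOWS\system32\config\sysop\svchost.exe")]
SAMPLE_LISTENERS = [("TCP", 139), ("TCP", 444), ("UDP", 123)]
SAMPLE_SHARES = ["Public", "Printers"]

if __name__ == "__main__":
    print(indicator_file_hits(SAMPLE_FILES), rogue_svchost(SAMPLE_PROCS),
          suspect_listeners(SAMPLE_LISTENERS), admin_shares_missing(SAMPLE_SHARES))
```

A host that trips any of these checks should be isolated and reported as described below rather than cleaned in place, since the advisory notes rootkits on several of the affected machines.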

Reporting

Could you please check your computers for these symptoms and let us know
what you find. You can reach us by email at istsecurity@mcgill.ca.
Please use a subject line of "McGill Security Incidents-Current
activity".

Thank you for your cooperation.

Raould Traore
Security Analyst
NCS-IST Security
---------------------------
Tel: 514-398-3704
istsecurity@mcgill.ca

Email from this and several technical NCS lists is now being archived
on the web interface: http://lists.mcgill.ca/archives/techies.html
