[BIC-announce] [Fwd: FW: McGill Security Incidents-Current Activity (fwd)]
Dale Einarson
dale@bic.mni.mcgill.ca
Fri, 01 Apr 2005 10:26:49 -0500
Message-ID: <Pine.GSO.4.40.0503312151400.18088-100000@puddle.cc.mcgill.ca>
Date: Thu, 31 Mar 2005 21:57:38 -0500
Reply-To: Shelly Feran <feran@CC.MCGILL.CA>
Sender: TECHIES LIST <TECHIES@LISTS.MCGILL.CA>
From: Shelly Feran <feran@CC.MCGILL.CA>
Subject: FW: McGill Security Incidents-Current Activity (fwd)
To: TECHIES@LISTS.MCGILL.CA
Sent on behalf of Raould Traore, McGill IST Security
Please respond to istsecurity@mcgill.ca
--------------------------------------------------------
Hi All;
McGill Security Incidents-Current Activity
Status
Please be advised that multiple Windows machines on campus were recently
compromised by an unidentified vector. Please note that some of the
computers that were compromised were current in terms of security
updates. These intrusions are characterized by a similar set of symptoms
found on compromised hosts known to date.
Affected Systems
Operating systems known to be vulnerable include:
* Windows 2000 Server (with or without all service packs)
* Windows 2000 Workstation (with or without all service packs)
* Windows 2003 Server (with or without all service packs)
* Windows XP (with or without all service packs)
Risk Assessment: Critical
* the attacker(s) were able to install tools that were successful
in cracking and capturing passwords and SAM data
* additional hacking tools (ex: scanners etc.) were also found on
compromised machines
* hacked machines were used as platforms for launching further
attacks against other computers
Symptoms
The following are some symptoms observed on compromised machines. Please
note that not all of these signs must be present on a particular machine
for it to be considered compromised. Some of the files that are left
behind are common administrative tools that may have been installed
legitimately.
Nbthelp.exe
Nbthelp.sys
Dcrss.exe
Dcrss.ini
Lan*.txt
Dntuw*
kaht.exe
NTCmd.exe
NTscan.exe
NTscan.txt
NT_pass.dic
NT_user.dic
Results.txt
OpenTelnet.exe
1.bat
1.reg
Clearlogs.bat
clearlogs.exe
del.log
del.logy
Diskinfo.exe
Drives.txt
nc.bat
nc.exe
pass.txt
pass.exe
police.txt
pwdump2.exe
samdump.dll
secure.bat
secure.exe
secure1.exe
shares.com
svchost.com (801 208 bytes)
uptime.txt
uptim0r.bat
* The deletion of all administrative shares (ex: C$ D$ IPC$)
* An instance of svchost.exe running from
%root%:\%windir%\system32\config\sysop
* Occasionally, port TCP 444 or TCP 123 might be opened for FTP
use
* On some computers, hidden files are stored under
%root%\System Volume Information, as well as in RECYCLER and
%windir%\inf\404\asp.net\; these computers are usually also compromised
with rootkits.
* A folder named %root%\1 that contains some of the scanning tools listed
above.
(*%root% is the root drive letter, %windir% is the default Windows
directory)
Reporting
Could you please check your computers for these symptoms and let us know
what you find. You can reach us by email at istsecurity@mcgill.ca.
Please use a subject line of "McGill Security Incidents-Current
activity".
Thank you for your cooperation.
Raould Traore
Security Analyst
NCS-IST Security
---------------------------
Tel: 514-398-3704
istsecurity@mcgill.ca
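The following is an added triage script, not McGill's own tooling, that checks a host for the indicators listed in the advisory above: the dropped file names (including the two wildcard entries), files in the three drop directories that are not part of a normal install, missing administrative shares in `net share` output, TCP listeners on 444 or 123 in `netstat -ano` output, and svchost.exe images running from anywhere other than %windir%\system32 in `wmic` output. Every check parses command output as text, so it can be run offline against output captured from a suspect machine; the samples at the bottom are constructed for illustration. Assumptions: the live-host path needs administrator rights, `netstat -o` and `wmic` exist only on XP/2003 and later (Windows 2000 output simply lacks the PID column), and the `run`, `scan_paths` and other helper names are this example's own.

```python
"""Triage checks for the McGill advisory's indicators (added example).

Each check takes the text of a command's output, so it works offline against
captured output (or the constructed samples below) and, on a Windows host,
against live `net share`, `netstat -ano` and `wmic` output.
"""
import csv
import fnmatch
import os
import subprocess
import sys
from pathlib import PureWindowsPath

# File names from the advisory; the two wildcard entries become globs.
IOC_FILES = set("""nbthelp.exe nbthelp.sys dcrss.exe dcrss.ini kaht.exe ntcmd.exe
ntscan.exe ntscan.txt nt_pass.dic nt_user.dic results.txt opentelnet.exe 1.bat
1.reg clearlogs.bat clearlogs.exe del.log del.logy diskinfo.exe drives.txt
nc.bat nc.exe pass.txt pass.exe police.txt pwdump2.exe samdump.dll secure.bat
secure.exe secure1.exe shares.com svchost.com uptime.txt uptim0r.bat""".split())
IOC_GLOBS = ("lan*.txt", "dntuw*")
# Drop directories that a normal install does not have: any file in them is
# reported. RECYCLER and System Volume Information exist on every NTFS volume,
# so inside them only the IOC file names above are checked.
ROOT_DIRS = ("1",)                             # %root%\1
DIR_SEQS = (("inf", "404", "asp.net"),         # %windir%\inf\404\asp.net
            ("system32", "config", "sysop"))   # %windir%\system32\config\sysop
IOC_PORTS = {444, 123}                         # TCP only; UDP 123 is ordinary NTP
EXPECTED_SHARES = ("ADMIN$", "C$", "IPC$")


def ioc_filename(name):
    n = name.lower()
    return n in IOC_FILES or any(fnmatch.fnmatch(n, g) for g in IOC_GLOBS)


def _has_seq(parts, seq):
    n = len(seq)
    return any(tuple(parts[i:i + n]) == seq for i in range(len(parts) - n + 1))


def scan_paths(paths):
    """Return (path, reason) for each full path matching a file or directory IOC."""
    hits = []
    for p in paths:
        parts = [x.lower() for x in PureWindowsPath(p).parts]
        parents = tuple(parts[1:-1])           # drop the drive and the file name
        if ioc_filename(parts[-1]):
            hits.append((p, "ioc file name"))
        elif (parents and parents[0] in ROOT_DIRS) or any(_has_seq(parents, s) for s in DIR_SEQS):
            hits.append((p, "file in attacker drop directory"))
    return hits


def missing_admin_shares(net_share_output):
    """Administrative shares absent from `net share` output."""
    present = {line.split()[0] for line in net_share_output.splitlines()
               if line.strip() and line.split()[0].endswith("$")}
    return [s for s in EXPECTED_SHARES if s not in present]


def tcp_listeners_on_ioc_ports(netstat_output):
    """(port, pid) for TCP sockets LISTENING on 444/123; pid is None without -o."""
    found = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in IOC_PORTS:
                found.append((port, f[4] if len(f) > 4 else None))
    return found


def rogue_svchost(wmic_csv, windir=r"C:\WINDOWS"):
    """svchost.exe images not loaded from %windir%\\system32, from the output of
    `wmic process get ExecutablePath,Name /format:csv`."""
    legit = (windir + r"\system32\svchost.exe").lower()
    rows = csv.DictReader(l for l in wmic_csv.splitlines() if l.strip())
    return [r["ExecutablePath"] or "<no path>" for r in rows
            if r["Name"].lower() == "svchost.exe"
            and (r["ExecutablePath"] or "").lower() != legit]


def run(cmd):
    raw = subprocess.run(cmd, capture_output=True).stdout
    return raw.decode("utf-16") if raw[:2] == b"\xff\xfe" else raw.decode(errors="replace")


def triage_live_host(drive="C:\\"):
    """Run every check on the local Windows host (needs administrator rights)."""
    paths = (os.path.join(d, f) for d, _, fs in os.walk(drive) for f in fs)
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    wmic = run(["wmic", "process", "get", "ExecutablePath,Name", "/format:csv"])
    return {"files": scan_paths(paths),
            "missing_shares": missing_admin_shares(run(["net", "share"])),
            "listeners": tcp_listeners_on_ioc_ports(run(["netstat", "-ano"])),
            "svchost": rogue_svchost(wmic, windir)}


# Constructed sample data standing in for output from a compromised XP host.
SAMPLE_PATHS = [r"C:\WINDOWS\system32\svchost.exe", r"C:\1\NTscan.exe",
                r"C:\WINDOWS\inf\404\asp.net\x.dat", r"C:\RECYCLER\S-1-5-21-99\lan1.txt",
                r"C:\Program Files\App\readme.txt",
                r"C:\WINDOWS\system32\config\sysop\svchost.exe"]
SAMPLE_NET_SHARE = """Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
The command completed successfully.
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       1612
  UDP    0.0.0.0:123            *:*                                    1044
"""
SAMPLE_WMIC = """
Node,ExecutablePath,Name
HOST1,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe
HOST1,C:\\WINDOWS\\system32\\config\\sysop\\svchost.exe,svchost.exe
HOST1,C:\\WINDOWS\\explorer.exe,explorer.exe
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        print(triage_live_host())
    else:
        print(scan_paths(SAMPLE_PATHS), missing_admin_shares(SAMPLE_NET_SHARE),
              tcp_listeners_on_ioc_ports(SAMPLE_NETSTAT), rogue_svchost(SAMPLE_WMIC))
```

A file-name match alone is weak evidence, as the advisory itself notes that several of these are legitimate administrative tools; the combination of an IOC name, a file in one of the drop directories, deleted admin shares and a second svchost.exe outside system32 is what to report to istsecurity@mcgill.ca. Run the checks from trusted media if possible, since the rootkits mentioned in the advisory can hide files and processes from tools on the host.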
Email from this and several technical NCS lists is now being archived
on the web interface: http://lists.mcgill.ca/archives/techies.html