Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Basant Gajja » Sat, 16 Nov 2002 18:08:31



Dear Group,

We have a huge network of computers (about 600+) using a Class B IP
address range (and they all have public IP addresses, i.e. no 10.x.x.x or
192.168.x.x). All the computers are behind a router and a private
internet gateway which controls the outgoing and incoming internet
traffic. Also, almost all the computers on the network run a
Microsoft-based OS (Win2k and WinXP) and a few computers (servers) run
Linux and act as firewalls, routers etc. These servers act as gateway
as well as firewall to these computers and don't allow incoming traffic, i.e.
all ports are blocked except for a few which run web servers etc. We
have tried logging into our computers from outside our network but we
cannot gain access to them as there's a firewall and a gateway, but all
the computers within the corporate network can communicate with each other.

Yesterday, a hacker (prolly from Norway) gained access to two of our
computers which run Win 2K Prof and Win NT 4.0 Workstation respectively,
bypassing the firewall. We are wondering how the person gained access to
our network even though there was a firewall in between our workstation
on the network and the hacker's computer. Those two computers had the
local computer's Administrator password blank and we guess that's what
the hacker used to gain access to the files using NetBIOS. The hacker
somehow installed WinVNC client and some mIRC script (RUNDLL32.exe) onto
those two machines. We were shocked to see him controlling the computer
as if he/she was actually sitting in front of the computer. We
identified the hacker's computer's IP address and found that his IP
originated from Norway and the server software WinVNC was sending out
packets to that IP address and waiting for the hacker to connect to the
system. We simulated this attack on another computer and came to the
conclusion that the hacker (1) used the NetBIOS protocol to connect to
the computer to transfer files using the local administrator login with
blank password, (2) installed WinVNC as a service, (3) rebooted the
computer somehow and gained access as a remote administrator and took
control of the computer and started using it as if he/she were
sitting in front of that computer. We saw a batch file that executed
WinVNC with the -install argument, which installed it as an NT service,
and also noticed that there wasn't any server software installed to
facilitate the work of the hacker by providing a service like remote
administrator (like Remote Administrator 2.1 -- www.radmin.com) to allow
control over that computer.

We are not clear at a couple of points:

(1) how did the hacker start the program remotely?

and

(2) how did the hacker shut down/reboot the computer without using any
software like Remote Administrator 2.0 (www.radmin.com)? Is there any
way to shut down the computer using Microsoft's basic built-in
networking packages like the NET command?

We are very much scared and we are inviting suggestions/solutions from
the people out here on this planet.

Responses greatly appreciated.

Thank you very very much

Basant Gajjar

(Asst. Network Administrator)

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Axel Irrige » Sat, 16 Nov 2002 19:20:53


Quote:> and

> (2) how did the hacker shutdown/reboot the computer without using any
> software like remote administrator 2.0 (www.radmin.com)? Is there any
> way to shut down the computer using the basic microsoft's built-in
> networking packages like NET command?

Hi,

To the first unclear point I'm afraid I can't enlighten you.
The second point is rather simple: if he can execute a shell script
he can also run rundll32.exe.
There is a command ExitWindows which can reboot a machine.
In the following are the appropriate commands (I don't know if it
still works using Win 2K but I expect so):
Windows 95
        RUNDLL USER.EXE,ExitWindowsExec
Windows 98
        RUNDLL SHELL32.DLL,SHExitWindowsEx 2
Windows NT4

        PUSHD %temp%
        ECHO [Version] > {out}.inf
        ECHO signature=$chicago$ >> {out}.inf
        ECHO [defaultinstall] >> {out}.inf
        RUNDLL32 SETUPAPI,InstallHinfSection DefaultInstall 1 {out}.inf
        DEL {out}.inf
        POPD
and
        SHUTDOWN /L /R /T:0 /Y

I haven't tried out the WinNT script as I don't have WinNT any longer in my
networks, but the others work fairly well.

Using an internet FAQ:
How can I log off or shutdown a remote Windows 2000 computer?
1. Right-click My Computer and select Manage.

2. On the Action menu, press Connect to another computer ....

3. Double-click a computer in the list.

4. Right-click Computer Management (<Name>) and press Properties.

5. On the Advanced tab, press Startup and Recovery.

6. Press the Shut Down button.

7. Select an Action:
       Log off Current User
       Shut Down
       Restart
       Power down (if supported)

8. Select a Force Apps Closed action and press OK.

Furthermore he could start winvnc right after install if he managed to get
the configuration already done and then reboot "at gui level"

Hope it helped

Axel Irriger
Linux Network Consulting

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Jason Eberl » Sat, 16 Nov 2002 21:44:00


Greetings, Basant;

Quote:> bypassing the Firewall. We are wondering how the person gained access to
> our network even though there was a firewall in between our workstation
> on the network and the hacker's computer. Those two computers had the

   My guess is that your fun journey starts with one or more web servers
to which access is allowed (through the firewall) on port 80.  Depending
on what OS and web server software you run, and *most importantly* what
security patches you forgot to install, there are a variety of exploits
available.  An unpatched NT4 / IIS combo, for example, is just begging
someone to come along with that antique classic IISHACK, or any number
of similar buffer overflow attacks.  These exploits are *way old* - if
you have production machines that haven't been patched up, well... for
shame!

Quote:> those two machines. We were shocked to see him controlling the computer
> as if he/she was actually sitting in front of the computer. We

   Remote control is cool, eh?  When you get over the shock and horror
of having been rooted, think about the fun ways you could use that kind
of software for remote administration.  Kind of a lifesaver sometimes,
actually.

Quote:> (1) how did the hacker start the program remotely?

   Well, there's AT and WINAT for scheduling jobs (and you probably have
AT on the workstations by default if they're NT) - so, no great feat
really.  Run SRVMGR \\<workstation name> from the rooted web server,
turn on the AT scheduling service if it ain't already on, and then submit
a scheduled job to do whatever you want.  This is especially useful, for
example, for running NetCat (NC.EXE) - you can schedule it to listen on
a port and redirect to a command prompt, and from that point you get the
C:\ prompt from the remote machine.

Quote:

> (2) how did the hacker shutdown/reboot the computer without using any
> software like remote administrator 2.0 (www.radmin.com)? Is there any
> way to shut down the computer using the basic microsoft's built-in
> networking packages like NET command?

   Tons of ways.  Easiest is to do it from another machine, with
resource kit utilities like SHUTDOWN or SHUTGUI or the like.  I betcha
if you sniff around, you'll find a web server with a curious collection
of just these very files and utilities, actually.

   Well, you better go back and check all those devices that you have
port forwarding or whatnot set up on the firewall.  I'd bet you even
money that at least one of them has become a giant, gaping back door.
And, if your buddy in Norway isn't already back wreaking havoc on/from
it, odds are his friends are.

   While you're at it, you might want to hunt around and grab all the
latest service packs and security fixes, eh?  It's a moving target, yes
- but I highly recommend you chase it a little bit.  Good luck!

  - Jason
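As an added defender-side example, not code from the thread or any poster, here is a small Python detector run over constructed event-log lines for the three things Axel and Jason describe above: a network logon as the local Administrator from an outside address, a VNC server registered as a service, and a scheduled (AT) job that launches a remote-control or shutdown tool. The export format, event IDs, host names and addresses are all assumptions made for illustration.

```python
import re

# Assumed corporate prefix: a documentation range (TEST-NET-2) stands in for the
# poster's public Class B block. Any other source address is treated as external.
CORP_PREFIX = "198.51.100."

# Tools named in the thread; a service or scheduled job that launches one is flagged.
SUSPICIOUS_TOOL = re.compile(r"\b(winvnc|vnc|nc)\.exe\b|rundll32?\b.*(exitwindows|installhinfsection)", re.I)

# Constructed sample in the shape of an event-log export: date,log,event id,source,message.
# Event IDs (540 network logon, 7045 service installed, 602 scheduled task created),
# host names and addresses are assumptions for illustration, not data from the thread.
SAMPLE_LOG = """\
2002-11-15 22:03:11,Security,540,Security,Successful Network Logon: User Name: Administrator Domain: WS0412 Logon Type: 3 Source Network Address: 203.0.113.77
2002-11-15 22:03:40,System,7045,Service Control Manager,A service was installed in the system. Service Name: WinVNC Service File Name: C:\\WINNT\\system32\\winvnc.exe -service
2002-11-15 22:04:02,Security,602,Security,Scheduled Task created: Task Name: At1.job Command: C:\\WINNT\\system32\\winvnc.exe -install
2002-11-15 22:05:00,Security,540,Security,Successful Network Logon: User Name: jdoe Domain: CORP Logon Type: 3 Source Network Address: 198.51.100.12
2002-11-15 22:09:17,System,7045,Service Control Manager,A service was installed in the system. Service Name: Spooler Service File Name: C:\\WINNT\\system32\\spoolsv.exe
"""

def parse(export):
    """Split each non-empty export line into its five columns (the message holds no commas)."""
    events = []
    for line in export.splitlines():
        if line.strip():
            ts, log, eid, source, msg = line.split(",", 4)
            events.append({"ts": ts, "log": log, "id": int(eid), "source": source, "msg": msg})
    return events

def _field(msg, name):
    """Return the first whitespace-delimited value after 'Name:' in the message, or ''."""
    m = re.search(re.escape(name) + r": (\S+)", msg)
    return m.group(1) if m else ""

def detect(events):
    """Return (rule, timestamp, detail) tuples for the three indicators described in the thread."""
    findings = []
    for ev in events:
        msg = ev["msg"]
        if ev["id"] == 540:
            user = _field(msg, "User Name")
            src = _field(msg, "Source Network Address")
            # Local Administrator logging on over the network from outside the corporate block
            if user.lower() == "administrator" and not src.startswith(CORP_PREFIX):
                findings.append(("admin-network-logon-from-outside", ev["ts"], src))
        elif ev["id"] == 7045 and SUSPICIOUS_TOOL.search(msg):
            findings.append(("remote-control-service-installed", ev["ts"], _field(msg, "Service Name")))
        elif ev["id"] == 602 and SUSPICIOUS_TOOL.search(msg):
            findings.append(("scheduled-job-launches-suspicious-tool", ev["ts"], _field(msg, "Task Name")))
    return findings

def scan(export=SAMPLE_LOG):
    return detect(parse(export))
```

Calling scan() on the constructed sample yields three findings; the ordinary user logon and the Spooler service install are left alone.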

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Jason Eberl » Sat, 16 Nov 2002 21:47:27


P.S. Now someone please tell him about SNORT or other good NIDS products
and techniques, heh, I'm tired of typing...  :)
 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Nick Dimidu » Sat, 16 Nov 2002 22:43:25


I'm no expert in this field, but I do know that if your hacker managed
to get a VNC server running and connected to it with his client, he
could re-boot the machine as many times as he wanted; I don't think
there's any limitation on the remote desktop.
Good luck to you,
-Nick

> (2) how did the hacker shutdown/reboot the computer without using any
> software like remote administrator 2.0 (www.radmin.com)? Is there any
> way to shut down the computer using the basic microsoft's built-in
> networking packages like NET command?

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by St1 » Sun, 17 Nov 2002 01:06:29



> the hacker used to gain access to the files using NetBIOS. The hacker

I think you must be ashamed of your poor IDS and administration qualities
in such a big network.

The fact that you run that type of security-leaking protocol, NetBIOS, is
amazing; the fact that you don't have some ACLs placed correctly on your
firewall, the fact that you only detect hackers by seeing them remotely
administering a few PCs, and the fact that you have some systems without a sysadmin
password should get you guys fired immediately if I was your boss, even sued
for incompetence.

I would not be amazed if your network has been completely tampered with by
a higher-class hacker than one that uses VNC; at least if I were a
hacker I would not use VNC or mIRC scripts :-)) that's for sure.

So if a 'script' kid has root access to your network (which he seems to have,
after reading your message), start praying that
the 'real' guys have not infiltrated your system, which I would really
think they have for a long time if your system is that open. I have lots
of servers to the outside world, and believe me, daily I get a few
attacks, not only from script kids, but from guys who really know what
they're doing.

Hire a good security expert please, you can't seem to do the job right.

I'm sorry, but this could have been prevented by you. Go to school again,
do some serious studying or change your job please.

--
St1

Let the machine do the dirty work.
                -- "Elements of Programming Style", Kernighan and Ritchie

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Ed Clar » Sat, 16 Nov 2002 22:37:17



>traffic. Also, mostly all the computers on the network run
>Microsoft-based OS (Win2k and WinXP) and a few computers (servers) run
>Linux which act as Firewalls, Routers etc. These servers act as gateway
>as well as firewall to these computers don't allow incoming traffic i.e.
>all ports are blocked except for a few which run web servers etc. We

You mention Microsoft and web servers in the same line. IIS perhaps?  There
have been huge holes in the security of that product and the fact that you
were careless enough to let a server on your network with no password at
all indicates that you probably don't bother keeping up with the fix of the
day from Microsoft.

Do you understand how much trouble you're in?  Someone got into your network
and you HAD NO INTERNAL SECURITY.  How many other machines did he/she/it
get into before you realized there was a problem?  Is there a password
sniffer running there now?  Are you sure?  What other little backdoor
programs have been inserted into your server farm?

By the way, Cert (and many other security information sources) says that
most theft occurs from insiders, not from external sources.  There are
many out-of-work security and network specialists available.  I would
suggest that you hire one of them to do a security audit of your business.
While you still have a business...

A firewall IS NOT SUFFICIENT to protect a network.  You need expert help
from at least an experienced system administrator or a security expert.

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Ed Clar » Sat, 16 Nov 2002 22:43:34



>Dear Group,

>We have a huge network of computers (about 600+) using Class B IP
>address range (and they all have public IP addresses i.e. no 10.x.x.x or

Six hundred computers?  And servers without passwords???  This has to
be a medium/large corporation with a professional IT staff.  Is this
a "troll"?  Ok, you got me.
 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Duncan Thomso » Sun, 17 Nov 2002 02:41:37



> Dear Group,

> We have a huge network of computers (about 600+) ...
> Yesterday, a hacker (prolly from Norway) gained access

This is a joke, right?  You run a network of over 600 machines and you have no
plan for intrusion response and forensics other than to post to these groups?
Clearly, you need to hire professional expertise!

Question for the group: Assuming this is not a joke, how typical is this level
of security protection?

Duncan

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Mulbag » Sun, 17 Nov 2002 03:53:09


There are quite a number of commands available in the 'pstools' suite

DOS window remotely once you gain access to another computer.
 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by J.O. Ah » Sun, 17 Nov 2002 04:24:28



> Greetings, Basant;

BG> bypassing the Firewall. We are wondering how the person gained access
BG> to our network even though there was a firewall in between our
BG> workstation on the network and the hacker's computer. Those two
BG> computers had the

Quote:>   My guess is that your fun journey starts with one or more web servers
> to which access is allowed (through the firewall) on port 80.  Depending
> on what OS and web server software you run, and *most importantly* what
> security patches you forgot to install, there are a variety of exploits
> available.  An unpatched NT4 / IIS combo, for example, is just begging
> someone to come along with that antique classic IISHACK, or any number
> of similar buffer overflow attacks.  These exploits are *way old* - if
> you have production machines that haven't been patched up, well... for
> shame!

BG> and a few computers (servers) run Linux which act as
BG> Firewalls, Routers etc.

My guess is that the poster meant that the computers directly connected to the
net, which work as firewall/gateway/web servers, were running Linux, which would
in that case most likely be Apache servers. But of course a bad combination of
Apache and PHP would give some security issues too.

  //Aho

 
 
 

Our Large Network HACKED and Remote Computer Shutdown/Reboot w/o using Server Software

Post by Ingo Paklepp » Sun, 17 Nov 2002 05:13:41




>> Dear Group,

>> We have a huge network of computers (about 600+) ... Yesterday, a
>> hacker (prolly from Norway) gained access

> This is a joke, right?  You run a network of over 600 machines and you
> have no plan for intrusion response and forensics other than to post to
> these groups? Clearly, you need to hire professional expertise!

> Question for the group: Assuming this is not a joke, how typical is this
> level of security protection?

> Duncan

Unfortunately, that seems to be all too common. I know of a bank (no, I
won't name names!) who ran IIS as administrator account whenever
something went wrong and refused to apply security patches or service
packs because there was not enough time allocated to test them. Oh, and
these servers contained sensitive account information.
 
 
 
