We had another round of hacked servers in the past few weeks. Strangely enough, the rootkit used was very similar to the one used around the time of this cryptic post. Since I cleaned that round the last time, I was able to figure out this latest round pretty quickly.
What hit us was a variant of the Hacker Defender toolkit, but localized into French (I think). I was able to manually remove the puppy before other folks around here were able to locate a remover program. Just because I like sharing, this is what I discovered.
The toolkit creates three services:
- dcrssdrv, hidden, launches %windowsdir%\system32\spool\tracking\in\dcrssdrv.sys
- mmsm, visible, launches %windowsdir%\system32\spool\tracking\in\mmsm.exe
  - Description: Optimize transfert between CPU&RAM
  - Display Name: Memory Manager
- tcp-ip_port_analyzer, hidden, launches %windowsdir%\system32\spool\tracking\in\dcrs.exe dcrs.ini
  - Description: Manage all Netbios Connections
  - Display Name: Tcp-ip Netbios Monitoring
They also created another folder in "C:\System Volume Information\tracking\", which you normally can't get at from Explorer. You have to set permissions on the System Volume Information folder in order to get into it. In that folder were various recon and spreading tools, as well as pwdump4 for dumping the local SAM database. They didn't get to anything with any real data in it, so our passwords are safe. Plus, our local admin passwords are longer than 16 characters, so rainbow tables won't work.
In order to get things back, I set the SYSTEM user to Deny Access for the following directories:
- %windowsdir%\system32\spool\tracking\
- c:\System Volume Information\tracking\
As a result of this, the rootkit wasn't able to initialize and the hidden registry keys were visible again:
- HKLM\System\CurrentControlSet\Services\dcrssdrv
- HKLM\System\CurrentControlSet\Services\mmsm
- HKLM\System\CurrentControlSet\Services\tcp-ip_port_analyzer
- HKLM\System\ControlSet002\Services\dcrssdrv
- HKLM\System\ControlSet002\Services\mmsm
- HKLM\System\ControlSet002\Services\tcp-ip_port_analyzer
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Tcp-ip_port_analyzer
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcp-ip_port_analyzer
- HKLM\System\ControlSet002\Control\SafeBoot\Minimal\Tcp-ip_port_analyzer
- HKLM\System\ControlSet002\Control\SafeBoot\Network\Tcp-ip_port_analyzer
None of the above is googleable, as far as I've found, but I've seen it before. So now when other people get hacked by this crew, they'll have a resource.
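As an added example (not the author's own script), here is a PowerShell check for the indicators listed in this post, with the author's containment step (deny SYSTEM on the two directories) behind an `-Apply` switch. It assumes an elevated Windows PowerShell prompt; the function and parameter names are mine, the paths, service names and registry keys are the ones from the post.

```powershell
# Added example, not from the original post. Checks a host for the indicators
# described above and optionally applies the deny-SYSTEM containment step.
# Run elevated. Hypothetical names: Test-HxdefIndicators, Set-DenySystemAccess.
param([switch]$Apply)

$sys32 = Join-Path $env:windir 'system32'
$dirs = @(
    (Join-Path $sys32 'spool\tracking'),
    # Admins cannot list System Volume Information by default; as the post
    # says, grant yourself permissions on it first or this check returns $false.
    (Join-Path $env:SystemDrive 'System Volume Information\tracking')
)
$services = 'dcrssdrv', 'mmsm', 'tcp-ip_port_analyzer'
$regKeys = foreach ($cs in 'CurrentControlSet', 'ControlSet002') {
    foreach ($s in $services) { "HKLM:\SYSTEM\$cs\Services\$s" }
    foreach ($mode in 'Minimal', 'Network') {
        "HKLM:\SYSTEM\$cs\Control\SafeBoot\$mode\Tcp-ip_port_analyzer"
    }
}

function Test-HxdefIndicators {
    # Hacker Defender hides its keys, files and services from hooked user-mode
    # calls while it is running, so an empty result is not proof of absence.
    # Re-run after the deny ACLs and a reboot, when the keys become visible.
    $hits = @()
    foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $hits += $k } }
    foreach ($d in $dirs)    { if (Test-Path -LiteralPath $d) { $hits += $d } }
    foreach ($s in $services) {
        if (Get-Service -Name $s -ErrorAction SilentlyContinue) { $hits += "service:$s" }
    }
    return $hits
}

function Set-DenySystemAccess {
    # The post's containment step: deny SYSTEM on both directories so the
    # service binaries cannot be loaded at next boot. (OI)(CI) makes the ACE
    # inherit to files and subfolders.
    foreach ($d in $dirs) {
        if (Test-Path -LiteralPath $d) {
            & icacls.exe $d /deny 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)'
        }
    }
}

$found = Test-HxdefIndicators
if ($found.Count -eq 0) { 'No indicators from the post were found (see caveat in Test-HxdefIndicators).' }
else { $found | ForEach-Object { "INDICATOR: $_" } }
if ($Apply) { Set-DenySystemAccess }
```

Reboot after `-Apply`, then run the script again without the switch to confirm the registry keys are now visible and can be removed.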
You certainly put the "E" in CNE. Good job!
All I can say is, did you notice it was a Windows server that got hacked? Microsoft should advertise it as the most hackable OS ever! "The Hacker Friendly OS!" Hope you got it all and got them rooted out, if you'll pardon the pun.
Gosh, I can't believe *no one* else has put up anything about this hack; you're still the only page on the net to describe it. Looks like we've had a server hacked with the same thing, but from June last year! :( Seems not to have done any damage, but is damned annoying anyway :(