Happy Turkey Day everyone!!! Hope all of you have turkeytastic goodness, or whatever else it takes for you to have a great turkey day.
As some of you may have heard the nt4 srever that nhstar worked on for on of his clients got rooted.
So we looked around and
Session Start: Mon Nov 24 23:33:36 2003
Session Ident: Bellman
* Logging Bellman to ‘logs\Bellman..log’
-Azzn> so how did you get this lovely little bot onto my server?
-Bellman> do what?
-Azzn> You did a god job of breaking my srever, just wanted to know how you got in 🙂
-Azzn> the bot on my nt server. has bellman in it, and the ip for this irc srever, and the channel that i joined
-Bellman> which bot?
-Azzn> lemme check think its h.exe
-Azzn> cvchost.dll is a log gfile, sent a message to your username here on this irc server
-Azzn> firedaemon possibly
-Azzn> has its own ftp srevice… serv-uftp
-Azzn> port 52525 and locla only 43958
-Bellman> ok then kill it
-Bellman> im sorry
-Azzn> It crashed the server… how did you get it in there?
-Azzn> would like ot make sure that something similar doesnt happen again
-Bellman> dude its program that does it
-Bellman> i dont know how it just does it
-Bellman> if i knew how it got in i would tell you so you can secure your machine
-Azzn> its Micro$haft… secure? lol
-Belman> yea nt has many vulnerabiltys
-Azzn> whats the name of the program, and where can i find a copy?
-Belman> thats what it targets
-Bellman> ohh i cant give that out
-Azzn> I have your screen name, I have the IP of this server, I have the whois Database entry information… I would prefer to get a copy for myself, then hand this all over to a lawenforcement agency.
-Azzn> I even have a log of everyone logged into this IRC server, and this conversation… play nice now. 🙂
-Bellman> youwant me to send You copys of the root kit
-Azzn> please 🙂
-Azzn> or where to get it. 🙂
-Bellman> see the problem is your nt pass word is weak
-Azzn> yeah yeah it was.
-Bellman> its freeware
-Azzn> If it was from there, why would you say you can’t give it out?
-Bellman> man i dont know who You are
-Azzn> If I was law enforcement this would be called entrapment. Which i am not. Im just a friend of the admin on the box you rooted, and botted.
-Bellman> if it had a pass other than administror it would have been ok
-Bellman> or user
-Azzn> so it doesnt use a buffer over flow then… interesting.
-Azzn> there an easy way to nuke it off the system? Any back doors it leaves? (btw i dont think the password was “administrator” or “user”
-Azzn> so whats the name of the sploit?
-Bellman> yea it only uses like 4 easy”stupid” passwords
-Bellman> i dont know the name
-Bellman> im not a windows server guru
-Azzn> whats the name of the proggy you used to bruteforce in then (the one that uses like 4 easy “stupid” passwds?
-Azzn> the url you gave me has one called Nt server password exploit by [m3th0d] but its a dead link
-Bellman> all the progs are there on that site
-Bellman> ok man you got all the info
-Bellman> see ya
-Azzn> Thanks for the help. see yah
Session Close: Tue Nov 25 00:00:00 2003
from the Status window…
-barfly.-SERVERNAME>.com- *** You are permanently banned from -SERVERNAME>(no reason)
Yeah fucking right… Like I dont have access to 2.5 million other machines that have differnet IP addresses and can log in any time i want to. Nice try. heh. (Note: the server name has been removed, and the one httplink was blotted out)