As some of you may have heard the nt4 srever that nhstar worked on for on of his clients got rooted.
So we looked around and
Session Start: Mon Nov 24 23:33:36 2003
Session Ident: Bellman
* Logging Bellman to ‘logs\Bellman..log’
-Azzn> so how did you get this lovely little bot onto my server?
-Bellman> do what?
-Azzn> You did a god job of breaking my srever, just wanted to know how you got in 🙂
-Bellman> what?
-Azzn> the bot on my nt server. has bellman in it, and the ip for this irc srever, and the channel that i joined
-Bellman> which bot?
-Azzn> lemme check think its h.exe
-Azzn> cvchost.dll is a log gfile, sent a message to your username here on this irc server
-Azzn> firedaemon possibly
-Azzn> has its own ftp srevice… serv-uftp
-Azzn> port 52525 and locla only 43958
-Bellman> ok then kill it
-Bellman> im sorry
-Azzn> It crashed the server… how did you get it in there?
-Azzn> would like ot make sure that something similar doesnt happen again
-Bellman> dude its program that does it
-Bellman> i dont know how it just does it
-Bellman> if i knew how it got in i would tell you so you can secure your machine
-Azzn> its Micro$haft… secure? lol
-Belman> yea nt has many vulnerabiltys
-Azzn> whats the name of the program, and where can i find a copy?
-Belman> thats what it targets
-Bellman> ohh i cant give that out
-Azzn> I have your screen name, I have the IP of this server, I have the whois Database entry information… I would prefer to get a copy for myself, then hand this all over to a lawenforcement agency.
-Azzn> I even have a log of everyone logged into this IRC server, and this conversation… play nice now. 🙂
-Bellman> youwant me to send You copys of the root kit
-Azzn> yes
-Azzn> please 🙂
-Azzn> or where to get it. 🙂
-Bellman> see the problem is your nt pass word is weak
-Azzn> yeah yeah it was.
-Bellman> http://***********.com/
-Bellman> its freeware
-Azzn> If it was from there, why would you say you can’t give it out?
-Bellman> man i dont know who You are
-Azzn> If I was law enforcement this would be called entrapment. Which i am not. Im just a friend of the admin on the box you rooted, and botted.
-Bellman> true
-Bellman> if it had a pass other than administror it would have been ok
-Bellman> or user
-Azzn> so it doesnt use a buffer over flow then… interesting.
-Azzn> there an easy way to nuke it off the system? Any back doors it leaves? (btw i dont think the password was “administrator” or “user”
-Azzn> so whats the name of the sploit?
-Bellman> yea it only uses like 4 easy”stupid” passwords
-Bellman> i dont know the name
-Bellman> im not a windows server guru
-Azzn> whats the name of the proggy you used to bruteforce in then (the one that uses like 4 easy “stupid” passwds?
-Azzn> the url you gave me has one called Nt server password exploit by [m3th0d] but its a dead link
-Bellman> all the progs are there on that site
-Bellman> ok man you got all the info
-Bellman> see ya
-Azzn> Thanks for the help. see yah
Session Close: Tue Nov 25 00:00:00 2003
from the Status window…
-barfly.-SERVERNAME>.com- *** You are permanently banned from -SERVERNAME>(no reason)
Yeah fucking right… Like I dont have access to 2.5 million other machines that have differnet IP addresses and can log in any time i want to. Nice try. heh. (Note: the server name has been removed, and the one httplink was blotted out)