When you successfully hack a box with the DameWare remote exploit, what is the best way to secure it so no one can rehack it? My suggestions are deleting tftp.exe and stopping the net service. Anyone got another?
Arnie
Jan 5 2004, 11:49 PM
Upgrade DameWare? Run it on another port? Don't delete stuff, deleting is bad.
vnet576
Jan 5 2004, 11:49 PM
net stop dwmrcs
rush
Jan 5 2004, 11:52 PM
I don't think that helps, because the user would find out. They ain't running it for shit. And ok, deleting is bad, I'll rename them to pluto.exe.
x1`
Jan 5 2004, 11:53 PM
Renaming tftp and ftp is the best bet.
headbanger
Jan 6 2004, 12:08 AM
QUOTE (Dickybob20 @ Jan 5 2004, 11:53 PM)
Renaming tftp and ftp is the best bet.
I must agree. If u stop the server or delete anything, he will surely find out.
I think this is best; if I'm wrong please correct me.
vnet576
Jan 6 2004, 12:48 AM
QUOTE (rush @ Jan 5 2004, 06:52 PM)
I don't think that helps, because the user would find out. They ain't running it for shit. And ok, deleting is bad, I'll rename them to pluto.exe.
The user most likely was hacked using NetBIOS previously. Hence the original hacker installed DameWare as a service when they connected to the machine. That's why so many computers have that app running and why this is such a widespread exploit. Do you honestly think that so many people would install DameWare NT Utilities on their own? You gotta be joking!
I can't believe people are renaming/deleting ftp.exe/tftp.exe instead of patching the vulnerability they exploited.... And stopping/removing the dwmrcs service would not help very long (they will install the vuln server again in no time).
I do the following:
- Stop/deinstall the dwmrcs service
- Replace DWRCS.exe with V3.73
- Install/start the new dwmrcs service
DWRCS.exe has command-line options for removing/installing.
BillyJawz
Jan 6 2004, 09:11 AM
Renaming is not enough... for a script kiddie perhaps.
Think about changing file attributes (like change time or so) or those kinds of things...
You should perhaps disable (not only stop) the DameWare service (as the real admin has NTLM rights to re-enable it).
Gotisch
Jan 6 2004, 09:14 AM
Patch your server. You could even connect via DameWare and download the update.
ehm
Jan 6 2004, 10:54 AM
Some people start talking about renaming (sucks) or installing an upgrade, but u all suck!!!! The best way to secure a server is to do it quick and without much work... so try to think, damn idiots. I just give u a little goodie, "cacls"; so when someone here is a little bit intelligent and not just a script kiddie, u will know what I mean!
bye bye
cha0s
Jan 6 2004, 11:36 AM
I've got some self-coded tools that disable use of tftp.exe/ftp.exe. They work as a kind of firewall, so incoming requests relying on these two old apps won't work. Renaming is good too. Another idea is to make an exe that deletes the two after reboot; just add a service and ur done.
limbox
Jan 6 2004, 12:10 PM
Well, DMG already posted the best solution: upgrade to the new version.
dmg
Jan 6 2004, 01:03 PM
QUOTE (ehm @ Jan 6 2004, 10:54 AM)
Some people start talking about renaming (sucks) or installing an upgrade, but u all suck!!!! The best way to secure a server is to do it quick and without much work... so try to think, damn idiots. I just give u a little goodie, "cacls"; so when someone here is a little bit intelligent and not just a script kiddie, u will know what I mean!
bye bye
Quick and without much work? I wrote a script to upgrade the DWMRCS service. Quicker than just running a script is not possible imho....
Cacls is nice to fool stupid sysops by changing ACLs, but securing a server with it?? Anybody running the DameWare exploit gets a shell with SYSTEM privileges, so cacls is pretty useless imho. All it takes is "take ownership"; any administrator can do that (SYSTEM certainly can too).
I think it's better to keep others out than to prevent them from getting out when they already got in. Think about it!
Just my 2c
btw anybody that doesn't share my opinion doesn't necessarily suck
night^man
Jan 6 2004, 03:23 PM
Do a lil search around for "firewall.exe" and run it on the opened port: "firewall.exe 6129 6129 6129". This will do the job.
dmg
Jan 6 2004, 03:30 PM
QUOTE (night^man @ Jan 6 2004, 03:23 PM)
Do a lil search around for "firewall.exe" and run it on the opened port: "firewall.exe 6129 6129 6129". This will do the job.
If they run DameWare they will notice DameWare MRCS not working anymore on that box (they can't connect anymore!). If they investigate a little they will find your firewall.exe....
This DameWare exploit is beautiful, but admins running DameWare have a bigger chance of finding irregularities than admins running the standard MS support tools. You have to hide your stuff and don't change too much.
vnet576
Jan 6 2004, 08:31 PM
QUOTE (ehm @ Jan 6 2004, 05:54 AM)
Some people start talking about renaming (sucks) or installing an upgrade, but u all suck!!!! The best way to secure a server is to do it quick and without much work... so try to think, damn idiots. I just give u a little goodie, "cacls"; so when someone here is a little bit intelligent and not just a script kiddie, u will know what I mean!
bye bye
I've created a honeypot for DameWare and similar exploits using a technique similar to what u're talking about... limiting the access of the file, but in my case the service. Instead of running the service under SYSTEM privileges you create a limited account, perhaps a guest account, and set the service to run under it. Works pretty well too; the attacker is limited in what they can do and you can observe them in a controlled environment without them doing any damage.
dmg
Jan 6 2004, 08:40 PM
I would hate to get in some honeypot like that.... When you're in and notice a running snort service or something, you know you're screwed.
Better watch who you exploit aight
AlessandroIT
Jan 6 2004, 08:50 PM
QUOTE (dmg @ Jan 6 2004, 09:03 AM)
I can't believe people are renaming/deleting ftp.exe/tftp.exe instead of patching the vulnerability they exploited.... And stopping/removing the dwmrcs service would not help very long (they will install the vuln server again in no time).
I do the following:
- Stop/deinstall the dwmrcs service
- Replace DWRCS.exe with V3.73
- Install/start the new dwmrcs service
DWRCS.exe has command-line options for removing/installing.
I can hack 3.73... u need to upgrade it to 4.0...
I think it's the best method..... I'll try it tomorrow.
GhostCow
Jan 6 2004, 09:10 PM
vnet, can you post the exact commands to use cacls to run a service under a different user?
vnet576
Jan 6 2004, 09:16 PM
QUOTE (GhostCow @ Jan 6 2004, 04:10 PM)
vnet, can you post the exact commands to use cacls to run a service under a different user?
I didn't use cacls... ehm's post was based on a similar idea to mine, so I posted what I did.
Since this was a honeypot on my machine I just did the options in services.msc, but I'm pretty sure that u can do the same thing with Service Control found in WinXP, Win2k3, and (Win2k?)
CODE
Sc.exe config /?
LoCaliSe
Jan 7 2004, 02:49 AM
Remove the old one and replace it with the new version.
headbanger
Jan 7 2004, 06:56 AM
Firewall works great. Try it out, I think it's the best way to go.
ehm
Jan 7 2004, 08:59 AM
QUOTE (GhostCow @ Jan 6 2004, 09:10 PM)
vnet, can you post the exact commands to use cacls to run a service under a different user?
When u can't figure this out by urself, better u should stop hacking ^^
KoNh
Jan 7 2004, 09:37 AM
QUOTE (AlessandroIT @ Jan 6 2004, 08:50 PM)
QUOTE (dmg @ Jan 6 2004, 09:03 AM)
I can't believe people are renaming/deleting ftp.exe/tftp.exe instead of patching the vulnerability they exploited.... And stopping/removing the dwmrcs service would not help very long (they will install the vuln server again in no time).
I do the following:
- Stop/deinstall the dwmrcs service
- Replace DWRCS.exe with V3.73
- Install/start the new dwmrcs service
DWRCS.exe has command-line options for removing/installing.
I can hack 3.73... u need to upgrade it to 4.0...
I think it's the best method..... I'll try it tomorrow.
Nothing else will stop a skilled r3h4x0r from getting axx to the full sys.
Think about it!!! CACLS is an old known thing...
C'ya Steven
XtrA
Jan 10 2004, 09:29 AM
After I hack I just delete some files from SYSTEM32: DWRCS.EXE, DWRCK.DLL, DWRCS.INI, DWRCSET.DLL, DWRCShell.dll
GhostCow
Jan 10 2004, 03:02 PM
The Cacls command can be run only on disk drives that use the NTFS file system.
:<
Anyone know of this and has an alternate solution along the lines of changing access rights of a file... (DWRCS.exe)?
dmg
Jan 10 2004, 03:05 PM
QUOTE (XtrA @ Jan 10 2004, 09:29 AM)
After I hack I just delete some files from SYSTEM32: DWRCS.EXE, DWRCK.DLL, DWRCS.INI, DWRCSET.DLL, DWRCShell.dll
If you had tried DameWare NT Utilities on your own systems you would have found out why deleting those files won't help. The Mini Remote Control server can be installed remotely by any PC running DameWare NT Utilities. The first time the sysop tries to connect (and can't), DameWare NT Utilities will ask if it should install DWRCS on the remote system. Of course the sysop clicks yes and another vuln DWRCS will be installed on the remote
If you just patch (upgrade) the darn thing they can still connect and the server is not vuln anymore....
Photon
Jan 12 2004, 05:30 AM
QUOTE (Steffan @ Jan 10 2004, 09:11 AM)
The only good security is to patch the system...
Nothing else will stop a skilled r3h4x0r from getting axx to the full sys.
Think about it!!! CACLS is an old known thing...
C'ya Steven
Good point. You can temporarily add another admin user and use the DameWare service from a remote system..
Blast3rPL
Jan 12 2004, 08:39 PM
Gosh guyz... when I read it I was about... pretty lamed.
Check this:
1. Upgrading DameWare NT Utilities from 3.7x to 4.0.00 and higher
2. Disabling port 6129 by firewall.exe or by making a domain on port 612 in Serv-U FTP (that means disabling the port).
3. Deleting tftp.exe & ftp.exe
4. Do a little CACLS & ATTRIB
5. Check if it's rehackable; if yes, do all again.
Hey ya, what do you think about that method? No renaming, no deleting services.
If there's something bad, correct me.
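Read from the defending side, every step proposed in this thread leaves an indicator on the box: a DWRCS build below 4.0.00, port 6129 no longer listening although the service is installed, tftp.exe/ftp.exe gone from system32, the service account changed, an extra admin user. The Python below is an added example, not anything posted in the thread; it runs those checks over a constructed host snapshot, and the HostSnapshot fields, the baseline values and the host/account names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Baselines from the thread: 3.7x exploitable, 4.0.00 and higher not; MRC port 6129; tftp/ftp get renamed.
FIXED_IN = (4, 0, 0)
DWRCS_PORT = 6129
LOLBINS = {"tftp.exe", "ftp.exe"}
BASELINE_ACCOUNT = "LocalSystem"      # assumed site baseline for the dwmrcs service account
BASELINE_ADMINS = {"Administrator"}   # assumed site baseline for local admins

def parse_version(text: str) -> tuple:
    """'3.73' -> (3, 73, 0); '4.0.00' -> (4, 0, 0); non-digits inside a piece are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])

@dataclass
class HostSnapshot:                  # constructed inventory record, not a real tool's output
    name: str
    dwrcs_version: Optional[str]     # None when DWRCS.exe is absent
    service_account: Optional[str]   # account the dwmrcs service runs under
    system32_files: Set[str]
    listening_ports: Set[int]
    local_admins: Set[str]

def triage(h: HostSnapshot) -> List[str]:
    found = []                       # one short finding per indicator present on this host
    if h.dwrcs_version and parse_version(h.dwrcs_version) < FIXED_IN:
        found.append(f"DWRCS {h.dwrcs_version} is below 4.0.00: exploitable build, upgrade")
    if h.dwrcs_version and DWRCS_PORT not in h.listening_ports:
        found.append(f"DWRCS present but port {DWRCS_PORT} not listening: blocked or stopped")
    if h.service_account and h.service_account.lower() != BASELINE_ACCOUNT.lower():
        found.append(f"dwmrcs runs as '{h.service_account}', not the baseline account")
    missing = sorted(LOLBINS - {n.lower() for n in h.system32_files})
    if missing:
        found.append("missing from system32 (renamed or deleted?): " + ", ".join(missing))
    extra = sorted(h.local_admins - BASELINE_ADMINS)
    if extra:
        found.append("admin accounts outside baseline: " + ", ".join(extra))
    return found

# Constructed snapshot of a box "secured" the way this thread describes.
TAMPERED = HostSnapshot("ws-17", "3.73", "LocalSystem", {"DWRCS.EXE", "pluto.exe", "cmd.exe"},
                        {139, 445}, {"Administrator", "svc_tmp"})

if __name__ == "__main__":
    for line in triage(TAMPERED):
        print(f"[{TAMPERED.name}] {line}")
```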
Steffan
Jan 13 2004, 12:05 AM
QUOTE (Blast3rPL @ Jan 12 2004, 08:39 PM)
1. Upgrading DameWare NT Utilities from 3.7x to 4.0.00 and higher
Do you hack a sys with 4.0 (same exploit)?
Don't know, on my sys it doesn't work. After it's a 4.0x and it doesn't have more bugs (scan the damn thing) it's secure, otherwise U have to patch.. after, it should be yours.
I just updated to 4.0 and there's no way to get in... or it's a honeypot.
C'ya
d3k1d
Jan 13 2004, 12:39 AM
QUOTE (Blast3rPL @ Jan 12 2004, 08:39 PM)
Gosh guyz... when I read it I was about... pretty lamed.
Check this:
1. Upgrading DameWare NT Utilities from 3.7x to 4.0.00 and higher
2. Disabling port 6129 by firewall.exe or by making a domain on port 612 in Serv-U FTP (that means disabling the port).
3. Deleting tftp.exe & ftp.exe
4. Do a little CACLS & ATTRIB
5. Check if it's rehackable; if yes, do all again.
Hey ya, what do you think about that method? No renaming, no deleting services.
If there's something bad, correct me.
I secure my servers with the same nice ideas as you do... and I have never been rehacked yet...
=k3Rn=
Jan 13 2004, 02:34 AM
I think nuff said now. Upgrading is the best you can do - what else do you guys want?
Yellow_Blue
Jan 17 2004, 06:50 AM
You need 3 files to secure them. I have them; if you want these files, send me a msg via PM.
DvilleStoner
Feb 26 2004, 10:56 AM
QUOTE (vnet576 @ Jan 6 2004, 12:48 AM)
QUOTE (rush @ Jan 5 2004, 06:52 PM)
I don't think that helps, because the user would find out. They ain't running it for shit. And ok, deleting is bad, I'll rename them to pluto.exe.
The user most likely was hacked using NetBIOS previously. Hence the original hacker installed DameWare as a service when they connected to the machine. That's why so many computers have that app running and why this is such a widespread exploit. Do you honestly think that so many people would install DameWare NT Utilities on their own? You gotta be joking!