hacker_program_found
Hacker Program Found
Impact
This advisory indicates that a hacker program has been detected on the scanned host.
Background
SARA looks for two pieces of evidence that the system has been compromised:
- Existence of root.exe (a copy of cmd.exe) in one of the IIS Web directories (usually samples). It is left behind by worms that broke in through an IIS directory traversal (command execution) vulnerability and copied the command interpreter into a web-accessible directory.
- A hacker program called BNC, a simple program that proxies IRC sessions. It is configured through the file bnc.conf, which sets the incoming and outgoing ports, user ID and password. Hackers install it to prove to their community that they have broken into the target computer. This check is only performed when SARA is run in extreme mode.
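The root.exe check above is essentially a search for a copy of cmd.exe under the web root. Since the attacker can name the copy anything, a practitioner will want to match on content rather than on the name root.exe. The following is an added example (not SARA's own code): it walks a set of web directories, flags files named root.exe, and also flags any file whose SHA-256 matches the host's real cmd.exe, whatever it is called. The DEFAULT_WEB_DIRS list and the temporary directory tree built by demo() are assumptions constructed for the example; on a real host the web directories come from the IIS configuration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical sweep list (assumption for this example); take the real
# list from the IIS configuration of the host being checked.
DEFAULT_WEB_DIRS = [r"C:\inetpub\wwwroot", r"C:\inetpub\scripts", r"C:\inetpub\iissamples"]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cmd_copies(web_dirs, cmd_exe_path):
    """Return [(path, reason)] for every file under web_dirs that is either
    named root.exe or byte-for-byte identical to the reference cmd.exe
    (a renamed copy). Unreadable files are skipped, not reported."""
    ref = sha256_of(cmd_exe_path)
    hits = []
    for d in web_dirs:
        for root, _dirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                reasons = []
                if name.lower() == "root.exe":
                    reasons.append("named root.exe")
                try:
                    if sha256_of(p) == ref:
                        reasons.append("content identical to cmd.exe")
                except OSError:
                    continue
                if reasons:
                    hits.append((p, ", ".join(reasons)))
    return hits


def demo():
    """Constructed sample tree: a fake cmd.exe, a copy named root.exe in a
    samples directory, a renamed copy in scripts, and a benign page.
    Returns [(basename, reason)] sorted by basename."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp, "system32")
        sysdir.mkdir()
        cmd = sysdir / "cmd.exe"
        cmd.write_bytes(b"MZ fake cmd.exe body constructed for the example")

        web = Path(tmp, "wwwroot")
        (web / "samples").mkdir(parents=True)
        (web / "scripts").mkdir()
        (web / "samples" / "root.exe").write_bytes(cmd.read_bytes())   # classic worm drop
        (web / "scripts" / "shell.exe").write_bytes(cmd.read_bytes())  # renamed copy
        (web / "default.htm").write_bytes(b"<html>hello</html>")       # benign

        hits = find_cmd_copies([str(web)], str(cmd))
        return sorted((os.path.basename(p), reason) for p, reason in hits)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real host, pass DEFAULT_WEB_DIRS (or the directories from the IIS configuration) and the path of the system cmd.exe to find_cmd_copies(); a hit on "content identical to cmd.exe" for a file that is not root.exe is exactly the renamed copy a name-only scanner would miss.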
The Problem
- Root.exe: Usually indicates that the system has been compromised and that commands can be executed with the privileges of the IIS account.
- BNC: is not a vulnerability in itself, but it indicates that the target system may have been compromised and that an exploitable vulnerability may exist on it. To run the bnc program, an attacker must already have interactive access to the target system.
Resolution
- Root.exe: Carefully check that system integrity is intact. Apply all IIS patches, especially those for the many directory traversal vulnerabilities.
- BNC: Determine the owner of the bnc process (it will probably not be called bnc). If the owner is root and the administrator did not install the program, the system is severely compromised and must be reloaded from scratch; all passwords should also be considered compromised. If the owner is an ordinary user, suspect that his/her account has been compromised. If passwords are not shadowed, consider all passwords on the system compromised.
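The BNC resolution above is a small decision procedure: find the process regardless of its name, identify its owner, and decide between "rebuild the host" and "one account is compromised". The following is an added example (not SARA's own code) that applies it. Because the binary is usually renamed, it locates the process by the bnc.conf file it holds open rather than by command name, then applies the owner rules from the text. PS_SAMPLE and LSOF_SAMPLE are constructed sample listings in the shape of `ps -eo pid,user,args` and `lsof -nP` output (an assumption; the exact columns on a real host may differ), and the hidden directory names in them are invented for the example.

```python
# Constructed sample in the shape of `ps -eo pid,user,args` (assumption).
PS_SAMPLE = """\
  PID USER     COMMAND
    1 root     /sbin/init
  412 root     /usr/sbin/sshd
 2215 root     ./httpd_helper
 3120 alice    /home/alice/.x/ircd -c
 3121 alice    bash
"""

# Constructed sample in the shape of `lsof -nP` output (assumption), limited to
# the two processes of interest. Note neither binary is called bnc.
LSOF_SAMPLE = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd_hel  2215  root  cwd    DIR  8,1     4096  9211 /var/tmp/.X11-dir/
httpd_hel  2215  root    3r   REG  8,1      512  9215 /var/tmp/.X11-dir/bnc.conf
httpd_hel  2215  root    4u  IPv4  1234      0t0  TCP *:31337 (LISTEN)
ircd       3120 alice  cwd    DIR  8,1     4096  7001 /home/alice/.x
ircd       3120 alice    3r   REG  8,1      480  7003 /home/alice/.x/bnc.conf
ircd       3120 alice    5u  IPv4  5678      0t0  TCP 10.0.0.5:6667->198.51.100.7:6667 (ESTABLISHED)
"""


def parse_ps(text):
    """Map pid -> (user, command line) from ps-style output; skips the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            procs[int(parts[0])] = (parts[1], parts[2])
    return procs


def pids_with_bnc_conf(lsof_text):
    """PIDs of processes that hold a file named bnc.conf open, whatever the
    binary calls itself. The NAME column is the last token of each row."""
    pids = set()
    for line in lsof_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 9 and parts[1].isdigit():
            if parts[-1].rsplit("/", 1)[-1] == "bnc.conf":
                pids.add(int(parts[1]))
    return pids


def triage(ps_text, lsof_text, passwords_shadowed, admin_installed=frozenset()):
    """Apply the owner rules from the advisory to every suspected bnc process.
    admin_installed: PIDs the administrator confirms were installed on purpose."""
    procs = parse_ps(ps_text)
    findings = []
    for pid in sorted(pids_with_bnc_conf(lsof_text)):
        if pid in admin_installed:
            continue
        user, cmd = procs.get(pid, ("?", "?"))
        if user == "root":
            # Root-owned and not installed by the admin: rebuild from scratch.
            verdict = "severe: reload the system from scratch; treat all passwords as compromised"
        else:
            verdict = f"account {user} compromised"
            if not passwords_shadowed:
                # Without shadowing, the hashes were readable to that user.
                verdict += "; passwords not shadowed, treat all passwords as compromised"
        findings.append({"pid": pid, "user": user, "command": cmd, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(PS_SAMPLE, LSOF_SAMPLE, passwords_shadowed=False):
        print(f"pid {f['pid']} ({f['user']}, {f['command']}): {f['verdict']}")
```

On a live host, feed the output of the real ps and lsof commands into triage() and confirm with the administrator which PIDs, if any, belong in admin_installed before acting on the verdicts.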