General discussion

using .net tools for hacking?

By canawarz1
I know that there are ways to use .net for altering user rights by using scripts and then compiling them etc. Something I've faced before but I couldn't make up what it really is. I guess some attacker has connected to a computer and used putty to upload some data. Then managed to install a file named x.exe and the owner of that comp. reported that visual .net command started by itself (or an attacker did this, who knows?) occasionally but not on meaningful intervals. Sometimes once in 2 days and another time twice a week and so. I advised that owner to uninstall all .net tools, framework, visual studio, and also that x.exe thing... He installed spybot then tightened his security settings to leave the minimum open port bundle as possible. Here my question is what kind of an attack is this one. And what are possible threats and causes?

All Comments

Not .Net specific!

If someone has the ability to drop an executable file and have it start up upon system start (or login) running as the current user, you're in deep trouble. The fact that .Net was used just means that the attacker was lazy. They could have just as easily used a shell script, or a piece of C++ code or even COBOL if they really wanted to.

Here are my questions:

1) How in the world did someone connect to a Windows desktop via PuTTY? Why is there an SSH or Telnet or rlogin server running on that desktop?

2) Why are your users running as local administrators?

3) Why do your desktops have open ports?

Who cares what the official definition of this attack is? The fact is, someone set these systems up wrong.

1) Close down your ports.

2) Either this came from outside the LAN, which means that either a) your desktops have public IPs (bad idea!) or b) you stuck a desktop in the DMZ (bad idea!) or c) you port forwarded a bucket load of ports to this desktop (bad idea!) or it came from within the LAN, which means that you need to start firing some people there ASAP.

3) Your users should not be running as Administrators, to minimize the damage and contain it to only their own "My Documents" directory and other items under "Documents and Settings" for that particular user.

4) Even if your gateway has proper firewalling, you need to be firewalling on the individual desktops too, in case someone manages to get within the LAN or is attacking from the inside.

5) If this user does not need Visual Studio installed, why was it installed? Visual Studio has a lot of requirements, including installing and running IIS. Again, you're increasing your exposed surface area, for no reason! On the other hand, this user may actually need Visual Studio, in which case they now cannot do their job. Is your company in the regular habit of paying $1,000 for developer tools that people don't need, or is that a pirated copy of Visual Studio?

Removing .Net Framework & Visual Studio doesn't help you one bit, when your desktops are poorly configured. .Net isn't the problem, poor systems administration and configuration is the problem.

Not to jump on your case here (too late!), and I recognize that you may be just the poor guy brought in to clean up someone else's mess, but it sounds to me like your company has deep-rooted security problems that need to be addressed. Again, if an attacker was able to jump onto a desktop and drop an executable and cause it to run at startup, heads need to roll, pronto. If they could do this to a desktop, I bet they could do it to a server too...

J.Ja
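
The checks raised in the reply above (listening ports, who is a local administrator, what is set to start on its own, whether the desktop firewall is on), gathered into one read-only audit. This is an added example, not part of the original thread; it assumes Windows 8 / Server 2012 or later with Windows PowerShell 5.1, and the variable names are illustrative.

```powershell
# Added example: read-only audit of one desktop. Changes nothing on the system.
# Assumption: Windows 8 / Server 2012 or later, Windows PowerShell 5.1.
# Run from an elevated prompt so process paths of other users are visible.

# 1) Non-loopback listening TCP ports and the process that owns each one
#    (an SSH, Telnet or rlogin service on a desktop would show up here).
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Sort-Object LocalPort

# 2) Members of the built-in Administrators group (well-known SID, so this
#    also works on systems where the group name is localized).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3) Programs launched at logon (Run keys and Startup folders).
$autoruns = Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User

# 4) Scheduled tasks outside the \Microsoft\ tree: an executable that starts
#    "by itself" at irregular intervals is often registered here.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }

# 5) Host firewall state for each profile (Domain, Private, Public).
$firewall = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

$listeners, $admins, $autoruns, $tasks, $firewall |
    ForEach-Object { $_ | Format-Table -AutoSize | Out-String }
```

Anything in the listener, autorun or task output whose path points into a user profile or temp directory is the first thing to review.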
