Security Basics mailing list archives
RE: Help on malicious program rpcxserv.exe
From: "Neils Christoffersen" <nchristof () creditsoup com>
Date: Mon, 16 Jun 2003 11:24:02 -0500
I downloaded the zip file from your FTP server and my virus scanner (AVG) detected a virus called "BackDoor.Servu" in rpcxserv.exe. Maybe you can find more info on that.

--
Neils Christoffersen
Software Engineer
CreditSoup, Inc.

-----Original Message-----
From: Michael Dorsey [mailto:enigmavr4 () bellsouth net]
Sent: Saturday, June 14, 2003 8:18 PM
To: security-basics () securityfocus com
Subject: Help on malicious program rpcxserv.exe

I was looking at the open ports on a server at one of my clients and noticed the server had a TCP connection that it opened to 63.98.19.244:6667. The offending program was "C:\WINNT\System32\rpcxserv.exe". It was also listening on 20+ other ports. It's registered as a service called "RPC Interface" with a description of "Provides Interface to remote call services over the network".

There was another file called "SUB0T.dll", which had the same date and time as rpcxserv.exe of 2/11/03 at 18:46. Two additional files, "SUB0T.ini" and "SUB0T.log", were also there. The ini looks like instructions for logging into an IRC server. All of the files had the system and hidden attributes set.

I'm guessing this is some kind of bot for a DoS attack and was curious if anyone else had seen it or knows its infection method. The server is a basic W2K, running Exchange 2000, GFI Faxmaker and Backup Exec. I haven't been able to find anything on the search engines or antivirus sites.

Anyone that wants to look at the files can get them by anonymous ftp here: ftp://advent.gotdns.com. The filename is "rpcxserv.zip".

Thanks for any info,
Michael Dorsey

---------------------------------------------------------------------------
Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
---------------------------------------------------------------------------
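The two indicators Michael reports (an established outbound connection to an IRC port, and one process listening on an unusually large number of ports) are easy to turn into a repeatable triage check over netstat output. The script below is an added example, not code from either poster or from the list; it parses text in the layout of Windows `netstat -ano` (Windows 2000's own netstat does not print PIDs, so on W2K you would need a third-party port-to-process tool to produce such a listing), and the sample listing, the IRC port set and the listener threshold are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of Windows `netstat -ano`.
# Not captured from the server in the post; PID 1532 stands in for rpcxserv.exe.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       380
  TCP    192.168.1.10:1044      63.98.19.244:6667      ESTABLISHED     1532
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:2000           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:4000           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING       1532
  UDP    0.0.0.0:161            *:*                                    904
"""

# Assumptions for the demo: the usual IRC port range plus 7000, and a
# per-process listener count above which a PID is worth a closer look.
IRC_PORTS = set(range(6660, 6670)) | {7000}
LISTEN_THRESHOLD = 5

# proto, local, remote, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def split_port(addr):
    """Split 'host:port' on the last colon; a '*' port (UDP wildcard) becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def triage(rows, irc_ports=IRC_PORTS, listen_threshold=LISTEN_THRESHOLD):
    """Map PID -> list of reasons it was flagged.

    Flags (1) any established TCP connection whose remote port is an IRC port,
    which is the C2 pattern in the post, and (2) any PID holding more than
    `listen_threshold` distinct listening ports, which is the '20+ other ports'
    observation.
    """
    findings = defaultdict(list)
    listeners = defaultdict(set)
    for r in rows:
        rhost, rport = split_port(r["remote"])
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and rport in irc_ports:
            findings[r["pid"]].append(
                f"outbound connection to IRC port {rhost}:{rport}")
        if r["state"] == "LISTENING":
            _, lport = split_port(r["local"])
            listeners[r["pid"]].add(lport)
    for pid, ports in listeners.items():
        if len(ports) > listen_threshold:
            findings[pid].append(
                f"listening on {len(ports)} TCP ports: {sorted(ports)}")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in sorted(triage(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The flagged PID is the pivot for the rest of the checks in the post: map it to its image path and service name (Michael did this by hand and found "RPC Interface" pointing at rpcxserv.exe), then look for sibling files with matching timestamps and the hidden+system attributes. The IRC-port rule will miss a bot that talks on a non-standard port, so treat the listener-count rule as the more robust of the two and tune the threshold to what is normal on the host being examined.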
Current thread:
- Help on malicious program rpcxserv.exe Michael Dorsey (Jun 16)
- RE: Help on malicious program rpcxserv.exe Neils Christoffersen (Jun 16)
- Re: Help on malicious program rpcxserv.exe Roger A. Grimes (Jun 16)