Security Basics mailing list archives
Re: Windows 2000 Server Attacks
From: Su Wadlow <swadlow () utdallas edu>
Date: Fri, 21 Feb 2003 10:14:15 -0600
--On Thursday, February 20, 2003 12:57 PM -0500 Paul Stewart <pauls () nexicom net> wrote:
> We have no idea how this person has managed to gain some form of access to these servers and are obviously quite concerned.
What services are the servers running? Are the machines *fully* patched? We've had similar compromises to user systems using exploits for Windows services. In one case a cracker used an IIS unicode exploit; in another, the machine was running the MSDE (installed with Visio) and the entry point was apparently some kind of SQL exploit.
> The filename of the software that is responsible we believe to be msudb32.exe
Look for the ServU daemon in the machines' list of services. This filename may simply be an attempt to hide the service's true name and purpose. I've seen the ServU FTP daemon renamed several different things -- winmgnr.exe was one, and sys<something>.exe was another. If you find ServU running in the list of services, look for ServUDaemon.ini and ServUStartUpLog.txt in (probably) the same directory that you find the service's executable, and possibly in a subdirectory where the warez are placed as well. Oh, and if it *is* there, you'll probably find that msudb32.exe is the filename of the ServU service.
> Does this ring a bell to anyone by chance? A google shows only one response via newsgroups and no remedy.
If it's ServU, you'll have to stop the service, delete its files and then remove its registry entries. Reboot. Then you can delete the warez, which could be trickier than it sounds. You'll probably have to take ownership of the files and folders before Windows will let you delete them.

--
Su Wadlow
swadlow () utdallas edu
Faculty/Staff Support
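The triage and cleanup Su describes (find an unfamiliar service whose directory also holds ServUDaemon.ini or ServUStartUpLog.txt, stop it, remove its registration, take ownership of the dropped files) can be scripted. The following PowerShell is an added example written for this archive page, not code from the thread or from the Serv-U product. It assumes an elevated session on a modern Windows host; the indicator file list, the version-info regex (Serv-U shipped under the Cat Soft and RhinoSoft names) and the `msudb32.exe` filename check are taken from the thread and from general knowledge, not from an authoritative IoC list.

```powershell
# Added example: triage a host for a renamed Serv-U FTP daemon running as a service.
# Indicators checked, per the reply above:
#   1. ServUDaemon.ini / ServUStartUpLog.txt next to the service executable
#   2. a version resource that still names Serv-U even though the file was renamed
#      (a binary with its version resource stripped defeats this check, so the
#      file indicator carries more weight)
#   3. the filename reported in the thread, msudb32.exe
$IndicatorFiles = @('ServUDaemon.ini', 'ServUStartUpLog.txt')   # assumption: from the thread
$VendorPattern  = 'Serv-?U|RhinoSoft|Rhino Software|Cat ?Soft'  # assumption: historical Serv-U vendor strings

function Get-ServiceExecutablePath {
    # Win32_Service.PathName is the raw ImagePath: it may be quoted and may carry arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $PathName.Trim('"')
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

function Find-SuspectServU {
    [CmdletBinding()]
    param()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExecutablePath -PathName $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -Parent $exe
        $reasons = @()

        # Indicator 1: Serv-U configuration and log files beside the service binary
        foreach ($f in $IndicatorFiles) {
            if (Test-Path -LiteralPath (Join-Path $dir $f)) { $reasons += "found $f in $dir" }
        }

        # Indicator 2: renaming the .exe does not change its embedded version resource
        $vi   = (Get-Item -LiteralPath $exe).VersionInfo
        $meta = "$($vi.ProductName) $($vi.FileDescription) $($vi.CompanyName) $($vi.OriginalFilename)"
        if ($meta -match $VendorPattern) { $reasons += "version info: $($meta.Trim())" }

        # Indicator 3: the filename reported in the original post
        if ((Split-Path -Leaf $exe) -ieq 'msudb32.exe') { $reasons += 'filename matches msudb32.exe' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service     = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                StartMode   = $svc.StartMode
                Path        = $exe
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

function Remove-SuspectServU {
    # Cleanup steps from the reply: stop the service, delete its registration
    # (sc.exe delete removes HKLM\SYSTEM\CurrentControlSet\Services\<name>; a reboot
    # finalises it), then take ownership of the directory so the files can be deleted.
    # Destructive: prompts by default, run only against a confirmed finding.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Directory
    )
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop and delete service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $ServiceName | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($Directory, 'Take ownership and delete files')) {
        & takeown.exe /F $Directory /R /D Y | Out-Null
        # S-1-5-32-544 is the built-in Administrators group
        & icacls.exe $Directory /grant '*S-1-5-32-544:(OI)(CI)F' /T | Out-Null
        Remove-Item -LiteralPath $Directory -Recurse -Force
    }
}

# Usage: triage first, then act on a confirmed hit (path below is a placeholder).
Find-SuspectServU | Format-Table -AutoSize
# Remove-SuspectServU -ServiceName 'msudb32' -Directory 'C:\PLACEHOLDER\dir' -Confirm
```

Preserve a copy of ServUDaemon.ini and ServUStartUpLog.txt before removal: the log records the accounts, IPs and transfers the daemon saw, and the ini shows which directories were exposed, which is the evidence needed to answer the original question of how the servers were reached.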