RE: Windows 2000 Server Attacks

["Mark Stunnenberg" <marksg () chello nl>]

What I know about this, is that 'they' use a bug in IIS to get access on the
server. Most of the time they will install a serv-u ftp server. And  make
hidden dirs that cannot be accessed directly by browsing through the
directories (dirs like "com1", "lpt1" a.o.)

The file msudb32.exe doesn't ring a bell to me though :(



> -----Original Message-----
> From: Paul Stewart [mailto:pauls () nexicom net] 
> Sent: donderdag 20 februari 2003 P 18:57
> To: security-basics () securityfocus com
> Subject: Windows 2000 Server Attacks
>
>
> Hi there..
>
> In the past week we've had a number of Windows 2000 servers 
> get hit by someone uploading warez into hidden directories.  
> Software seems to get installed that is trying to make 
> outbound connections via port 24.  We are seeing a whack of 
> attempts to connect on various ports ranging between 20000 and 50000.
>
> We have no idea how this person has managed to gain some form 
> of access to these servers and are obviously quite concerned. 
>  The filename of the software that is responsible we believe 
> to be msudb32.exe
>
> Does this ring a bell to anyone by chance?  A google shows 
> only one response via newsgroups and no remedy.
>
> Thanks,
>
> ---
> Paul Stewart
> Network Solutions Specialist
> Nexicom Inc.
> http://www.nexicom.net/
> (705)932-4127 Office
> (705)932-2329 Fax