Security Incidents mailing list archives

Re: Attacks against IIS servers using ServU FTP


From: Matt Scarborough <vexversa () usa net>
Date: 9 Jan 2002 10:10:53 EST

This appears to be an updated/modified BackGate trojan. Similarities are

NT4 specific
\os2\dll\...\<SRVANY-like tool>
\os2\dll\...\<Serv-U FTP Server>
\...\<Trojaned Winlogon process>.

The Unicode or double-decode attack vector could have changed. Lack of default
process isolation on IIS4 allows easy privilege elevation. Tools left behind
are similar.
<http://www.incidents.org/react/unicode.php>

Matt Scarborough 2002-01-08

On Tue, 8 Jan 2002 11:24:52 +0100 (CET), Torbjorn Wictorin wrote:

hello,

During the last weeks there have been a number of attacks against IIS
servers running under NT.

Two files are added:

%SystemRoot%\System32\os2\dll\srunner.exe      probably ServiceInstaller(tm) for
                                               Windows NT 4.0
                                               http://www.kcmultimedia.com/smaster/

%SystemRoot%\System32\os2\dll\isystem32.exe    FTP-server

and possibly:

%SystemRoot%\System32\os2\dll\ServUDaemon.ini
and
c:\temp\Dir.dll and Login.dll

Infected machines (NT) seem to first have been scanned on IIS
(port 80), then port 2001 (or 2002), and then the files above show up.

On port 34 (or 33) there is an FTP server:

      220 Serv-U FTP Server v3.0 for WinSock ready.

In the registry one could check:

SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
SOFTWARE\Cat Soft\Serv-U
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TestService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogging


Is this some commonly known exploit?

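A triage script for the indicators Torbjorn lists (the dropped files under os2\dll and c:\temp, the registry keys, and the Serv-U banner on port 33/34), written as an added example for this archive page and not part of either message. It assumes a full-path file listing (`dir /s /b`) and a `regedit /e` export have been collected from the suspect NT host; the sample host data embedded below is constructed. A Serv-U banner is only flagged on the odd ports from the reports, since Serv-U itself is a legitimate product.

```python
import re

# Indicators from the thread: dropped files (matched as path suffixes, so drive letter and
# %SystemRoot% do not matter), registry keys, the RunServices key, FTP ports and banner.
SUSPECT_FILE_SUFFIXES = (r"\system32\os2\dll\srunner.exe", r"\system32\os2\dll\isystem32.exe",
                         r"\system32\os2\dll\servudaemon.ini", r"\temp\dir.dll", r"\temp\login.dll")
SUSPECT_REG_KEYS = (r"hkey_local_machine\software\cat soft\serv-u",
                    r"hkey_local_machine\system\currentcontrolset\services\testservice",
                    r"hkey_local_machine\system\currentcontrolset\services\netlogging")
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
SUSPECT_PORTS = {33, 34, 2001, 2002}
BANNER_RE = re.compile(r"^220 Serv-U FTP Server v\S+ for WinSock ready\.?$")

def check_files(paths):
    """Return entries of a full-path listing (e.g. `dir /s /b`) that match a reported file."""
    return [p for p in paths if p.lower().endswith(SUSPECT_FILE_SUFFIXES)]

def check_reg_export(reg_text):
    """Scan a regedit export: report suspect keys and RunServices values pointing into os2\\dll."""
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip().replace("\\\\", "\\").lower()  # .reg files double backslashes
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current in SUSPECT_REG_KEYS:
                hits.append(current)
        elif current == RUNSERVICES_KEY and "=" in line and "\\os2\\dll\\" in line:
            hits.append(current + ": " + raw.strip())
    return hits

def check_banner(port, banner):
    """Flag a Serv-U greeting on one of the non-standard ports named in the reports."""
    return port in SUSPECT_PORTS and BANNER_RE.match(banner.strip()) is not None

def triage(paths, reg_text, banners):
    """Run all three checks; `banners` maps port -> greeting line read from that port."""
    return {"files": check_files(paths), "registry": check_reg_export(reg_text),
            "ftp": sorted(p for p, b in banners.items() if check_banner(p, b))}

# Constructed sample host data (not from the thread): the reported drops plus benign noise
# (doscalls.dll is a legitimate OS/2 subsystem file and must not be flagged).
SAMPLE_PATHS = [r"C:\WINNT\System32\os2\dll\srunner.exe", r"C:\WINNT\System32\os2\dll\isystem32.exe",
                r"C:\WINNT\System32\os2\dll\doscalls.dll", r"C:\temp\Login.dll"]
SAMPLE_REG = "\n".join(["REGEDIT4", "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices]",
    '"Netlogging"="C:\\\\WINNT\\\\System32\\\\os2\\\\dll\\\\srunner.exe"',
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogging]", '"Start"=dword:00000002'])
SAMPLE_BANNERS = {21: "220 corp-ftp FTP service ready.", 34: "220 Serv-U FTP Server v3.0 for WinSock ready."}

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_REG, SAMPLE_BANNERS))
```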
