Security Incidents mailing list archives
Fw: Port 1975 rogue service
From: "Dean Farrington" <dean () minas-anor com>
Date: Fri, 1 Nov 2002 10:05:56 -0700
Pubstro (note the term Pubstro Uptime in the readout) is a term used by the Warez underground. What you have is an FTP server running on a non-standard port to avoid detection. Here is a reference: http://www.esec.dk/pubstro.pdf

This box has most likely been compromised and is being used to distribute pirated material. Nice that they give you counts of how many people have logged on and the amount of downloads.

Hope this helps

Dean

-----Original Message-----
From: WIlliam Kintz [mailto:bkintz () smtp aed org]
Sent: Thursday, October 31, 2002 1:20 PM
To: incidents () securityfocus com
Subject: Port 1975 rogue service

I have discovered a rogue service of some sort running on Port 1975 on one of my Win2000 boxes. Connecting to this port via a telnet gives me the below output. Anyone have any idea what this is?

TIA,
William J Kintz, CISSP, CCNA

<begin screen capture>
220-A Fire_Fly_808 Production
220-
220-
220-
220- °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_ ,°ñ░`░ñ°
220-
220- [ server time is 15:35:37 ]
220- [ server date is Thursday 31 October, 2002 ]
220- [ you are connecting from: XX.XX.XX.XX ]
220-
220- °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_ ,°ñ░`░ñ°
220-
220- [ server stats ]
220- [ pubstro uptime: 4 Days, 13 Hours, 4 Mins ]
220- [ leechers 0ver the last 24 hours: 1699 ]
220- [ leechers logged in: 1783 ]
220- [ current leechers: 2 ]
220- [ kb leeched: 11550405 kb/s ]
220- [ kb filled: 4438567 kb/s ]
220- [ hdd freespace: 768.62 kb ]
220- [ Average Bandwith used: 40.719 ]
220- [ Current Bandwith in use: 16.500 ]
220-
220 °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕╕ ,°ñ░`░ñ°

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
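Added example, not part of the original thread: a Python triage helper that takes a banner captured from an unexpected listening port, checks whether it is an FTP multi-line 220 greeting like the one in the post, and extracts the "[ key: value ]" statistics. The function names, the keyword list and the shortened sample banner are assumptions constructed for illustration.

```python
import re

# Constructed sample, modelled on the screen capture in the post (art lines
# omitted, final line invented to terminate the reply).
SAMPLE_BANNER = """\
220-A Fire_Fly_808 Production
220-
220- [ pubstro uptime: 4 Days, 13 Hours, 4 Mins ]
220- [ leechers logged in: 1783 ]
220- [ current leechers: 2 ]
220- [ hdd freespace: 768.62 kb ]
220 end of banner
"""

FTP_CONTROL_PORT = 21
# Assumed keyword list, taken from the wording of the banner in the post.
SUSPICIOUS_TERMS = ("pubstro", "leech")
# "key: value" inside brackets; the colon must be followed by whitespace so
# that clock values such as 15:35:37 are not split into key and value.
STAT_RE = re.compile(r"\[\s*([^:\]]+?)\s*:\s+(.+?)\s*\]")


def parse_ftp_greeting(raw):
    """Return the text lines of a multi-line FTP 220 reply, or None."""
    lines = raw.splitlines()
    if not lines or not re.match(r"220[ -]", lines[0]):
        return None
    body = []
    for line in lines:
        body.append(line[4:] if line.startswith("220") else line)
        if re.match(r"220( |$)", line):  # "220<space>" closes the reply
            return body
    return None  # never terminated: not a complete greeting


def triage_banner(port, raw):
    """Classify a captured banner and pull out any bracketed statistics."""
    body = parse_ftp_greeting(raw)
    if body is None:
        return {"ftp": False, "findings": [], "stats": {}}
    findings = []
    if port != FTP_CONTROL_PORT:
        findings.append("ftp-greeting-on-nonstandard-port")
    text = "\n".join(body).lower()
    findings += ["banner-term:" + t for t in SUSPICIOUS_TERMS if t in text]
    stats = {}
    for line in body:
        m = STAT_RE.search(line)
        if m:
            stats[m.group(1).lower()] = m.group(2)
    return {"ftp": True, "findings": findings, "stats": stats}
```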