Security Incidents mailing list archives

Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid


From: pj () esec dk
Date: Tue, 27 Aug 2002 12:57:12 +0200


Curt Wilson:

and then restarted IIS. I also came across two unusual instances of
"IIS.EXE" running on high TCP ports (as seen by fport)

3380  iis            ->  15666 TCP   C:\WINNT\SYSTEM32\iis.exe
3380  iis            ->  17890 TCP   C:\WINNT\SYSTEM32\iis.exe

Judging from the banner this is probably the Serv-U FTP server, which is
very popular in the Warez underground. You should search for
ServUDaemon.ini, which contains user accounts and login directories, and
ServUStartupLog.txt; often these files are not renamed.

best regards

Peter Jelver

http://www.esec.dk



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
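The search suggested in the reply above, as an added triage example that is not part of the original post: it walks a mounted copy of the suspect volume for the two file names and lists each account with its login directory. The `[USER=name|domain]` section layout with `HomeDir=` and `AccessN=` keys is an assumption about the file format, the function names are hypothetical, and the sample file is constructed.

```python
import os
import tempfile

TARGETS = {"servudaemon.ini", "servustartuplog.txt"}  # file names from the post

def find_servu_files(root):
    """Walk root and return paths whose file name matches a target, ignoring case."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TARGETS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def parse_accounts(ini_text):
    """Return {user: {"HomeDir": str or None, "Access": [str, ...]}}.

    Assumed layout: one [USER=name|domain] section per account. Lines are
    split by hand so odd or duplicate keys never abort the parse.
    """
    accounts, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None
            if section.upper().startswith("USER="):
                user = section[5:].split("|", 1)[0]
                current = accounts.setdefault(user, {"HomeDir": None, "Access": []})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            if key.lower() == "homedir":
                current["HomeDir"] = value
            elif key.lower().startswith("access"):
                current["Access"].append(value)
    return accounts

# Constructed sample, not taken from a real host.
SAMPLE_INI = r"""[Domain1]
User1=upload|1|0
[USER=upload|1]
HomeDir=D:\RECYCLER\stash
Access1=D:\RECYCLER\stash|RWAMLCDP
"""

def demo():
    """Build a constructed tree in a temp dir, then run both steps on it."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "WINNT", "SYSTEM32")
        os.makedirs(d)
        with open(os.path.join(d, "ServUDaemon.ini"), "w") as f:
            f.write(SAMPLE_INI)
        found = find_servu_files(root)
        with open(found[0], errors="replace") as f:
            return [os.path.relpath(p, root) for p in found], parse_accounts(f.read())
```

Point `find_servu_files` at a read-only mount of the disk image rather than the live system, so file timestamps are not altered.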

