Security Incidents mailing list archives
Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid
From: pj () esec dk
Date: Tue, 27 Aug 2002 12:57:12 +0200
Curt Wilson:
and then restarted IIS. I also came across two unusual instances of "IIS.EXE" running on high TCP ports (as seen by fport)
3380 iis -> 15666 TCP C:\WINNT\SYSTEM32\iis.exe
3380 iis -> 17890 TCP C:\WINNT\SYSTEM32\iis.exe
Judging from the banner this is probably the Serv-U FTP server, which is very popular in the Warez underground. You should search for ServUDaemon.ini, which contains user accounts and login directories, and ServUStartupLog.txt; often these files are not renamed.

Best regards
Peter Jelver
http://www.esec.dk

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
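The triage described in the reply above, as an added example that is not part of the original post: it parses fport lines in the layout quoted in the message, flags high-port listeners whose image is not on a baseline, and searches a directory tree for the two Serv-U file names. The function names, the 1024 port threshold, the baseline set and the inetinfo sample line are assumptions made for illustration.

```python
import os
import re

# fport line layout as quoted in the post: PID  name  ->  port  proto  path
FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# File names mentioned in the reply (compared case-insensitively).
SERVU_FILES = {"servudaemon.ini", "servustartuplog.txt"}

def parse_fport(text):
    """Return one dict per listener line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            row = m.groupdict()
            row["pid"], row["port"] = int(row["pid"]), int(row["port"])
            rows.append(row)
    return rows

def unexpected_listeners(rows, expected_images, high_port=1024):
    """Listeners above high_port whose image base name is not on the baseline."""
    expected = {name.lower() for name in expected_images}
    flagged = []
    for r in rows:
        base = r["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if r["port"] > high_port and base not in expected:
            flagged.append(r)
    return flagged

def find_servu_files(root):
    """Walk root and return paths of the Serv-U files named in the reply."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in SERVU_FILES)
    return sorted(hits)

# Constructed sample: the two lines from the post plus one hypothetical baseline listener.
SAMPLE = r"""
3380 iis -> 15666 TCP C:\WINNT\SYSTEM32\iis.exe
3380 iis -> 17890 TCP C:\WINNT\SYSTEM32\iis.exe
 820 inetinfo -> 80 TCP C:\WINNT\SYSTEM32\inetsrv\inetinfo.exe
"""

if __name__ == "__main__":
    for r in unexpected_listeners(parse_fport(SAMPLE), {"inetinfo.exe"}):
        print(r["pid"], r["port"], r["path"])
    print(find_servu_files(r"C:\WINNT"))
```

The baseline passed to `unexpected_listeners` should come from a known-good build of the same server role; the file search only catches the files when they have kept their default names.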
Current thread:
- TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid Netw3 Security Research (Aug 26)
- <Possible follow-ups>
- Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid pj (Aug 27)