Security Incidents mailing list archives
Attacks against IIS servers using ServU FTP
From: Torbjorn Wictorin <Torbjorn.Wictorin () its uu se>
Date: Tue, 8 Jan 2002 11:24:52 +0100 (CET)
Hello,
During the last weeks there have been a number of attacks against IIS
servers running under NT.
Two files are added:
%SystemRoot%\System32\os2\dll\srunner.exe probably ServiceInstaller(tm) for Windows NT 4.0
http://www.kcmultimedia.com/smaster/
%SystemRoot%\System32\os2\dll\isystem32.exe FTP-server
and possibly:
%SystemRoot%\System32\os2\dll\ServUDaemon.ini
and
c:\temp\Dir.dll and Login.dll
Infected machines (NT) seem to first have been scanned on IIS
(port 80), then port 2001 (or 2002), and then the files above show up.
On port 34 (or 33) there is an FTP server:
220 Serv-U FTP Server v3.0 for WinSock ready.
In the registry one could check:
SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
SOFTWARE\Cat Soft\Serv-U
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TestService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogging
Is this some commonly known exploit?
Torbjörn Wictorin,
Uppsala university, Sweden
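
The checks described in the message above, collected into one local triage script. This is an added example, not part of the original post. The function name `Get-PostIndicator` is hypothetical, registry paths the post gives without a hive are assumed to be under HKEY_LOCAL_MACHINE, and the listener check assumes a host where `Get-NetTCPConnection` is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: look for the indicators listed in the post on the local host.
# Assumption: registry paths posted without a hive are under HKEY_LOCAL_MACHINE.
function Get-PostIndicator {
    # Files named in the post
    $dir = Join-Path $env:SystemRoot 'System32\os2\dll'
    $files = @(
        (Join-Path $dir 'srunner.exe'),
        (Join-Path $dir 'isystem32.exe'),
        (Join-Path $dir 'ServUDaemon.ini'),
        'C:\temp\Dir.dll',
        'C:\temp\Login.dll'
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $i = Get-Item -LiteralPath $f -Force   # -Force also returns hidden files
            [pscustomobject]@{ Type = 'File'; Indicator = $f
                Detail = '{0} bytes, last written {1:u}' -f $i.Length, $i.LastWriteTimeUtc }
        }
    }
    # Registry keys named in the post; ImagePath is reported when the key has one
    $keys = 'HKLM:\SOFTWARE\Cat Soft\Serv-U',
            'HKLM:\SYSTEM\CurrentControlSet\Services\TestService',
            'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogging'
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $img = (Get-ItemProperty -LiteralPath $k -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{ Type = 'RegistryKey'; Indicator = $k; Detail = "ImagePath: $img" }
        }
    }
    # The post does not say which RunServices value to expect, so list them all for review
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    if (Test-Path -LiteralPath $run) {
        $key = Get-Item -LiteralPath $run
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Type = 'RunServices'; Indicator = $name
                Detail = [string]$key.GetValue($name) }
        }
    }
    # Listeners on the FTP ports reported in the post (34 or 33)
    Get-NetTCPConnection -State Listen -LocalPort 33, 34 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Type = 'Listener'; Indicator = "TCP/$($_.LocalPort)"
                Detail = "PID $($_.OwningProcess) $($p.Path)" }
        }
}

Get-PostIndicator | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the process path behind a listener can be resolved; an empty result means none of the listed indicators were found on that host.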
