Security Incidents mailing list archives
Attacks against IIS servers using ServU FTP
From: Torbjorn Wictorin <Torbjorn.Wictorin () its uu se>
Date: Tue, 8 Jan 2002 11:24:52 +0100 (CET)
hello, During the last weeks there has been a number of attacks against IIS servers running under NT. Two files are added:: %SystemRoot%\System32\os2\dll\srunner.exe probably ServiceInstallertm for Windows NT 4.0 http://www.kcmultimedia.com/smaster/ %SystemRoot%\System32\os2\dll\isystem32.exe FTP-server and possibly: %SystemRoot%\System32\os2\dll\ServUDaemon.ini and c:\temp\Dir.dll och Login.dll Infected machines (NT) seems to first have been scanned on IIS (port 80), then port 2001 (or 2002) and then the files above shows up. On port 34 (or 33) there is a ftp server: 220 Serv-U FTP Server v3.0 for WinSock ready. In the registry one could check: SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices SOFTWARE\Cat Soft\Serv-U HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TestService HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogging Is this some commonly known exploit? Torbjörn Wictorin, Uppsala university, Sweden ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Attacks against IIS servers using ServU FTP Torbjorn Wictorin (Jan 08)
- <Possible follow-ups>
- Re: Attacks against IIS servers using ServU FTP Matt Scarborough (Jan 09)