Penetration Testing mailing list archives
RE: Anyone know this ?
From: Christophe ROY <christophe.roy-prestataire () laposte fr>
Date: Mon, 22 Mar 2004 08:56:59 +0100
Hello

This computer has been hacked by a bad guy from an "FXP Team" named Capricorn, and he installed a Serv-U FTP Server. The low statistics may mean that this computer is too slow for up/downloading warez things (apps, games, movies and so on; this is not an HD space problem, 15 gigs is enough), so, as it's still alive, maybe this FTP is used to launch scan threads towards other IP ranges.

If you have access rights to this computer, look for a file named servudaemon.ini on the hard disk; this is the config file for the Serv-U FTP Server daemon. We can suppose Serv-U has been installed as a service too, but as I have already seen "renamed" Serv-U exes (with a hex editor), it may not be the "Serv-U FTP Server" in the services list.

Common hack ways used by FXP Teams are the IIS double-decode vulnerability, a poorly secured password for the sa user on MS SQL Server, IPC connection (poor password again for a user), etc.

Note: FXP is FTP Server to FTP Server transfers; the client (for example you) just sends the commands, traffic is directly between the 2 FTP Servers.

Christophe ROY
Security Supervisor
La Poste

-----Original Message-----
From: Smith Gary-GSMITH1 [mailto:Gary.R.Smith () motorola com]
Sent: Friday, March 19, 2004 18:16
To: 'tester pen'; pen-test () securityfocus com
Subject: RE: Anyone know this ?

Greetings,

Yes, it looks like you have found an FTP server. A pubstro is a high speed, public, distribution network set up for file distribution, probably warez or porn. The "Capricorn" is probably a knock-off of the Serv-U-FTP server. The name may have been changed to protect the guilty. Note the numbers: it's been up for > 37 days and it has had only 95KB uploaded. Obviously not a busy server. It has had no downloads in > 37 days! The server isn't very well publicized with such low statistics. It's got a reasonable amount of space devoted to its use (15GB), what little there is.
Regards,
Gary Smith

-----Original Message-----
From: tester pen [mailto:apentester () yahoo com cn]
Sent: Friday, March 19, 2004 1:37 AM
To: pen-test () securityfocus com
Subject: Anyone know this ?

Hi all.

When I was doing a pen-test on a Win2k server box, I found that TCP port 282 is open, and when I tried to telnet to it, the response is below:

220-welcome to this capricorn pubstro!
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: Welcome @ This
220-..::
220-..:: Capricorn PubStro
220-..::
220-..:: 3njoy
220-..::
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: Rulez:
220-..:: Dont Hammer
220-..:: Dont ReHack
220-..:: Dont Scan This IP Range
220-..:: Dont Delete
220-..:: No Lame One-Word Relies
220-..:: Dont RePost Or Give Infos - That Makes You A Lamer
220-..:: Have Fun
220-..::
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: Current Uptime .................: 37 Days, 9 Hours, 26 Minutes, 24 Seconds
220-..:: Total KB's Uploaded ..........: 94 KB
220-..:: Total KB's Downloaded ......: 0 KB
220-..:: Total File's Uploaded .......: 2
220-..:: Total File's Downloaded .....: 0
220-..:: Average Throughput .......: 0.000 KB/sec
220-..:: Current Bandwith .............: 0.000 KB/sec
220-..:: No Users Logged In .........: 1
220-..:: Max Allowed Users ...........: -1
220-..:: No Total users ................: 1
220-..::
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: 15992.90 MB free
220-..:: 1 users connected
220-..:: 0.000 KB/sec is in use
220-..::
220 ...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
421 Maximum session time exceeded - closing.

I googled it, both "TCP Port 282" & "Capricorn PubStro" (the keyword), but I got nothing :( It looks like an FTP server? 220, 421. Anyone who recognizes this? Thx.
Sorry for my poor English.

_________________________________________________________
Do You Yahoo!?
Completely free Yahoo! Mail: sign up now and get an extra 60 MB of online storage
http://cn.rd.yahoo.com/mail_cn/tag/?http://cn.mail.yahoo.com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Post-scriptum La Poste: This message is confidential. Subject to any agreement concluded in writing between you and La Poste, its content in no way represents a commitment on the part of La Poste. Any publication, use or distribution, even partial, must be authorised in advance. If you are not the intended recipient of this message, please notify the sender immediately.
--------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
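The banner quoted in this thread is an RFC 959 multi-line reply ("220-" continuation lines, closed by a "220 " line), and the stat lines use a fixed "key ....: value" layout. The following parser, an added example that is not part of the thread or of any tool mentioned in it, extracts those stats and flags greeting text typical of a pubstro so a defender can triage banner grabs from an internal port sweep; the keyword list is a constructed assumption, not an exhaustive signature.

```python
import re

# Sample greeting reproduced (shortened) from the post in this thread; "220-"
# marks a continuation line and "220 " the final line of the multi-line reply.
SAMPLE_BANNER = """220-welcome to this capricorn pubstro!
220-..:: Rulez:
220-..:: Dont ReHack
220-..:: Dont Scan This IP Range
220-..:: Current Uptime .................: 37 Days, 9 Hours, 26 Minutes, 24 Seconds
220-..:: Total KB's Uploaded ..........: 94 KB
220-..:: Total KB's Downloaded ......: 0 KB
220-..:: Total File's Uploaded .......: 2
220-..:: 15992.90 MB free
220 ...:::...:::...:
421 Maximum session time exceeded - closing.
"""

# Constructed, non-exhaustive list of greeting phrases that suggest a rogue
# distribution server rather than a sanctioned FTP service.
PUBSTRO_KEYWORDS = ("pubstro", "fxp", "dont rehack", "dont scan this ip range")

# "220-..:: Total KB's Uploaded ..........: 94 KB" -> key / value
STAT_LINE = re.compile(
    r"^\d{3}-\.\.::\s*(?P<key>[A-Za-z' ]+?)\s*\.{2,}:\s*(?P<value>.+?)\s*$")


def multiline_reply(text):
    """Return (code, lines) for the first RFC 959 reply in text: every line
    from the first 'NNN-' line up to and including the 'NNN ' final line."""
    lines = text.splitlines()
    if not lines or len(lines[0]) < 4 or not lines[0][:3].isdigit():
        return None, []
    code = lines[0][:3]
    body = []
    for line in lines:
        body.append(line)
        if line.startswith(code + " "):  # final line ends the reply
            break
    return code, body


def parse_banner(text):
    """Parse one greeting: reply code, line count, stat table, indicator hits."""
    code, body = multiline_reply(text)
    stats = {}
    for line in body:
        m = STAT_LINE.match(line)
        if m:
            stats[m.group("key").strip()] = m.group("value")
    lowered = "\n".join(body).lower()
    hits = [k for k in PUBSTRO_KEYWORDS if k in lowered]
    return {"code": code, "lines": len(body), "stats": stats, "indicators": hits}
```

A banner that parses as a 220 reply with an uptime/upload table and two or more indicator hits is worth checking for servudaemon.ini and an unexpected service, as Christophe suggests.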
Current thread:
- Anyone know this ? tester pen (Mar 19)
- RE: Anyone know this ? Christian Kopacsi (Mar 19)
- RE: Anyone know this ? Kevin (Mar 19)
- <Possible follow-ups>
- RE: Anyone know this ? Smith Gary-GSMITH1 (Mar 19)
- RE: Anyone know this ? Christophe ROY (Mar 22)