Attacks against IIS servers using ServU FTP

From: Torbjorn Wictorin (Torbjorn.Wictorinat_private)
Date: Tue Jan 08 2002 - 02:24:52 PST


    hello,
    
    During the last weeks there has been a number of attacks against IIS
    servers running under NT.
    
    Two files are added:
    
    %SystemRoot%\System32\os2\dll\srunner.exe 	probably ServiceInstallertm for Windows NT 4.0
    						http://www.kcmultimedia.com/smaster/
    
    %SystemRoot%\System32\os2\dll\isystem32.exe	FTP-server
    
    and possibly:
    
    %SystemRoot%\System32\os2\dll\ServUDaemon.ini
    and
    c:\temp\Dir.dll and Login.dll
    
    Infected machines (NT) seem to first have been scanned on IIS
    (port 80), then port 2001 (or 2002), and then the files above show up.
    
    On port 34 (or 33) there is an FTP server:
    
    	220 Serv-U FTP Server v3.0 for WinSock ready.
    
    In the registry one could check:
    
    SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    SOFTWARE\Cat Soft\Serv-U
    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services
    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TestService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogging
    
    
    Is this some commonly known exploit?
    
    Torbjörn Wictorin,
    Uppsala University, Sweden
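As an added example (not from the original post), a PowerShell triage script that checks a host for the indicators the message lists; it assumes the registry paths given without a hive live under HKEY_LOCAL_MACHINE and that the banner check is run on the suspected host itself.

```powershell
# Triage of a Windows host for the indicators in the post above (added example, not
# part of the original message). Assumption: registry paths given without a hive
# are under HKLM; the RunServices key itself is legitimate, so only values that
# launch from the dropped os2\dll directory are flagged.
$findings = @()

# File indicators exactly as listed in the post
$files = "$env:SystemRoot\System32\os2\dll\srunner.exe",
         "$env:SystemRoot\System32\os2\dll\isystem32.exe",
         "$env:SystemRoot\System32\os2\dll\ServUDaemon.ini",
         "C:\temp\Dir.dll", "C:\temp\Login.dll"
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Serv-U configuration key and the two service names from the post
foreach ($k in "HKLM:\SOFTWARE\Cat Soft\Serv-U",
               "HKLM:\SYSTEM\CurrentControlSet\Services\TestService",
               "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogging") {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" }
}

# RunServices values and service ImagePaths that point into the dropped directory
$run = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
if (Test-Path -LiteralPath $run) {
    (Get-ItemProperty -LiteralPath $run).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'os2\\dll' } |
        ForEach-Object { $findings += "RunServices $($_.Name) = $($_.Value)" }
}
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -match 'os2\\dll') { $findings += "service $($_.PSChildName) runs $img" }
}

# Banner grab on the ports the post names (33/34 FTP listener, 2001/2002 probe ports)
foreach ($port in 33, 34, 2001, 2002) {
    $c = New-Object Net.Sockets.TcpClient
    try {
        if ($c.ConnectAsync('127.0.0.1', $port).Wait(2000)) {
            $s = $c.GetStream(); $s.ReadTimeout = 2000
            $buf = New-Object byte[] 256
            $n = $s.Read($buf, 0, $buf.Length)
            $banner = [Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim()
            if ($banner -match 'Serv-U') { $findings += "port ${port}: $banner" }
        }
    } catch {} finally { $c.Close() }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "none of the listed indicators found" }
```

Run it from an elevated prompt so the Services hive and the os2\dll directory are readable; a hit on any line warrants imaging the host before further cleanup.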
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:11:55 PST