hello, During the last weeks there has been a number of attacks against IIS servers running under NT. Two files are added:: %SystemRoot%\System32\os2\dll\srunner.exe probably ServiceInstallertm for Windows NT 4.0 http://www.kcmultimedia.com/smaster/ %SystemRoot%\System32\os2\dll\isystem32.exe FTP-server and possibly: %SystemRoot%\System32\os2\dll\ServUDaemon.ini and c:\temp\Dir.dll och Login.dll Infected machines (NT) seems to first have been scanned on IIS (port 80), then port 2001 (or 2002) and then the files above shows up. On port 34 (or 33) there is a ftp server: 220 Serv-U FTP Server v3.0 for WinSock ready. In the registry one could check: SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices SOFTWARE\Cat Soft\Serv-U HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TestService HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogging Is this some commonly known exploit? Torbjörn Wictorin, Uppsala university, Sweden ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:11:55 PST