This appears to be an updated/modified BackGate trojan. Similarities are NT4 specific:

\os2\dll\...\<SRVANY-like tool>
\os2\dll\...\<Serv-U FTP Server>
\...\<Trojaned Winlogon process>

The Unicode or double-decode attack vector could have changed. Lack of default process isolation on IIS4 allows easy privilege elevation. Tools left behind are similar.

<http://www.incidents.org/react/unicode.php>

Matt Scarborough 2002-01-08

On Tue, 8 Jan 2002 11:24:52 +0100 (CET), Torbjorn Wictorin wrote:
>hello,
>
>During the last weeks there have been a number of attacks against IIS
>servers running under NT.
>
>Two files are added:
>
>%SystemRoot%\System32\os2\dll\srunner.exe probably ServiceInstaller(tm) for Windows NT 4.0
> http://www.kcmultimedia.com/smaster/
>
>%SystemRoot%\System32\os2\dll\isystem32.exe FTP-server
>
>and possibly:
>
>%SystemRoot%\System32\os2\dll\ServUDaemon.ini
>and
>c:\temp\Dir.dll and Login.dll
>
>Infected machines (NT) seem to first have been scanned on IIS
>(port 80), then port 2001 (or 2002), and then the files above show up.
>
>On port 34 (or 33) there is an FTP server:
>
> 220 Serv-U FTP Server v3.0 for WinSock ready.
>
>In the registry one could check:
>
>SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
>SOFTWARE\Cat Soft\Serv-U
>HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services
>HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TestService
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogging
>
>
>Is this some commonly known exploit?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
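A defender-side check over the indicators the thread lists (dropped files under os2\dll, the Serv-U and service registry keys, a RunServices entry pointing into that directory, and the Serv-U banner on the odd ports), as an added example that is not code from either poster. The file list, registry keys, RunServices values and banners it consumes are constructed sample inputs standing in for what a host survey would return; the function names and the "two indicator classes" threshold are my own assumptions.

```python
import re
# Indicators quoted from the thread above; sample data further down is constructed.
DROPPED_FILES = [r"%SystemRoot%\System32\os2\dll\srunner.exe",
                 r"%SystemRoot%\System32\os2\dll\isystem32.exe",
                 r"%SystemRoot%\System32\os2\dll\ServUDaemon.ini",
                 r"c:\temp\Dir.dll", r"c:\temp\Login.dll"]
REGISTRY_KEYS = [r"HKLM\SOFTWARE\Cat Soft\Serv-U",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\TestService",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogging"]
BANNER_RE = re.compile(r"^220 Serv-U FTP Server v3\.0 for WinSock ready\.")
SUSPECT_PORTS = {33, 34, 2001, 2002}   # FTP listener ports named in the report

def _norm(path):
    # Case-insensitive form; the report mixes '/' and '\' in key names.
    return path.replace("/", "\\").lower()
def match_files(present, system_root=r"C:\WINNT"):
    """present: absolute paths found on disk (e.g. from a directory walk)."""
    have = {_norm(p) for p in present}
    return [f for f in DROPPED_FILES
            if _norm(f.replace("%SystemRoot%", system_root)) in have]
def match_registry(present_keys):
    have = {_norm(k) for k in present_keys}
    return [k for k in REGISTRY_KEYS if _norm(k) in have]
def match_run_services(values):
    """values: {value name: command} read from the RunServices key."""
    return [n for n, cmd in values.items() if "\\os2\\dll\\" in _norm(cmd)]
def match_banners(banners):
    """banners: {port: greeting line} from a survey of local listeners."""
    return sorted(p for p, b in banners.items()
                  if p in SUSPECT_PORTS and BANNER_RE.match(b))

def assess(present, present_keys, run_values, banners, system_root=r"C:\WINNT"):
    hits = {"files": match_files(present, system_root),
            "registry": match_registry(present_keys),
            "run_services": match_run_services(run_values),
            "banners": match_banners(banners)}
    # One class of indicator is worth a look; two or more is the pattern reported.
    hits["suspicious"] = sum(1 for v in hits.values() if v) >= 2
    return hits

# Constructed survey of one host, not real data.
SAMPLE_FILES = [r"C:\WINNT\System32\os2\dll\srunner.exe",
                r"C:\WINNT\System32\os2\dll\ServUDaemon.ini",
                r"C:\WINNT\System32\notepad.exe"]
SAMPLE_KEYS = [r"HKLM\SOFTWARE\Cat Soft\Serv-U",
               r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC"]
SAMPLE_RUN = {"TestService": r"C:\WINNT\System32\os2\dll\srunner.exe"}
SAMPLE_BANNERS = {21: "220 Microsoft FTP Service (Version 4.0).",
                  34: "220 Serv-U FTP Server v3.0 for WinSock ready."}
```

Feed it the real directory listing, registry export and listener survey of a host to get a per-class hit list; a Serv-U banner on port 21 alone is deliberately not flagged, since the report ties it to ports 33/34.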
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:31:02 PST