Re: Attacks against IIS servers using ServU FTP

From: Matt Scarborough (vexversaat_private)
Date: Wed Jan 09 2002 - 07:10:53 PST


    This appears to be an updated/modified BackGate trojan. Similarities are
    
    NT4 specific
    \os2\dll\...\<SRVANY-like tool>
    \os2\dll\...\<Serv-U FTP Server>
    \...\<Trojaned Winlogon process>.
    
    The Unicode or double-decode attack vector could have changed. Lack of default
    process isolation on IIS4 allows easy privilege elevation. Tools left behind
    are similar.
    <http://www.incidents.org/react/unicode.php>
    
    Matt Scarborough 2002-01-08
    
    On Tue, 8 Jan 2002 11:24:52 +0100 (CET), Torbjorn Wictorin wrote:
    
    >hello,
    >
    >During the last weeks there has been a number of attacks against IIS
    >servers running under NT.
    >
    >Two files are added:
    >
    >%SystemRoot%\System32\os2\dll\srunner.exe      probably ServiceInstaller(tm) for Windows NT 4.0
    >                                                http://www.kcmultimedia.com/smaster/
    >
    >%SystemRoot%\System32\os2\dll\isystem32.exe	FTP-server
    >
    >and possibly:
    >
    >%SystemRoot%\System32\os2\dll\ServUDaemon.ini
    >and
    >c:\temp\Dir.dll and Login.dll
    >
    >Infected machines (NT) seem to first have been scanned on IIS
    >(port 80), then port 2001 (or 2002), and then the files above show up.
    >
    >On port 34 (or 33) there is a ftp server:
    >
    >	220 Serv-U FTP Server v3.0 for WinSock ready.
    >
    >In the registry one could check:
    >
    >HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    >HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\Serv-U
    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TestService
    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogging
    >
    >
    >Is this some commonly known exploit?
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
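    The thread lists three kinds of indicator for this intrusion: files dropped
    under %SystemRoot%\System32\os2\dll\, registry keys (the Serv-U vendor key and
    two rogue service entries), and a Serv-U banner on an unusual port. The script
    below is an added example, not code from either poster, that turns those
    indicators into a host triage check. It runs for real only on Windows (it uses
    the standard-library winreg module and a local banner grab), so it also
    carries a constructed HostSnapshot so the matching logic can be exercised
    offline; the snapshot layout, the function names and the sample data are all
    assumptions of this example. Two caveats a responder should keep in mind: the
    Cat Soft\Serv-U key and the banner also match a legitimately installed
    Serv-U, so a hit is a lead rather than a verdict, and an attacker who renames
    the binaries or changes the port will not trip the file or port checks.

```python
"""Host triage for the Serv-U / BackGate-style indicators described in the thread."""
import os
import platform
import re
import socket
from dataclasses import dataclass

# Indicators taken from the thread. File paths are relative to
# %SystemRoot%\System32; registry keys are relative to HKEY_LOCAL_MACHINE.
DROPPED_FILES = (
    r"os2\dll\srunner.exe",      # SRVANY-like service installer
    r"os2\dll\isystem32.exe",    # renamed Serv-U FTP daemon
    r"os2\dll\ServUDaemon.ini",  # Serv-U configuration file
)
REGISTRY_KEYS = (
    r"SOFTWARE\Cat Soft\Serv-U",
    r"SYSTEM\CurrentControlSet\Services\TestService",
    r"SYSTEM\CurrentControlSet\Services\Netlogging",
)
SUSPECT_PORTS = (33, 34, 2001, 2002)   # rogue FTP ports and the pre-scan ports
SERVU_BANNER = re.compile(r"^220 Serv-U FTP Server v[\d.]+ for WinSock ready", re.I)


@dataclass
class HostSnapshot:
    """What triage() needs from a host (assumed layout; built by collect_local() or by hand)."""
    files_present: set       # relative paths under System32 that exist
    hklm_keys_present: set   # HKLM subkeys that exist
    banners: dict            # TCP port -> first line read from it


def is_servu_banner(line: str) -> bool:
    """True for the '220 Serv-U FTP Server v3.0 for WinSock ready.' greeting."""
    return bool(SERVU_BANNER.match(line.strip()))


def normalize_key(key: str) -> str:
    """Accept the post's mixed HKLM\\ and HKLM/ spellings; drop the hive prefix."""
    key = key.replace("/", "\\").strip("\\")
    for hive in ("HKEY_LOCAL_MACHINE\\", "HKLM\\"):
        if key.upper().startswith(hive):
            key = key[len(hive):]
    return key.lower()


def triage(snap: HostSnapshot) -> list:
    """Return one finding string per indicator present in the snapshot."""
    findings = []
    present_files = {p.lower() for p in snap.files_present}
    for rel in DROPPED_FILES:
        if rel.lower() in present_files:
            findings.append(f"file: %SystemRoot%\\System32\\{rel}")
    present_keys = {normalize_key(k) for k in snap.hklm_keys_present}
    for key in REGISTRY_KEYS:
        if normalize_key(key) in present_keys:
            findings.append(f"registry: HKLM\\{key}")
    for port, banner in sorted(snap.banners.items()):
        if is_servu_banner(banner):
            tag = "suspect port" if port in SUSPECT_PORTS else "port"
            findings.append(f"{tag} {port}: {banner.strip()}")
    return findings


def collect_local(system32=None, ports=SUSPECT_PORTS, timeout=2.0) -> HostSnapshot:
    """Build a snapshot from the Windows host this runs on (uses winreg; assumption)."""
    if platform.system() != "Windows":
        raise RuntimeError("collect_local() only works on Windows")
    import winreg
    system32 = system32 or os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "System32")
    files = {rel for rel in DROPPED_FILES if os.path.exists(os.path.join(system32, rel))}
    keys = set()
    for key in REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            keys.add(key)
        except OSError:
            pass
    banners = {}
    for port in ports:   # grab whatever greets us on the loopback side of each port
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
                banners[port] = s.recv(256).decode("latin-1", "replace")
        except OSError:
            pass
    return HostSnapshot(files, keys, banners)


# Constructed sample data (not captured from a real host) so triage() runs offline.
SAMPLE_INFECTED = HostSnapshot(
    files_present={r"os2\dll\srunner.exe", r"os2\dll\isystem32.exe", r"os2\dll\ServUDaemon.ini"},
    hklm_keys_present={"SOFTWARE/Cat Soft/Serv-U",
                       r"SYSTEM\CurrentControlSet\Services\Netlogging",
                       r"SYSTEM\CurrentControlSet\Services\Browser"},
    banners={34: "220 Serv-U FTP Server v3.0 for WinSock ready.\r\n",
             21: "220 Microsoft FTP Service (Version 4.0).\r\n"},
)
SAMPLE_CLEAN = HostSnapshot(set(), {r"SYSTEM\CurrentControlSet\Services\Browser"},
                            {21: "220 Microsoft FTP Service (Version 4.0)."})

if __name__ == "__main__":
    snap = collect_local() if platform.system() == "Windows" else SAMPLE_INFECTED
    for line in triage(snap) or ["no indicators found"]:
        print(line)
```

    On a non-Windows box the script just runs the matcher over the constructed
    infected snapshot; on an NT host it reads the real files, keys and loopback
    banners. Run it against the RunServices and Services keys as well if you want
    to see which entry actually launches the daemon; the thread names those keys
    but gives no value to match on, so the example does not guess one.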
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:31:02 PST