Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid

From: pjat_private
Date: Tue Aug 27 2002 - 03:57:12 PDT


    Curt Wilson:
    
    >and then restarted IIS. I also came across two unusual instances of
    >"IIS.EXE" running on high TCP ports (as seen by fport)
    
    >3380  iis            ->  15666 TCP   C:\WINNT\SYSTEM32\iis.exe
    >3380  iis            ->  17890 TCP   C:\WINNT\SYSTEM32\iis.exe
    
    Judging from the banner this is probably the Serv-U FTP server, which is
    very popular in the Warez underground. You should search for
    ServUDaemon.ini, which contains user accounts and login directories, and
    ServUStartupLog.txt; often these files are not renamed.
    
    best regards
    
    Peter Jelver
    
    http://www.esec.dk
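
The search suggested in the message above, sketched as an added example that is not part of the original post: it walks a directory tree (a live volume or a mounted image) for the two file names and lists each account with its login directory. The `[USER=name|domain]` / `HomeDir=` layout and all sample values are assumptions constructed for illustration.

```python
import os, re, tempfile

# File names from the message; matched in lower case so a case-sensitive mount still hits.
TARGETS = {"servudaemon.ini", "servustartuplog.txt"}

# Constructed sample. The [USER=name|domain] / HomeDir= layout is an
# assumption about the ini format, not something the message shows.
SAMPLE_INI = r"""[Domain1]
User1=upload|1|0
User2=leech|1|0
[USER=upload|1]
HomeDir=c:\winnt\system32\constructed\incoming
[USER=leech|1]
HomeDir=c:\recycler\constructed
"""

def find_servu_files(root):
    """Return sorted paths under root whose file name is in TARGETS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() in TARGETS]
    return sorted(hits)

def parse_accounts(ini_text):
    """Map account name -> login directory (None if no HomeDir line)."""
    accounts, current = {}, None
    for line in (raw.strip() for raw in ini_text.splitlines()):
        user = re.match(r"\[USER=([^|\]]+)", line, re.IGNORECASE)
        if user:
            current = user.group(1)
            accounts[current] = None
        elif line.startswith("["):
            current = None  # left the user section
        elif current and line.lower().startswith("homedir="):
            accounts[current] = line.split("=", 1)[1]
    return accounts

def demo():
    """Plant the sample in a temp tree, find it, and list its accounts."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "WINNT", "system32", "SERVUDAEMON.INI")
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write(SAMPLE_INI)
        found = find_servu_files(root)
        with open(found[0]) as fh:
            return len(found), parse_accounts(fh.read())

if __name__ == "__main__": print(demo())
```
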
    
    
    
    


