Curt Wilson:

>and then restarted IIS. I also came across two unusual instances of
>"IIS.EXE" running on high TCP ports (as seen by fport)
>3380 iis -> 15666 TCP C:\WINNT\SYSTEM32\iis.exe
>3380 iis -> 17890 TCP C:\WINNT\SYSTEM32\iis.exe

Judging from the banner this is probably the Serv-U FTP server, which is
very popular in the Warez underground. You should search for
ServUDaemon.ini, which contains user accounts and login directories, and
ServUStartupLog.txt; often these files are not renamed.

best regards
Peter Jelver
http://www.esec.dk

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 11:36:40 PDT
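One way to run the file search suggested in the reply during triage, as an added example that is not part of the original message: it flags the two file names and also catches a renamed configuration file by its content. The `[USER=name|n]` section and `HomeDir=` key layout is an assumption about the Serv-U ini format, and the sample content and file names in `demo()` are constructed.

```python
import os
import re
import tempfile

KNOWN_NAMES = {"servudaemon.ini", "servustartuplog.txt"}
# Assumption: accounts are ini sections "[USER=name|n]" with a "HomeDir=" key.
USER_SECTION = re.compile(r"^\[USER=([^|\]]+)\|[^\]]*\]$", re.I)
MAX_BYTES = 1_000_000  # skip content checks on larger files
# Constructed sample content, not taken from the incident.
SAMPLE_INI = "[DOMAINS]\n[USER=leech|1]\nHomeDir=c:\\recycler\\pub\n"

def parse_accounts(text):
    """Return [(user, home_dir)] for each account section in ini text."""
    accounts, in_user = [], False
    for line in (l.strip() for l in text.splitlines()):
        m = USER_SECTION.match(line)
        if m:
            accounts.append([m.group(1), None])
            in_user = True
        elif line.startswith("["):
            in_user = False
        elif in_user and line.lower().startswith("homedir="):
            accounts[-1][1] = line.split("=", 1)[1]
    return [tuple(a) for a in accounts]

def find_servu_artifacts(root):
    """Report files matching by name, or by content when renamed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, accounts = os.path.join(dirpath, name), []
            try:
                if os.path.getsize(path) <= MAX_BYTES:
                    with open(path, encoding="latin-1") as fh:
                        accounts = parse_accounts(fh.read())
            except OSError:
                pass  # locked or unreadable file: fall back to the name check
            by_name = name.lower() in KNOWN_NAMES
            if by_name or accounts:
                hits.append({"path": path, "renamed": not by_name, "accounts": accounts})
    return sorted(hits, key=lambda h: h["path"])

def demo():
    """Build a constructed tree with one renamed ini and one startup log."""
    root = tempfile.mkdtemp()
    for name, body in [("drivers.dat", SAMPLE_INI), ("ServUStartupLog.txt", "started\n"), ("readme.txt", "hi\n")]:
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return find_servu_artifacts(root)
```

Run it against a mounted image or a copy of the volume rather than the live system, so file access times on the evidence are not altered.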