Fw: Port 1975 rogue service

From: Dean Farrington (dean@minas-anor.com)
Date: Fri Nov 01 2002 - 09:05:56 PST


    Pubstro (note the term Pubstro Uptime in the readout) is a term used by the
    Warez underground. What you have is an FTP server running on a non-standard
    port to avoid detection.
    Here is a reference: http://www.esec.dk/pubstro.pdf
    
    This box has most likely been compromised and is being used to distribute
    pirated material. Nice that they give you counts of how many people have
    logged on and the amount of downloads.
    
    Hope this helps
    
    Dean
    
    -----Original Message-----
    From: WIlliam Kintz [mailto:bkintzat_private]
    Sent: Thursday, October 31, 2002 1:20 PM
    To: incidentsat_private
    Subject: Port 1975 rogue service
    
    I have discovered a rogue service of some sort running
    on Port 1975 on one of my Win2000 boxes. Connecting to
    this port via a telnet gives me the below output.
    Anyone have any idea what this is?
    
    TIA,
    
    William J Kintz, CISSP, CCNA
    
    <begin screen capture>
    
    220-A Fire_Fly_808 Production
    220-
    220-
    220-
    220-
    °ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_,°ñ▒`▒ñ°
    220-
    220-             [ server time is 15:35:37  ]
    220-             [ server date is Thursday 31 October, 2002  ]
    220-             [ you are connecting from: XX.XX.XX.XX  ]
    220-
    220-
    °ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_,°ñ▒`▒ñ°
    220-
    220-             [ server stats  ]
    220-             [ pubstro uptime: 4 Days, 13 Hours, 4 Mins  ]
    220-             [ leechers 0ver the last 24 hours: 1699  ]
    220-             [ leechers logged in: 1783  ]
    220-             [ current leechers: 2  ]
    220-             [ kb leeched: 11550405 kb/s  ]
    220-             [ kb filled: 4438567 kb/s  ]
    220-             [ hdd freespace: 768.62 kb  ]
    220-             [ Average Bandwith used: 40.719  ]
    220-             [ Current Bandwith in use: 16.500  ]
    220-
    220
    °ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕╕,°ñ▒`▒ñ°
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    

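A defender's check for the kind of banner William captured, added here as an example that is not part of the thread: it parses the FTP multi-line 220 greeting (RFC 959), pulls out the bracketed stats, and flags the pubstro vocabulary Dean points to. The sample banner is constructed from the capture above with the connecting IP replaced by a documentation address and the art shortened; the telnet capture is assumed to have been saved as text.

```python
import re

# Constructed sample modelled on the banner quoted in the thread (IP replaced, art shortened).
SAMPLE_BANNER = """220-A Fire_Fly_808 Production
220-
°ñ▒`▒ñ°,╕_╕,°ñ▒`▒ñ°,╕_╕
220-             [ server time is 15:35:37  ]
220-             [ you are connecting from: 192.0.2.10  ]
220-             [ server stats  ]
220-             [ pubstro uptime: 4 Days, 13 Hours, 4 Mins  ]
220-             [ leechers 0ver the last 24 hours: 1699  ]
220-             [ current leechers: 2  ]
220-             [ kb filled: 4438567 kb/s  ]
220-             [ hdd freespace: 768.62 kb  ]
220
"""
# Vocabulary of warez-scene FTP daemons; a stock FTP server greeting does not use it.
PUBSTRO_MARKERS = ("pubstro", "leech", "filled")

def parse_ftp_greeting(text):
    """RFC 959 multi-line reply: 'NNN-' lines continue until a line starting 'NNN ' (or a
    bare 'NNN'); continuation lines need not repeat the code. Returns (code, body), or
    (None, []) when the data is not an FTP reply at all."""
    lines = text.splitlines()
    m = re.match(r"^(\d{3})([- ]|$)", lines[0]) if lines else None
    if not m:
        return None, []
    code, body = m.group(1), []
    for line in lines:
        body.append(line[4:] if line.startswith(code) else line)  # strip 'NNN-' / 'NNN '
        if re.match(rf"^{code}( |$)", line):  # terminal line of the reply
            break
    return code, body

def extract_stats(body):
    """Collect the '[ key: value ]' fields the daemon prints into a dict (keys lower-cased)."""
    stats = {}
    for line in body:
        m = re.search(r"\[\s*([^\]]+?):\s+(.+?)\s*\]", line)
        if m:
            stats[m.group(1).strip().lower()] = m.group(2)
    return stats

def classify_banner(text):
    """Flag a greeting as FTP and/or pubstro-like; returns the markers found and parsed stats."""
    code, body = parse_ftp_greeting(text)
    joined = "\n".join(body).lower()
    markers = [w for w in PUBSTRO_MARKERS if w in joined]
    return {"is_ftp": code == "220", "pubstro": bool(markers),
            "markers": markers, "stats": extract_stats(body)}
```

Running `classify_banner` over greetings collected from every listener on a host gives a quick triage list; anything that is FTP on a port other than 21 and carries these markers deserves the compromise assumption Dean describes.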


    This archive was generated by hypermail 2b30 : Sat Nov 02 2002 - 16:43:34 PST