Re: Compromised Win2000 machine.

From: ghb the irrepressible
Date: 05/29/02

Date: 29 May 2002 03:42:17 -0000
From: ghb the irrepressible <>

In-Reply-To: <>


This post is a perfect example of current script kiddy
trends. If you join any of the larger channels on,, and so forth, you will
see that all of the 'leech fserves' in these channels are
compromised windows machines. (usually .edu's).

I would wager that these groups are hacking win2k boxes on
fast networks en masse, using something lame and well
known like the Unicode or HTR exploit (for shame!) or
possibly the recent .ASP exploit.

These groups are compiling their own rootkit/backdoors from
well-documented open source utilities such as DSNX
( The main function of these backdoors, as
you have seen, is to provide remote FTP access to the
compromised host (for uploading more 0day warez and DIVX
movies), run an identd server if required, and connect to a
pre-configured IRC network and channel. The server then
acts as an irc Fserve, allowing anyone in the channel to
queue up files to download.

I would also wager that port 99 is a copy of ncx99.exe -
this was used as the default bindport for a couple of win32
exploits (original iishack?) It is a modified version of
nc.exe configured to spawn a cmd.exe shell on port 99. This
simple backdoor is favored by script kiddies and the like
because it does not require any command line arguments.

These groups often advertise their efforts in the channel
topics on - ">100 .edu 100mbit bots! Leech!
Latest releases!" They also advertise "we need couriers,
dumps, carders, rooters (?), coders and rippers - contact
Maybe someone should join these channels, #warez-excell
etc, and scan all the fserve hosts for ports 99 and 4160...
if port 99 is indeed a netcat/cmd.exe backdoor, a script
could be written to mass-patch or disable these IRC bots ;)

They deserve it for being so damn open about their
activities. Warez kids used to have a clue!

I remain


> Today I found a windows machine located in our dorms that had
> been compromised, but unlike most of the compromised machines I see come
> out of the dorms the Admin password was actually set and it was set to
> something other than NULL or Administrator. The attacker set up 2
> Serv-U ftpd's on the host on high ports 23432 and 65531 to be exact,
> they also installed a warez eggdrop bot that connects to the newnet IRC
> Network and serves via the #warez-excell channel.

