Re: TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid

From: pj@esec.dk
Date: 08/27/02


To: incidents@securityfocus.com
Date: Tue, 27 Aug 2002 12:57:12 +0200


Curt Wilson:

>and then restarted IIS. I also came across two unusual instances of
>"IIS.EXE" running on high TCP ports (as seen by fport)

>3380 iis -> 15666 TCP C:\WINNT\SYSTEM32\iis.exe
>3380 iis -> 17890 TCP C:\WINNT\SYSTEM32\iis.exe

Judging from the banner this is probably the Serv-U FTP server, which is
very popular in the Warez underground. You should search for
ServUDaemon.ini, which contains user accounts and login directories, and
ServUStartupLog.txt; often these files are not renamed.

best regards

Peter Jelver

http://www.esec.dk
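
The file search suggested in the reply above, as an added example that is not part of the original post: it walks a mounted copy of the disk for the two file names, lists the executables sitting beside each hit, and pulls account names and home directories out of the ini. The `[USER=...]` section and `HomeDir=` key layout, the function names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# File names given in the post; matched case-insensitively because NTFS is.
TARGETS = {"servudaemon.ini", "servustartuplog.txt"}
# Assumed layout: one "[USER=<name>|<domain>]" section per account.
USER_SECTION = re.compile(r"^\[USER=([^|\]]+)", re.IGNORECASE)

def find_servu_files(root):
    """Return sorted paths under root whose file name is one of TARGETS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() in TARGETS]
    return sorted(hits)

def parse_accounts(ini_path):
    """Return {user: home_dir} from a ServUDaemon.ini (assumed key: HomeDir=)."""
    accounts, user = {}, None
    with open(ini_path, encoding="latin-1") as fh:
        for line in fh:
            line = line.strip()
            m = USER_SECTION.match(line)
            if m:
                user = m.group(1)
                accounts[user] = None
            elif line.startswith("["):
                user = None  # left the user section
            elif user and line.lower().startswith("homedir="):
                accounts[user] = line.split("=", 1)[1]
    return accounts

def neighbours(path):
    """List executables beside a hit; the daemon itself may be renamed."""
    folder = os.path.dirname(path)
    return sorted(f for f in os.listdir(folder) if f.lower().endswith(".exe"))

def build_sample(root):
    """Constructed sample tree standing in for a mounted copy of the disk."""
    d = os.path.join(root, "WINNT", "SYSTEM32")
    os.makedirs(d)
    ini = "[GLOBAL]\nVersion=x\n[USER=constructed_user|1]\nPassword=xx\nHomeDir=c:\\constructed\\dir\n"
    for name, body in (("ServUDaemon.INI", ini), ("iis.exe", ""), ("notes.txt", "")):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for hit in find_servu_files(build_sample(tempfile.mkdtemp())):
        print(hit, neighbours(hit), parse_accounts(hit))
```

Run it against a read-only mount or image of the affected system rather than the live host, passing that mount point to `find_servu_files` in place of the sample tree.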
