RE: Strange services.exe file

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 12/11/03

  • Next message: Graeme Fowler: "RE: Strange SNMP probes suddenly appearing"
    Date: Thu, 11 Dec 2003 05:18:56 -0800 (PST)
    To: incidents@securityfocus.com
    
    

    I'd also recommend openports.exe from DiamondCS...it's
    a bit more comprehensive than fport, AND it doesn't
    require an admin account to run.

    --- Josh.Berry@compucom.com wrote:
    > I have seen lots of Trojans that are named services.exe. Many of them
    > have been different variations of Serv-U FTP server. I use fport from
    > Foundstone to see what ports the executable is listening on and what
    > servers/ports it is connecting to.
    >
    > -----Original Message-----
    > From: Dano [mailto:dan@thejamzone.com]
    > Sent: Monday, December 08, 2003 4:40 PM
    > To: incidents@securityfocus.com
    > Subject: Strange services.exe file
    >
    > Hello, I came across a strange services.exe file in WinXP and don't know
    > how it got there. This services.exe landed in the root
    > c:\windows\services.exe with a hidden attrib flag set. There was also a
    > registry key set at HKLM/software/microsoft/windows/currentversion/run
    > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
    > do was send data back to hosts dhcp-ve3-101.cable.amis.net
    > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
    > progress of dissecting this to find out what exactly it does. Does anyone
    > know anything about this?
    >
    > Thanks
    > Dan
    ----------------------------------------------------------------------------
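
Added example, not part of the original messages: a Python triage sketch that reads `reg query`-style output for the Run key and flags entries whose executable carries the name of a core Windows process but sits outside System32, as with the `C:\WINDOWS\services.exe -i` value reported above. The process-name list, the `C:\Windows` install path and the sample export are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: names of core Windows binaries that normally live in System32.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "spoolsv.exe"}
# Assumption: Windows is installed in C:\Windows.
EXPECTED_DIR = r"c:\windows\system32"

# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    services    REG_SZ    C:\WINDOWS\services.exe -i
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    PrintHelper    REG_SZ    C:\WINDOWS\system32\spoolsv.exe
"""

LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(?P<data>\S.*)$")

def image_path(command):
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):          # quoted path: take up to closing quote
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(None, 1)[0]

def normalise(path):
    """Lower-case, expand common variables and collapse the path."""
    p = path.lower().replace("/", "\\")
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return ntpath.normpath(p)

def suspicious_run_entries(reg_output):
    """List (value name, path) pairs that reuse a system name elsewhere."""
    findings = []
    for line in reg_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # key header or blank line
        path = normalise(image_path(m.group("data")))
        directory, exe = ntpath.split(path)
        if exe in SYSTEM_NAMES and directory != EXPECTED_DIR:
            findings.append((m.group("name"), path))
    return findings

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE))
```

A hit is a lead for closer inspection of the file (attributes, hash, open ports), not proof of compromise.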

