Re: ftp warez server snake ?

• Previous message: H Carvey: "Re: ftp warez server snake ?"
• In reply to: Andreas Putzo: "ftp warez server snake ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Andreas Putzo" <andreas@inferno.nadir.org>
Date: Tue, 7 Dec 2004 20:30:09 -0500

Most of the rootkits I run into that spread via IRC and shares seem to use
the Serv-U FTP server, for what it's worth. Most all IRC rootkits seem to
answer identd also, there are a million of 'em out there, probably it's a
typical ServU-mIRC modified kit.

----- Original Message -----
From: "Andreas Putzo" <andreas@inferno.nadir.org>
To: <incidents@securityfocus.com>
Sent: Tuesday, December 07, 2004 4:14 PM
Subject: ftp warez server snake ?

> Hello,
>
> today i found an ftp server listening on port 5800 on a windows box.
> Anonymous login is not allowed. I tried a few name/pass combos without
luck.
> I believe, it's a pubstro used for warez, but i don't have physical access
to
> confirm this.
>
> # ftp 194.xx.x.xx 5800
> Connected to 194.xx.x.xx.
> 220 Snake Server
> Name (194.xx.x.xx:root): snake
> 331 User name okay, need password.
> Password:
> 530 Not logged in.
> Login failed.
> Remote system type is habe.
> ftp>
>
> There is also an auth server listening, providing me this:
>
> # nc 194.xx.x.xxx 113
>
> : USERID : UNIX : ekwaxtjm
>
>
> I googled a bit, but found nothing useful.
>
> Anyone recognize this one?
>
>
> regards,
> Andreas
>
>

• Previous message: H Carvey: "Re: ftp warez server snake ?"
• In reply to: Andreas Putzo: "ftp warez server snake ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]