Re: IRC bot?

From: Florian Stark (ai0252_at_umwelt-campus.de)
Date: 09/16/03

  • Next message: Jon Hart: "mysql as a file upload/download vector"
    Date: Tue, 16 Sep 2003 19:36:19 +0200
    To: Bryan Miller <BMiller@sycomtech.com>
    
    

    It looks like the modified banner of a ServU ftp daemon. The ServU ftp
    daemon is often used in Windows rootkits. I saw these things quite often
    on systems which are used as warez servers by fxp-groups. Inform your
    customer and be aware of rootkits. Good luck!

    Florian Stark - ai0252@umwelt-campus.de - ICQ: 158127137

    Bryan Miller wrote:

    >During a pen test yesterday I came across TCP port 6501. Upon connecting to it via Netcat, I received the following screen:
    >
    >220-W4A BotServ 2.0
    >220-==============================================
    >220-You are Connecting From x.x.x.x
    >220-The Local time is 23:20:03,
    >220-14 users have visited in the last 24 hours.
    >220-This server has been running for
    >220-39 Days, 13 Hours, 28 Mins, 6 Secs
    >220-==============================================
    >220-Amout of Logins Since Server Started: 0 total
    >220-Logged in Users: 1
    >220-Total Kb downloaded: 0 Kb
    >220-Total Kb uploaded: 0 Kb
    >220-Amout of Files downloaded: 0
    >220-Amout of Files uploaded: 0
    >220-Average Speed: 0.000 Kb/sec
    >220-Current Speed: 0.000 Kb/sec
    >220-Free Disk Space: 187.18 MB
    >220 ==============================================
    >
    >Has anyone seen this before? Am I correct in assuming it's some form of IRC bot? If so, how do I talk to it to verify? Does it have some interesting uses?
    >
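
The banner quoted above has the shape of a multi-line FTP 220 reply (RFC 959: `220-` continues, `220 ` ends) on a non-standard port, which is what separates an FTP daemon from an IRC bot. The following is an added example, not part of the original thread, that applies this check to banner-grab output; the function names, finding labels and phrase list are assumptions made for illustration.

```python
import re

# RFC 959 reply lines: "220-text" continues the reply, "220 text" ends it.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
# Phrases from the banner quoted in this thread (a heuristic, not a signature set).
STATS_PHRASES = ("users have visited", "server has been running", "free disk space")
# Constructed sample: the quoted banner, abridged.
SAMPLE = "\r\n".join([
    "220-W4A BotServ 2.0",
    "220-14 users have visited in the last 24 hours.",
    "220-This server has been running for",
    "220-39 Days, 13 Hours, 28 Mins, 6 Secs",
    "220-Free Disk Space: 187.18 MB",
    "220 ==============================================",
]) + "\r\n"

def parse_greeting(raw):
    """Return (code, text_lines) for a complete FTP reply, else None."""
    lines = [l.rstrip("\r") for l in raw.split("\n") if l.strip()]
    first = REPLY_LINE.match(lines[0]) if lines else None
    if not first:
        return None
    code, sep, text = first.groups()
    texts = [text]
    if sep == " ":
        return code, texts  # single-line reply
    for line in lines[1:]:
        m = REPLY_LINE.match(line)
        if m and m.group(1) == code:
            texts.append(m.group(3))
            if m.group(2) == " ":
                return code, texts  # terminating "code<space>" line
        else:
            texts.append(line)  # continuation lines may omit the code
    return None  # reply was cut off before its last line

def triage(port, raw):
    """Label a banner grabbed from `port`; returns a list of findings."""
    parsed = parse_greeting(raw)
    if not parsed or parsed[0] != "220":
        return []
    findings = ["ftp-greeting"]
    if port != 21:
        findings.append("non-standard-port")
    body = " ".join(parsed[1]).lower()
    if sum(p in body for p in STATS_PHRASES) >= 2:
        findings.append("stats-banner")
    return findings

print(triage(6501, SAMPLE))
```
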


