RE: Anyone know this ?

From: Christophe ROY (christophe.roy-prestataire_at_laposte.fr)
Date: 03/22/04

    Date: Mon, 22 Mar 2004 08:56:59 +0100
    To: 'Smith Gary-GSMITH1' <Gary.R.Smith@motorola.com>
    
    
    

    Hello

    This computer has been hacked by a bad guy from an "FXP Team" named Capricorn, and he installed a Serv-U FTP Server. The low statistics may mean that this computer is too slow for up/downloading warez (apps, games, movies and so on; this is not a disk space problem, 15 gigs is enough), so, as it is still alive, maybe this FTP is used to launch scan threads towards other IP ranges.
    If you have access rights to this computer, look for a file named servudaemon.ini on the hard disk; this is the config file for the Serv-U FTP Server daemon. We can suppose Serv-U has been installed as a service too, but as I have already seen "renamed" Serv-U exes (with a hex editor), it may not appear as "Serv-U FTP Server" in the services list.
    Common hacking methods used by FXP teams are the IIS double-decode vulnerability, a weak password for the sa user on MS SQL Server, IPC connections (weak password again for a user), etc.

    Note: FXP is FTP-server-to-FTP-server transfer; the client (for example you) just sends the commands, and the traffic goes directly between the 2 FTP servers.

    Christophe ROY
    Security Supervisor
    La Poste
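As an added example that is not part of this thread: a small Python triage helper that parses a multi-line FTP greeting of the kind quoted further down (RFC 959 "220-" continuation lines ending in a "220 " line), pulls out the uptime and transfer statistics Gary reads off it, and flags the "pubstro" phrasing so a responder can record why a banner was judged suspicious. The sample greeting is constructed and abridged from the quoted one, and the marker list is an assumption about what a responder would look for.

```python
import re

# Constructed sample, abridged from the greeting quoted in this thread.
SAMPLE_BANNER = """220-welcome to this capricorn pubstro!
220-..:: Rulez:
220-..:: Dont Hammer
220-..:: Dont ReHack
220-..:: Dont Scan This IP Range
220-..:: Current Uptime .................: 37 Days, 9 Hours, 26 Minutes, 24 Seconds
220-..:: Total KB's Uploaded ..........: 94 KB
220-..:: Total KB's Downloaded ......: 0 KB
220-..:: 15992.90 MB free
220 ...:::...:::...:::
421 Maximum session time exceeded - closing.
"""

# Assumed phrases typical of warez "pubstro" greetings rather than of a legitimate service.
PUBSTRO_MARKERS = ("pubstro", "fxp", "rehack", "dont scan", "warez", "3njoy")


def parse_greeting(raw):
    """Return the text of a multi-line 220 reply: '220-' lines continue it, '220 ' ends it."""
    lines = []
    for line in raw.splitlines():
        if line.startswith("220-"):
            lines.append(line[4:])
        elif line.startswith("220 ") or line == "220":
            lines.append(line[4:])
            break            # final line of the reply; anything after it is another reply
        else:
            break            # not a 220 greeting at all
    return lines


def triage_banner(raw):
    """Classify a captured greeting and extract the stats a responder would note down."""
    low = "\n".join(parse_greeting(raw)).lower()
    hits = [m for m in PUBSTRO_MARKERS if m in low]
    stats = {}
    m = re.search(r"uptime[ .]*:\s*(\d+)\s*days", low)
    if m:
        stats["uptime_days"] = int(m.group(1))
    for key, label in (("kb_uploaded", "uploaded"), ("kb_downloaded", "downloaded")):
        m = re.search(r"kb's " + label + r"[ .]*:\s*(\d+)\s*kb", low)
        if m:
            stats[key] = int(m.group(1))
    # Two independent markers are required so a single stray word does not trigger a hit.
    return {"suspicious": len(hits) >= 2, "markers": hits, "stats": stats}
```

Paste the output of a telnet session against a host you administer into `triage_banner` to get the verdict and the figures for the incident record.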

    -----Original Message-----
    From: Smith Gary-GSMITH1 [mailto:Gary.R.Smith@motorola.com]
    Sent: Friday, 19 March 2004 18:16
    To: 'tester pen'; pen-test@securityfocus.com
    Subject: RE: Anyone know this ?

    Greetings,

    Yes, it looks like you have found an FTP server. A pubstro is a high speed,
    public, distribution network set up for file distribution, probably warez or
    porn. The "Capricorn" is probably a knock-off of the Serv-U-FTP server. The
    name may have been changed to protect the guilty. Note the numbers, it's
    been up for > 37 days and it has had only 95KB uploaded. Obviously not a
    busy server. It has had no downloads in > 37 days! The server isn't very
    well publicized with such low statistics. It's got a reasonable amount of
    space devoted to its use (15GB), what little there is.

    Regards,

    Gary Smith

    -----Original Message-----
    From: tester pen [mailto:apentester@yahoo.com.cn]
    Sent: Friday, March 19, 2004 1:37 AM
    To: pen-test@securityfocus.com
    Subject: Anyone know this ?

    Hi all.
    When I was doing a pen-test on a Win2k server box, I found that port TCP 282
    is open, and when I tried to telnet to it, the response is below:
     
    220-welcome to this capricorn pubstro!
    220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
    220-..::
    220-..:: Welcome @ This
    220-..::
    220-..:: Capricorn PubStro
    220-..::
    220-..:: 3njoy
    220-..::
    220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
    220-..::
    220-..:: Rulez:
    220-..:: Dont Hammer
    220-..:: Dont ReHack
    220-..:: Dont Scan This IP Range
    220-..:: Dont Delete
    220-..:: No Lame One-Word Relies
    220-..:: Dont RePost Or Give Infos - That Makes You A Lamer
    220-..:: Have Fun
    220-..::
    220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
    220-..::
    220-..:: Current Uptime .................: 37 Days, 9 Hours, 26 Minutes, 24 Seconds
    220-..:: Total KB's Uploaded ..........: 94 KB
    220-..:: Total KB's Downloaded ......: 0 KB
    220-..:: Total File's Uploaded .......: 2
    220-..:: Total File's Downloaded .....: 0
    220-..:: Average Throughput .......: 0.000 KB/sec
    220-..:: Current Bandwith .............: 0.000 KB/sec
    220-..:: No Users Logged In .........: 1
    220-..:: Max Allowed Users ...........: -1
    220-..:: No Total users ................: 1
    220-..::
    220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
    220-..::
    220-..:: 15992.90 MB free
    220-..:: 1 users connected
    220-..:: 0.000 KB/sec is in use
    220-..::
    220 ...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
    421 Maximum session time exceeded - closing.
     
    I googled it, both "TCP Port 282" & "Capricorn PubStro" (the keywords), but I got nothing :(
     
    It looks like an FTP server? 220, 421
    Anyone who recognizes this?
     
    Thx.
    Sorry for my poor English.

    _________________________________________________________
    Do You Yahoo!?
    Completely free Yahoo! Mail: sign up now and receive an extra 60 MB of online storage
    http://cn.rd.yahoo.com/mail_cn/tag/?http://cn.mail.yahoo.com

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


    
    

    Post-scriptum La Poste

    This message is confidential. Subject to any agreement concluded in writing
    between you and La Poste, its content in no way represents a commitment on
    the part of La Poste. Any publication, use or distribution, even partial,
    must be authorised in advance. If you are not the intended recipient of this
    message, please notify the sender immediately.

    
    

    ---------------------------------------------------------------------------
    You're a pen tester, but is google.com still your R&D team?
    Now you can get trustworthy commercial-grade exploits and the latest
    techniques from a world-class research group.
    www.coresecurity.com/promos/sf_ept1
    ----------------------------------------------------------------------------


