iissrvs2.exe?
From: Rob Baxter (rob@microjuris.com) Date: 04/23/02
From: rob@microjuris.com (Rob Baxter) Date: 22 Apr 2002 17:09:30 -0700
Hello,
I made the rather nasty discovery this afternoon that there were/are several
backdoor and scanning tools running on one of my servers (NT4). One of
them seems to be a legitimate security tool (xscan.exe from XFocus
http://www.xfocus.org/programs.php). However, how it came to be
running on this system I do not know. From the xscan log files, it
seems someone is using this box to collect a list of other vulnerable
servers.
In addition there are several new executables which I do not
recognize. One of them is IISSRVS2.EXE for which I can find no
information. It has installed itself in the WINNT dir and is running
as a service called WindowsUpdate using the AppToService.exe utility
from Basta Software. This utility was also installed on the server
without my knowledge.
Has anyone else ever heard of this particular executable? I have no
idea what it is doing.
This attack seems to have delivered several sneaky utilities
(including rc.exe). I've never heard (and have been unable to find)
anything about such a combination. Any information, particularly info
on how the box was compromised, would be greatly appreciated.
I suspect RemotelyAnywhere as somehow being involved because there are
5-6 instances of TSClient.exe which remain in memory and I cannot kill
them. For the moment I have killed as many "foreign" processes and
services as I am able to. Unfortunately I cannot take this box offline
just yet so it has to stay up and running for the time being.
Obviously I'm not a security expert or even a sysadmin (though I'm
wearing that hat at the moment). I'm not even really sure where to
begin with this mess so if I have neglected any important information
please let me know.
</rob>
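The persistence described in the post (an unknown binary in the WINNT root, registered as a service with a Windows-sounding name through a third-party service wrapper) is something a triage script can flag across every registered service rather than one at a time. The following is an added example, not code from the post or from any tool it mentions. It parses a constructed, simplified .reg-style export of HKLM\SYSTEM\CurrentControlSet\Services (real exports store ImagePath as hex(2) REG_EXPAND_SZ data, so on a live box you would convert that first) and reports services that are launched through a wrapper such as AppToService.exe or srvany.exe, or whose binary sits in the Windows root instead of System32. The three service entries, their paths and the default system root of C:\WINNT are assumptions chosen for the sample.

```python
"""Flag suspicious Windows service registrations from a .reg-style export.

Added example, not from the original post. The sample below is constructed
and simplified: ImagePath values appear as plain strings, whereas a real
regedit export would show REG_EXPAND_SZ data as hex(2):... bytes.
"""
import ntpath
import re

# Launchers that turn an arbitrary program into a service. AppToService.exe
# is the wrapper named in the post; srvany.exe is the Windows Resource Kit one.
WRAPPER_LAUNCHERS = {"apptoservice.exe", "srvany.exe"}

SECTION_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample: one stock service, one wrapper-launched binary like the
# one in the post, and one third-party remote-control product (path assumed).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="%SystemRoot%\\System32\\spoolss.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsUpdate]
"DisplayName"="WindowsUpdate"
"ImagePath"="C:\\WINNT\\AppToService.exe C:\\WINNT\\IISSRVS2.EXE"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemotelyAnywhere]
"DisplayName"="RemotelyAnywhere"
"ImagePath"="C:\\Program Files\\RemotelyAnywhere\\RemotelyAnywhere.exe"
"Start"=dword:00000002
'''


def parse_services(reg_text):
    """Return {service_key: {value_name: value}} from the simplified export."""
    services = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            services[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            # .reg files double backslashes inside string values; undo that.
            services[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return services


def split_image_path(image_path):
    """Split an ImagePath into (launcher, remaining arguments), honouring quotes."""
    text = image_path.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return text[1:end], text[end + 1:].strip()
    parts = text.split(None, 1)
    return parts[0] if parts else "", parts[1] if len(parts) > 1 else ""


def audit_services(services, system_root=r"C:\WINNT"):
    """Return {service_key: [reasons]} for services that deserve a second look."""
    findings = {}
    sysroot = system_root.lower().rstrip("\\")
    for name, values in services.items():
        image = values.get("ImagePath", "").replace("%SystemRoot%", system_root)
        launcher, args = split_image_path(image)
        reasons = []
        if ntpath.basename(launcher).lower() in WRAPPER_LAUNCHERS:
            reasons.append("launched through service wrapper %s: %s"
                           % (ntpath.basename(launcher), args or "(no target given)"))
            # The interesting binary is the wrapper's argument, not the wrapper.
            target = split_image_path(args)[0] if args else launcher
        else:
            target = launcher
        if ntpath.dirname(target).lower() == sysroot:
            reasons.append("binary sits in the Windows root (%s), not System32" % target)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in audit_services(parse_services(SAMPLE_REG)).items():
        print(svc)
        for reason in why:
            print("  -", reason)
```

On the sample data only the WindowsUpdate service is reported, with both reasons; Print Spooler passes, and the third-party product in Program Files is left alone because neither heuristic fires. Treat the output as a worklist for manual review, not a verdict: a wrapper-launched service is merely unusual, and a binary in the Windows root is what made IISSRVS2.EXE stand out in the first place.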