#1
We have a 2000 server I was looking at the other day (while updating Norton Corporate) and I noticed servudaemon.exe running as a service off the root of C. We do not run anything off the root of C, so I scanned it with Norton. Norton didn't find anything, so I loaded Ewido and it tagged it as backdoor.servu-based. I gather it's some sort of FTP server software. Anyway, I disabled the service and let Ewido remove it. I then ran RootkitRevealer and checked the recycle bin for a hidden FTP site. I can't find anything wrong or out of the ordinary other than this service running off the root of C.

1) Why didn't Norton pick it up?

2) Do I need to be concerned since I didn't find anything else? There was an ini file with the .exe file but I am unsure as to what it means. This is it as follows (none of the directories referenced in HomeDir exist):

[GLOBAL]
Version=6.0.0.2
ProcessID=2488
[DOMAINS]
Domain1=0.0.0.0||9636|stro|1|0|0
[Domain1]
User1=yurex|1|0
User2=up|1|0
User3=ftpmaniac|1|0
SignOn=c:\WINDOWS\dll\loginfo.txt
SQLListAll=
SQLListName=
SQLListSort=
SQLDelete=
SQLInsert=
SQLUpdate=
ReplyHello=YuReX PresenTe :
ReplyNoAnon=Stop logg toi avant
ReplyTooMany=Trop de peuple resaie encore
ReplyDown=Down revienez plus tard
ReplyOffline=Le serveur est temporairement fermer revenez plus tard
MaxNrUsers=3
User4=over2|1|0
User5=up2|1|0
User6=par|1|0
RatioFree1=C:\
RatioFree2=D:\
RatioFree3=E:\
RatioFree4=F:\
RatioFree5=G:\
[USER=yurex|1]
Password=hzAF65B47EA5D7E0E6FBE6B5CC25821FDC
HomeDir=c:\
TimeOut=3600
Maintenance=System
Access1=G:\|RWAMELCDP
Access2=d:\|RWAMELCDP
Access3=d:\|RWAMELCDP
Access4=D:\|RWAMELCDP
Access5=F:\|RWAMELCDP
Access6=e:\|RWAMELCDP
Access7=c:\|RWAMELCDP
[USER=up|1]
Password=ulEE976AD82C153D0DADB80BF3D5BE7F77
HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\dll
RelPaths=1
TimeOut=1200
Access1=F:\backupbrspodpl01\WINNT\SYSVOL\DATA\dll|RWAMELCDP
Access2=d:\|RWAMELCDP
[USER=up2|1]
Password=vn9AD6385218DABBEC6C0B0A85A14962ED
HomeDir=d:\Lotus\Domino\Data\modems\data\dl
RelPaths=1
TimeOut=600
Access1=d:\Lotus\Domino\Data\modems\data\dl|RWAMELCDP
[USER=ftpmaniac|1]
Password=le970297A758078469759ED077F288CE81
HomeDir=d:\lotus\domino\data\modems\data\dl
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=300
Access1=d:\Lotus\Domino\Data\modems\data\dl|RLP
[USER=par|1]
Password=oe9241BF4F6A25F55814952CF13BFF7176
HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\etoile
RelPaths=1
TimeOut=600
Access1=f:\backupbrspodpl01\winnt\sysvol\data\etoile|RWAMLCDP
[USER=over2|1]
Password=fcE119288B197A518D11751642E12B4CBA
HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\dll
RelPaths=1
TimeOut=600
Access1=F:\backupbrspodpl01\WINNT\SYSVOL\DATA\dll|RLP

3) I also found a file off the root called superlol.exe but couldn't find anything about it and it was not running. Any other programs you guys would suggest running?
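Added example, not part of the original post: a small Python audit script for a Serv-U style ini of the kind quoted above. It parses the file, lists the domains and users, and flags the indicators a responder would want to see before deciding whether the box is compromised: a listener on a non-standard port, home directories that do not exist, accounts with Maintenance=System, write/delete rights granted at a drive root, and paths under system directories. The embedded ini is a constructed sample in the same layout (made-up users, hashes and paths, not the poster's file); the field order assumed for the Domain line (bind address, unused, port, name) is read off the sample rather than taken from vendor documentation, and W/D are read as write/delete rights.

```python
import configparser
import os
import re

# Constructed sample laid out like the Serv-U 6 ini quoted in the thread.
# User names, hashes and paths are made up for illustration; this is not
# the poster's file.
SAMPLE_INI = r"""
[GLOBAL]
Version=6.0.0.2
ProcessID=2488

[DOMAINS]
Domain1=0.0.0.0||9636|stro|1|0|0

[Domain1]
User1=yurex|1|0
User2=up|1|0
MaxNrUsers=3
SQLListAll=

[USER=yurex|1]
Password=hz00000000000000000000000000000000
HomeDir=c:\
TimeOut=3600
Maintenance=System
Access1=c:\|RWAMELCDP
Access2=d:\|RWAMELCDP

[USER=up|1]
Password=ul00000000000000000000000000000000
HomeDir=f:\backup\winnt\sysvol\data\dll
RelPaths=1
TimeOut=1200
Access1=f:\backup\winnt\sysvol\data\dll|RWAMELCDP
"""

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
SYSTEM_DIR = re.compile(r"\\(winnt|windows|sysvol)\\", re.IGNORECASE)


def parse_servu(text):
    """Parse a Serv-U style ini. Keys keep their case; '|' is data, not a delimiter."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.optionxform = str  # keep HomeDir / Access1 etc. exactly as written
    cfg.read_string(text)
    return cfg


def list_domains(cfg):
    """Return (key, bind address, port, domain name) per [DOMAINS] entry.
    Field order bind|unused|port|name is assumed from the sample, not vendor docs."""
    out = []
    for key, value in cfg.items("DOMAINS"):
        parts = value.split("|")
        out.append((key, parts[0], int(parts[2]), parts[3]))
    return out


def list_users(cfg):
    """Collect home dir, maintenance level and Access entries for every [USER=...] section."""
    users = {}
    for section in cfg.sections():
        if not section.startswith("USER="):
            continue
        name = section[len("USER="):].split("|")[0]
        sec = cfg[section]
        access = []
        for key in sec:
            if key.startswith("Access"):
                path, _, rights = sec[key].partition("|")
                access.append((path, rights))
        users[name] = {
            "homedir": sec.get("HomeDir", ""),
            "maintenance": sec.get("Maintenance", ""),
            "access": access,
        }
    return users


def audit(cfg, path_exists=os.path.exists):
    """Return (subject, reason) pairs for indicators worth checking when a Serv-U
    config turns up unexpectedly. path_exists is injectable so a copied ini can be
    checked on an analysis machine where the original paths are absent."""
    findings = []
    for _key, _addr, port, name in list_domains(cfg):
        if port != 21:
            findings.append((name, f"listens on non-standard port {port}"))
    for user, info in list_users(cfg).items():
        home = info["homedir"]
        if home and not path_exists(home):
            findings.append((user, f"home directory does not exist: {home}"))
        if info["maintenance"].lower() == "system":
            findings.append((user, "Maintenance=System (Serv-U system-administrator level)"))
        for path, rights in info["access"]:
            # W (write) and D (delete) are read here as modifying rights.
            if DRIVE_ROOT.match(path) and ("W" in rights or "D" in rights):
                findings.append((user, f"write/delete access at drive root {path}"))
            if SYSTEM_DIR.search(path):
                findings.append((user, f"access path inside a system directory: {path}"))
    return findings


if __name__ == "__main__":
    # path_exists=lambda p: False mimics the poster's situation: no HomeDir exists.
    for subject, reason in audit(parse_servu(SAMPLE_INI), path_exists=lambda p: False):
        print(f"{subject}: {reason}")
```

Run it against the real ini by replacing SAMPLE_INI with the file contents; every user whose home directory is missing, every drive-root grant and the odd listening port are then listed in one place, which is the evidence to hand over alongside the ewido detection rather than relying on a single AV verdict.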
#2
Hi,

This seems as though there is a rootkit-hidden FTP server running. As to why Norton does not pick it up: Serv-U is a legit application; they would pick up a lot of support emails from system admins that use Serv-U. I suggest running Trojan Hunter on the infected system: http://www.misec.net