We have a 2000 server I was looking at the other day (while updating Norton Corporate) and I noticed servudaemon.exe running as a service off the root of C:. We do not run anything off the root of C:, so I scanned it with Norton. Norton didn't find anything, so I loaded Ewido and it tagged it as Backdoor.Servu-based. I gather it's some sort of FTP server software. Anyway, I disabled the service and let Ewido remove it. I then ran RootkitRevealer and checked the recycle bin for a hidden FTP site. I can't find anything wrong or out of the ordinary other than this service running off the root of C:.
1) Why didn't Norton pick it up?
2) Do I need to be concerned since I didn't find anything else? There was an ini file with the .exe file, but I am unsure as to what it means. This is it as follows:
None of the directories referenced in HomeDir exist.
ReplyHello=YuReX PresenTe :
ReplyNoAnon=Stop logg toi avant
ReplyTooMany=Trop de peuple resaie encore
ReplyDown=Down revienez plus tard
ReplyOffline=Le serveur est temporairement fermer revenez plus tard
3) I also found a file off the root called superlol.exe, but couldn't find anything about it and it was not running. Any other programs you guys would suggest running?
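Since the question is what that ini file means, here is an added Python triage script (not from this thread and not Serv-U's own code) that parses a Serv-U style ServUDaemon.ini, lists the custom Reply* banners, every HomeDir and whether it exists on disk, and accounts that are anonymous or have no password. It assumes Serv-U keeps per-user settings in [USER=name|n] sections with HomeDir and Password keys; the sample ini is constructed except for the Reply* lines quoted above.

```python
import configparser
import os
from typing import Dict, List

# Constructed sample modelled on the ServUDaemon.ini layout (assumption: per-user
# settings live in "[USER=name|n]" sections). The Reply* banners are the ones
# quoted in the post; the accounts, paths and SID are made up for the example.
SAMPLE_INI = """
[GLOBAL]
ReplyHello=YuReX PresenTe :
ReplyNoAnon=Stop logg toi avant
ReplyTooMany=Trop de peuple resaie encore
ReplyDown=Down revienez plus tard
ReplyOffline=Le serveur est temporairement fermer revenez plus tard

[USER=anonymous|1]
Password=
HomeDir=c:\\RECYCLER\\S-1-5-21-0-0-0-500\\
Access1=c:\\RECYCLER\\S-1-5-21-0-0-0-500\\|RWAMELCDP

[USER=yurex|1]
Password=xy12345
HomeDir=d:\\pub\\
"""

def parse_servu_ini(text: str) -> configparser.ConfigParser:
    # Serv-U files may repeat keys and contain '%', so turn off strictness/interpolation.
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case so HomeDir/Reply* names are matched as written
    cp.read_string(text)
    return cp

def triage(text: str, path_exists=os.path.isdir) -> Dict[str, List[str]]:
    """Collect banners, home dirs, home dirs that do not exist, and weak accounts."""
    cp = parse_servu_ini(text)
    out = {"banners": [], "homedirs": [], "missing_homedirs": [], "weak_accounts": []}
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower().startswith("reply") and value:
                out["banners"].append(f"{key}={value}")
        if section.upper().startswith("USER="):
            user = section[5:].split("|")[0]          # "anonymous|1" -> "anonymous"
            home = cp.get(section, "HomeDir", fallback="")
            if home:
                out["homedirs"].append(f"{user}:{home}")
                if not path_exists(home):              # what the OP noticed: dirs are gone
                    out["missing_homedirs"].append(home)
            if user.lower() == "anonymous" or not cp.get(section, "Password", fallback=""):
                out["weak_accounts"].append(user)
    return out

if __name__ == "__main__":
    for name, items in triage(SAMPLE_INI).items():
        print(name, items)
```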
This seems as if there is a rootkit-hidden FTP server running.
As for why Norton does not pick it up, Serv-U is a legit application... they would pick up a lot of support emails from system admins that use Serv-U.
I suggest running Trojan Hunter on the infected system.
a proud supporter of THE GLORIOUS REDS
To Ride, Shoot Straight And Speak TheTruth