backdoor.servu-based

Discussion in 'malware problems & news' started by Ribo, Jan 16, 2006.

Thread Status:
Not open for further replies.
  1. Ribo

    Ribo Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    11
    We have a 2000 server I was looking at the other day (while updating Norton Corporate) and I noticed servudaemon.exe running as a service off the root of C. We do not run anything off the root of C, so I scanned it with Norton. Norton didn't find anything, so I loaded Ewido and it tagged it as backdoor.servu-based. I gather it's some sort of FTP server software. Anyway, I disabled the service and let Ewido remove it. I then ran RootkitRevealer and checked the recycle bin for a hidden FTP site. I can't find anything wrong or out of the ordinary other than this service running off the root of C.

    1) Why didn't Norton pick it up?
    2) Do I need to be concerned since I didn't find anything else? There was an ini file with the .exe file, but I am unsure as to what it means. This is it as follows: None of the directories referenced in HomeDir exist.
    [GLOBAL]
    Version=6.0.0.2
    ProcessID=2488
    [DOMAINS]
    Domain1=0.0.0.0||9636|stro|1|0|0
    [Domain1]
    User1=yurex|1|0
    User2=up|1|0
    User3=ftpmaniac|1|0
    SignOn=c:\WINDOWS\dll\loginfo.txt
    SQLListAll=
    SQLListName=
    SQLListSort=
    SQLDelete=
    SQLInsert=
    SQLUpdate=
    ReplyHello=YuReX PresenTe :
    ReplyNoAnon=Stop logg toi avant
    ReplyTooMany=Trop de peuple resaie encore
    ReplyDown=Down revienez plus tard
    ReplyOffline=Le serveur est temporairement fermer revenez plus tard
    MaxNrUsers=3
    User4=over2|1|0
    User5=up2|1|0
    User6=par|1|0
    RatioFree1=C:\
    RatioFree2=D:\
    RatioFree3=E:\
    RatioFree4=F:\
    RatioFree5=G:\

    Password=hzAF65B47EA5D7E0E6FBE6B5CC25821FDC
    HomeDir=c:\
    TimeOut=3600
    Maintenance=System
    Access1=G:\|RWAMELCDP
    Access2=d:\|RWAMELCDP
    Access3=d:\|RWAMELCDP
    Access4=D:\|RWAMELCDP
    Access5=F:\|RWAMELCDP
    Access6=e:\|RWAMELCDP
    Access7=c:\|RWAMELCDP

    Password=ulEE976AD82C153D0DADB80BF3D5BE7F77
    HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\dll
    RelPaths=1
    TimeOut=1200
    Access1=F:\backupbrspodpl01\WINNT\SYSVOL\DATA\dll|RWAMELCDP
    Access2=d:\|RWAMELCDP

    Password=vn9AD6385218DABBEC6C0B0A85A14962ED
    HomeDir=d:\Lotus\Domino\Data\modems\data\dl
    RelPaths=1
    TimeOut=600
    Access1=d:\Lotus\Domino\Data\modems\data\dl|RWAMELCDP

    Password=le970297A758078469759ED077F288CE81
    HomeDir=d:\lotus\domino\data\modems\data\dl
    RelPaths=1
    MaxUsersLoginPerIP=1
    TimeOut=300
    Access1=d:\Lotus\Domino\Data\modems\data\dl|RLP

    Password=oe9241BF4F6A25F55814952CF13BFF7176
    HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\etoile
    RelPaths=1
    TimeOut=600
    Access1=f:\backupbrspodpl01\winnt\sysvol\data\etoile|RWAMLCDP

    Password=fcE119288B197A518D11751642E12B4CBA
    HomeDir=f:\backupbrspodpl01\winnt\sysvol\data\dll
    RelPaths=1
    TimeOut=600
    Access1=F:\backupbrspodpl01\WINNT\SYSVOL\DATA\dll|RLP

    3) I also found a file off the root called superlol.exe, but couldn't find anything about it and it was not running. Any other programs you guys would suggest running?
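    A small triage helper for a pasted ServUDaemon.ini like the one above, added here as an example (it is not from the thread or from Serv-U): it pulls the listener port, the account names and each account's access grants out of the flattened paste and flags any grant that gives write access to a whole drive root. It assumes the pipe-separated field layout visible in the post (DomainN=ip||port|name..., UserN=name|1|0, AccessN=path|flags) and that the W flag means write; the sample text is a constructed excerpt with placeholder hashes.

```python
import re

# Constructed excerpt modelled on the pasted ServUDaemon.ini (hashes replaced).
SAMPLE_INI = """\
[DOMAINS]
Domain1=0.0.0.0||9636|stro|1|0|0
[Domain1]
User1=yurex|1|0
User2=up|1|0

Password=hzPLACEHOLDER_HASH
HomeDir=c:\\
Access1=G:\\|RWAMELCDP
Access2=c:\\|RWAMELCDP

Password=lePLACEHOLDER_HASH
HomeDir=d:\\lotus\\domino\\data\\modems\\data\\dl
Access1=d:\\Lotus\\Domino\\Data\\modems\\data\\dl|RLP
"""
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # "C:" or "C:\" and nothing more

def parse_servu_ini(text):
    """Collect listener ports, account names and per-account access grants.
    The paste lost its [USER=...] headers: Password= after a blank line starts a block."""
    info = {"ports": [], "users": [], "accounts": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            current = None          # blank line or section header ends a block
            continue
        key, _, value = line.partition("=")
        if key.startswith("Domain"):        # DomainN=ip||port|name|...
            info["ports"].append(int(value.split("|")[2]))
        elif key.startswith("User"):        # UserN=name|1|0
            info["users"].append(value.split("|")[0])
        elif key == "Password":
            current = {"homedir": None, "access": []}
            info["accounts"].append(current)
        elif key == "HomeDir" and current is not None:
            current["homedir"] = value
        elif key.startswith("Access") and current is not None:
            path, _, flags = value.partition("|")  # AccessN=path|flags
            current["access"].append((path, flags))
    return info

def writable_root_grants(info):
    """Grants with the W (write) flag on a bare drive root: a whole-disk dump target."""
    return [(a["homedir"], p, f) for a in info["accounts"]
            for p, f in a["access"] if DRIVE_ROOT.match(p) and "W" in f]
```

    On the live host, compare the extracted listener port against `netstat -ano` output and the HomeDir/Access paths against what actually exists on disk before concluding that nothing else is present.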
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Hi,

    This seems like there is a rootkit-hidden FTP server running.
    As to why Norton does not pick it up: Serv-U is a legit application. They would pick up a lot of support emails from system admins that use Serv-U.

    I suggest running Trojan Hunter on the infected system.

    http://www.misec.net
     