Full Disclosure mailing list archives

RE: Security Alert???
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 6 Dec 2002 12:00:37 -0600

Sounds like your computer might have been tagged.  Taggers look for
machines that they can install FTP servers on so that they can share
their warez; games, movies, dvds, etc.  They usually use ServUFTP and
rename it svchost.exe, because that's a common Windows service that will
usually have several instances running.  (So, when you look at running
processes, you won't think it's unusual to see several instances of
svchost.exe.)

Look for the following things:

1) kill.exe, pskill.exe, pslist.exe, servudaemon.ini, firedaemon.exe,
nc.exe
2) Unusual folders in the Recycler directory - if you are using a
default copy of Windows, you won't even see that directory in Explorer.
You have to go to Tools/Folder Options/View (in the Explorer menu), and
make sure you have "Show hidden files and folders" selected, "Hide
extension for known file types" UNselected and "Hide protected operating
system files (Recommended)" UNselected.  Then go to the RECYCLER folder
on each drive (C:\RECYCLER, D:\RECYCLER) and look for yellow folders
(instead of the default Recycle Bin folders.)  If you see any yellow
folders, open them up.  You'll probably find lots of "stuff" in there,
which means you have definitely been tagged.
3) A service running that you've never seen before - go to
Administrative Tools/Services and look at the services.  One of them
will be unusual - if you're lucky, they won't have renamed it to make it
look "normal".  If you look at the properties, you'll find that the
actual executable is "svchost.exe".
4) Search for "svchost.exe" on your hard drive.  If you find one that's
486KB in size, that's a renamed copy of ServUFTP.  The MS version is 7 -
13KB, depending upon the version you have.

IF you find that you have been tagged, you need to figure out how they
hacked your computer.  Do you have IIS running?  SQL Server?  Do you
have File Sharing turned on and shared with the Internet with no
firewall?  Did you get a trojan installed on your box?  If you don't
close the hole that allowed them in, you'll just get tagged again.  You
need to stay up to date on patches - that means visit
windowsupdate.microsoft.com WEEKLY.  Make it part of your routine.  If
you have Office installed, you need to visit office.microsoft.com
WEEKLY.  Keep your antivirus up to date WEEKLY.

HTH.

Paul Schmehl (pauls () utdallas edu)
TCS Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
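The four checks above, automated as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell session on a Windows host with the legacy RECYCLER layout the post describes; the file names and the 486KB figure come from the post, while the 100KB size cutoff and the SID-shaped folder-name pattern are assumptions.

```powershell
# Added example, not from the original mail. Runs the four checks from the post.
# Assumption: elevated session; RECYCLER subfolders normally carry SID names.
$suspectNames = 'kill.exe','pskill.exe','pslist.exe',
                'servudaemon.ini','firedaemon.exe','nc.exe'
$sysSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Every fixed drive letter (C:\, D:\, ...), as the post says to check each one.
$drives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' }

foreach ($d in $drives) {
    # 1) The helper tools taggers leave behind.
    Get-ChildItem -Path $d.Root -Recurse -Force -ErrorAction SilentlyContinue `
        -Include $suspectNames |
        ForEach-Object { "[tool]     $($_.FullName)" }

    # 2) RECYCLER subfolders that are not per-user bins (the "yellow folders").
    $recycler = Join-Path $d.Root 'RECYCLER'
    if (Test-Path $recycler) {
        Get-ChildItem -Path $recycler -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -notmatch '^S-1-5-' } |   # assumption: real bins are SIDs
            ForEach-Object { "[recycler] $($_.FullName)" }
    }

    # 4) svchost.exe outside System32, or one far larger than Microsoft's 7-13KB.
    Get-ChildItem -Path $d.Root -Recurse -Force -ErrorAction SilentlyContinue `
        -Filter 'svchost.exe' |
        Where-Object { $_.FullName -ne $sysSvchost -or $_.Length -gt 100KB } |  # 100KB: assumed cutoff
        ForEach-Object { "[svchost]  $($_.FullName) ($($_.Length) bytes)" }
}

# 3) Services whose binary is a svchost.exe other than the real one.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' -and
                   $_.PathName -notmatch [regex]::Escape($sysSvchost) } |
    ForEach-Object { "[service]  $($_.Name): $($_.PathName)" }
```

Any line the script prints is a lead to inspect by hand, not proof on its own; the post's advice about finding and closing the entry hole still applies afterwards.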


-----Original Message-----
From: Bob Crockett [mailto:bcrocket () texas net] 
Sent: Friday, December 06, 2002 1:38 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Security Alert???


Ok, folks, maybe I just stumbled into a list I don't 
belong in, but kindly indulge me a moment.  Earlier 
today, Norton Firewall lit up, telling me that 
C:\winnt\system32\svchost.exe
was attempting to access the internet.  As I had not 
seen this warning before, I elected to block the 
communication.  Then I started some web research. 
After not finding any answer on the Symantec site, I 
found my way here.  So I thought I would ask if anyone 
here knows what this message means.  Please excuse the 
waste of bandwidth, but I would appreciate any help.

Reluctantly,

Bob Crockett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
