Security Incidents
mailing list archives
IIS and leech
From: randall perry <randallp () domain-logic com>
Date: Thu, 07 Nov 2002 14:45:00 -0500
Greets.
An IIS box I manage freaked out yesterday. I initially thought that it came under attack, but after digging through
what was left of the crime scene, it looks like MS is to blame. The most recent event before the nightmare began was
at 7pm the night before: the creation of c:\program files\WindowsUpdate\wuaudnld.tmp\. That tells me that an automagic MS
Windows update is the root of trashing that ecommerce box, which took all day yesterday to recover (after 2 BSODs
trashed it to the point of not having network connectivity).
If that wouldn't have happened, I probably would not have found the following:
hum.exe, which is really the leech ftp server, was installed on the box and set up as a service to start with the box. I found
more than 30 gig of files (movies, MP3s) under
d:\i386\winnt[some characters]\system32\system32\ and some funny directory names. The movies were broken into 14 meg
chunks, but each directory had sample avi files that showed a short clip of what the movie was.
I have no idea how this got planted there or by whom (the office manager and the graphics person are the only ones who
access the box).
A port scan of the box showed the following ports open:
|___ 21 [ftp] File Transfer [Control]
|___ 25 [smtp] Simple Mail Transfer
|___ 80 [http] World Wide Web HTTP
|___ 135 [epmap] DCE endpoint resolution
|___ 389 [ldap] Lightweight Directory Access Protocol
|___ 433 [nnsp] NNSP
|___ 443 [https] https MCom
|___ 445 [microsoft-ds] Microsoft-DS
|___ 1025 [blackjack] network blackjack
|___ 1027 [ICQ] ICQ?
Although port 1025 is typically network blackjack, I can assume that was the leech ftp server, controlled through port
1027. Anyone else see this?
Randall Perry
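Two triage checks that follow from the post above, written as an added example (not Randall's code and not part of the original message): the first parses the `|___ <port> [name] description` scan listing and reports ports outside a baseline of what the admin expects a public IIS host to expose (the baseline of 21, 25, 80 and 443 is an assumption for illustration); the second takes a file inventory of (path, size) pairs and flags directories showing the warez-drop pattern described in the post: a repeated path component such as system32\system32, many equal-sized chunk files, and media sample files alongside them. The sample scan is the listing from the post; the sample inventory is constructed, and the "winntXXXX" directory name is a placeholder, not the real name from the box.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed baseline of intentionally exposed services on a public IIS e-commerce host.
# This is an illustrative assumption, not something the original post states.
EXPECTED_PORTS = {21, 25, 80, 443}

# Matches the scanner output format quoted in the post: "|___ 1025 [blackjack] network blackjack"
PORT_LINE = re.compile(r"\|___\s+(\d+)\s+\[([^\]]*)\]\s*(.*)")

# Extensions that indicate the media payload the post describes (movies, MP3s, sample AVIs).
MEDIA_EXT = {".avi", ".mpg", ".mpeg", ".mp3", ".wmv"}

# The scan listing exactly as it appears in the post.
SAMPLE_SCAN = """
|___ 21 [ftp] File Transfer [Control]
|___ 25 [smtp] Simple Mail Transfer
|___ 80 [http] World Wide Web HTTP
|___ 135 [epmap] DCE endpoint resolution
|___ 389 [ldap] Lightweight Directory Access Protocol
|___ 433 [nnsp] NNSP
|___ 443 [https] https MCom
|___ 445 [microsoft-ds] Microsoft-DS
|___ 1025 [blackjack] network blackjack
|___ 1027 [ICQ] ICQ?
"""

# Constructed inventory: six 14 MB chunks plus a sample clip in a nested system32 directory,
# next to a legitimate web root. "winntXXXX" is a placeholder directory name.
CHUNK = 14 * 1024 * 1024
DROP_DIR = r"d:\i386\winntXXXX\system32\system32"
SAMPLE_INVENTORY = [(rf"{DROP_DIR}\movie.{i:03d}", CHUNK) for i in range(1, 7)] + [
    (rf"{DROP_DIR}\sample.avi", 3_200_000),
    (r"c:\inetpub\wwwroot\default.htm", 2048),
    (r"c:\inetpub\wwwroot\logo.gif", 5120),
    (r"c:\inetpub\wwwroot\style.css", 900),
]


def parse_scan(scan_text):
    """Return {port: (service_name, description)} from the '|___' listing format."""
    found = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.search(line)
        if m:
            found[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return found


def unexpected_ports(scan_text, expected=EXPECTED_PORTS):
    """Sorted list of listening ports that are not in the expected baseline."""
    return sorted(p for p in parse_scan(scan_text) if p not in expected)


def repeated_component(path):
    """True when two consecutive path components are identical (e.g. system32\\system32)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(a == b for a, b in zip(parts, parts[1:]))


def suspicious_dirs(inventory, min_chunks=5):
    """Map directory -> list of indicators for directories with at least two indicators.

    inventory is an iterable of (windows_path, size_in_bytes).
    """
    by_dir = defaultdict(list)
    for path, size in inventory:
        p = PureWindowsPath(path)
        by_dir[str(p.parent)].append((p.name, size))

    findings = {}
    for directory, files in by_dir.items():
        reasons = []
        if repeated_component(directory):
            reasons.append("repeated path component")
        size_counts = defaultdict(int)
        for _, size in files:
            size_counts[size] += 1
        if any(n >= min_chunks for n in size_counts.values()):
            reasons.append("many equal-size chunk files")
        if any(PureWindowsPath(name).suffix.lower() in MEDIA_EXT for name, _ in files):
            reasons.append("media files present")
        if len(reasons) >= 2:
            findings[directory] = reasons
    return findings


if __name__ == "__main__":
    print("ports outside baseline:", unexpected_ports(SAMPLE_SCAN))
    for d, why in suspicious_dirs(SAMPLE_INVENTORY).items():
        print(d, "->", ", ".join(why))
```

Run against the post's listing, the port check reports 135, 389, 433, 445, 1025 and 1027 as outside the baseline; the inventory check singles out the nested system32 directory on all three indicators and leaves the web root alone. Requiring two indicators keeps an ordinary directory that merely contains a media file from being reported.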
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com