Security Incidents mailing list archives

Re: Trojan of somesort
From: Andrew Smith <arse () somethingentertainment co uk>
Date: Tue, 25 May 2004 23:06:28 +0100


I am presuming this to be the welcome banner for a trojan horse of some sort. Has anybody seen this before or does anybody know anything about it or what Trojan this might be?

This is Serv-U, an FTP server. It is being run by an FXP Group who will have 'cracked' your computer (probably through some unpatched Windows hole), they will either be using it to store + share pirated material (warez) or scan for other vulnerable computers, depending on your internet connection / hard drive space.

Check `net start` (at the command prompt) or `services.msc` (from Run...) for any suspicious services, if they are complete idiots the service name will be 'servu'. Check your task manager for a suspicious .exe file, in the same directory as it should be a number of small (a few KB) files, within these (open with Notepad) you should be able to locate other directories where the FXP Group will store their 'warez'. Also run an anti-virus scanner to check for any other viruses or keyloggers, chances are they have left another way in, in case you discover the ftpd.
The most likely way they 'cracked' your computer is:
file + print sharing / NetBIOS password cracking (Win 9x)
MS SQL Server brute-forcing
WebDAV exploit
DCOM/RPC

I recommend you take a trip to www.windowsupdate.com

Hope this helps,
Andrew Smith.
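
The service and file checks described in the reply above can be scripted on a current Windows host. This PowerShell triage script is an added example, not part of the original post; the name pattern, the list of expected install roots and the 16 KB size cutoff are assumptions chosen for illustration.

```powershell
# Added triage example. $namePattern, $expectedRoots and $maxConfigSize are assumptions.
$namePattern   = 'serv-?u'   # matches "servu" and "serv-u" (-match is case-insensitive)
$maxConfigSize = 16KB        # "small (a few KB) files" next to the executable

# Roots where service binaries normally live; anything else is listed for review.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-ServiceExePath([string]$PathName) {
    # PathName may be quoted and may carry arguments; return only the executable path.
    if ($PathName -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b')  { return $Matches[1] }
    return $PathName
}

# Step 1: running services whose name matches, or whose binary sits in an unusual place.
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "State='Running'") {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceExePath $svc.PathName))
    if (-not $exe) { continue }

    $nameHit = "$($svc.Name) $($svc.DisplayName) $exe" -match $namePattern
    $inExpectedRoot = $false
    foreach ($root in $expectedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inExpectedRoot = $true
        }
    }

    if ($nameHit -or -not $inExpectedRoot) {
        [pscustomobject]@{
            Name = $svc.Name; DisplayName = $svc.DisplayName
            ProcessId = $svc.ProcessId; NameMatch = $nameHit; Exe = $exe
        }
    }
}
$findings | Format-Table -AutoSize | Out-Host

# Step 2: small files beside each flagged executable (hidden ones included),
# which are the ones to open in a text editor and read for storage directories.
foreach ($f in $findings) {
    $dir = Split-Path -Parent $f.Exe
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $maxConfigSize } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize | Out-Host
}
```

A flagged service is a candidate for review, not a verdict: legitimate software also installs outside the listed roots, and a renamed binary placed inside them will not be flagged by location.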

