Re: IRC bot?

From: Florian Stark (ai0252@umwelt-campus.de)
Date: Tue Sep 16 2003 - 13:36:19 EDT


It looks like the modified banner of a ServU FTP daemon. The ServU FTP
daemon is often used in Windows rootkits. I saw these things quite often
on systems which are used as warez servers by fxp-groups. Inform your
customer and be aware of rootkits. Good luck!

Florian Stark - ai0252@umwelt-campus.de - ICQ: 158127137

Bryan Miller wrote:

>During a pen test yesterday I came across TCP port 6501. Upon connecting to it via Netcat, I received the following screen:
>
>220-W4A BotServ 2.0
>220-==============================================
>220-You are Connecting From x.x.x.x
>220-The Local time is 23:20:03,
>220-14 users have visited in the last 24 hours.
>220-This server has been running for
>220-39 Days, 13 Hours, 28 Mins, 6 Secs
>220-==============================================
>220-Amout of Logins Since Server Started: 0 total
>220-Logged in Users: 1
>220-Total Kb downloaded: 0 Kb
>220-Total Kb uploaded: 0 Kb
>220-Amout of Files downloaded: 0
>220-Amout of Files uploaded: 0
>220-Average Speed: 0.000 Kb/sec
>220-Current Speed: 0.000 Kb/sec
>220-Free Disk Space: 187.18 MB
>220 ==============================================
>
>Has anyone seen this before? Am I correct in assuming it's some form of IRC bot? If so, how do I talk to it to verify? Does it have some interesting uses?
>
>
>
>
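
An added example, not part of the original thread: the "220-" / "220 " prefixes in the quoted greeting are FTP reply framing as defined in RFC 959 (code 220 is the service-ready greeting), which is what marks this as an FTP service and not IRC whatever name the banner shows. The sketch below parses a captured greeting and pulls out the fields worth recording in the report; the `triage` helper, its output keys and the shortened banner are assumptions made for illustration.

```python
import re

# Constructed input: part of the greeting quoted in the thread (TCP 6501).
BANNER = """\
220-W4A BotServ 2.0
220-==============================================
220-You are Connecting From x.x.x.x
220-The Local time is 23:20:03,
220-This server has been running for
220-39 Days, 13 Hours, 28 Mins, 6 Secs
220-Logged in Users: 1
220-Free Disk Space: 187.18 MB
220 ==============================================
"""

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.+)$")

def parse_ftp_reply(raw):
    """Parse one RFC 959 reply; 'NNN-' continues it, 'NNN ' ends it."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if code is None:
            if m is None:
                return None          # first line has no reply code: not FTP
            code = m.group(1)
        if m and m.group(1) == code:
            texts.append(m.group(3))
            if m.group(2) == " ":
                return int(code), texts
        else:
            texts.append(line)       # free-form line inside a multiline reply
    return None                      # reply never terminated

def triage(raw, port):
    """Summarise a captured greeting for the report (hypothetical helper)."""
    reply = parse_ftp_reply(raw)
    if reply is None or reply[0] != 220:
        return None
    texts = reply[1]
    fields = dict(m.groups() for m in map(FIELD.match, texts) if m)
    up = re.search(r"(\d+) Days", "\n".join(texts))
    return {"protocol": "ftp", "greeting": texts[0].strip(),
            "nonstandard_port": port != 21, "fields": fields,
            "uptime_days": int(up.group(1)) if up else None}

if __name__ == "__main__":
    print(triage(BANNER, 6501))
```

The banner text itself is operator-controlled, so the extracted values are leads to verify on the host, not facts.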




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:40 EDT