RE: Anyone know this ?

From: Christophe ROY (christophe.roy-prestataire@laposte.fr)
Date: Mon Mar 22 2004 - 02:56:59 EST


Hello

This computer has been hacked by a bad guy from an "FXP team" named Capricorn, and he installed a Serv-U FTP server. The low statistics may indicate that this computer is too slow for up/downloading warez (apps, games, movies and so on; this is not a disk space problem, 15 GB is enough), so, as it is still alive, maybe this FTP server is used to launch scan threads towards other IP ranges.
If you have access rights to this computer, look for a file named servudaemon.ini on the hard disk; this is the config file for the Serv-U FTP Server daemon. We can suppose Serv-U has been installed as a service too, but as I have already seen "renamed" Serv-U executables (patched with a hex editor), it may not appear as "Serv-U FTP Server" in the services list.
Common hacking methods used by FXP teams are the IIS double-decode vulnerability, a weak password for the sa user on MS SQL Server, IPC connections (again, a weak user password), etc.

Note: FXP is FTP server to FTP server transfer; the client (for example you) just sends the commands, and the traffic goes directly between the two FTP servers.

Christophe ROY
Security Supervisor
La Poste
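The FXP mechanism described in this reply, as an added example (Python, not code from the thread or from any FXP tool): the client reads the PASV reply of the receiving server, hands that address to the sending server in a PORT command, then issues STOR and RETR so the two servers open the data connection between themselves. The control channel here is a constructed recording stub that returns canned replies; the addresses and file name are invented.

```python
"""FXP (server-to-server FTP transfer) from the client's point of view.

The client only talks on the two control channels; the file itself flows
directly from the sending server to the receiving server (RFC 959 allows a
PORT command to name a third party, which is what FXP relies on).
"""
import re

PASV_REPLY = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> ('h1.h2.h3.h4', port)."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: " + reply)
    m = PASV_REPLY.search(reply)
    if not m:
        raise ValueError("malformed PASV reply: " + reply)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def build_port_command(host, port):
    """Inverse of parse_pasv_reply: the PORT command pointing a server at host:port."""
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


class RecordingControlChannel:
    """Stand-in for an FTP control connection (constructed for this demo; a
    real client would write/read a socket here). Logs every command sent and
    answers with canned replies so the sequence can be inspected offline."""

    def __init__(self, name, pasv_reply="227 Entering Passive Mode (0,0,0,0,0,0)"):
        self.name = name
        self.sent = []
        self.pasv_reply = pasv_reply

    def sendcmd(self, cmd):
        self.sent.append(cmd)
        if cmd == "PASV":
            return self.pasv_reply
        if cmd.startswith(("RETR", "STOR")):
            return "150 Opening BINARY mode data connection"
        return "200 Command okay"


def fxp_transfer(source, dest, filename):
    """Copy filename from server `source` to server `dest` without relaying it.

    dest goes passive (it listens) and is told to STOR; source is pointed at
    dest's listener with PORT and told to RETR, so source connects to dest and
    pushes the bytes. Returns the (host, port) the data connection used."""
    for channel in (source, dest):
        channel.sendcmd("TYPE I")            # binary mode on both sides
    host, port = parse_pasv_reply(dest.sendcmd("PASV"))
    source.sendcmd(build_port_command(host, port))
    dest.sendcmd("STOR " + filename)         # receiver first, so its listener is ready
    source.sendcmd("RETR " + filename)       # sender connects to receiver and streams
    return host, port


if __name__ == "__main__":
    # Invented addresses: the receiving server listens on 10.0.0.5:5001.
    receiver = RecordingControlChannel(
        "receiver", "227 Entering Passive Mode (10,0,0,5,19,137)")
    sender = RecordingControlChannel("sender")
    print(fxp_transfer(sender, receiver, "movie.rar"))
    print("sender  <-", sender.sent)
    print("receiver<-", receiver.sent)
```

Note the defensive side of this: the PORT command sent to the source names an address other than the client's own, which is the same shape as an FTP bounce. FTP servers that restrict PORT to the control connection's peer address answer such a command with a 5xx reply, and FXP against them fails; that restriction is therefore a useful hardening check on any FTP daemon you operate.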

-----Original Message-----
From: Smith Gary-GSMITH1 [mailto:Gary.R.Smith@motorola.com]
Sent: Friday, March 19, 2004 18:16
To: 'tester pen'; pen-test@securityfocus.com
Subject: RE: Anyone know this ?

Greetings,

Yes, it looks like you have found an FTP server. A pubstro is a high speed,
public, distribution network set up for file distribution, probably warez or
porn. The "Capricorn" is probably a knock-off of the Serv-U FTP server. The
name may have been changed to protect the guilty. Note the numbers: it's
been up for > 37 days and it has had only 95KB uploaded. Obviously not a
busy server. It has had no downloads in > 37 days! The server isn't very
well publicized with such low statistics. It's got a reasonable amount of
space devoted to its use (15GB), what little there is.

Regards,

Gary Smith

-----Original Message-----
From: tester pen [mailto:apentester@yahoo.com.cn]
Sent: Friday, March 19, 2004 1:37 AM
To: pen-test@securityfocus.com
Subject: Anyone know this ?

Hi, all.
While doing a pen-test on a Win2k Server box, I found that TCP port 282
is open, and when I telnet to it, the response is below:
 
220-welcome to this capricorn pubstro!
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: Welcome @ This
220-..::
220-..:: Capricorn PubStro
220-..::
220-..:: 3njoy
220-..::
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: Rulez:
220-..:: Dont Hammer
220-..:: Dont ReHack
220-..:: Dont Scan This IP Range
220-..:: Dont Delete
220-..:: No Lame One-Word Relies
220-..:: Dont RePost Or Give Infos - That Makes You A Lamer
220-..:: Have Fun
220-..::
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: Current Uptime .................: 37 Days, 9 Hours, 26 Minutes, 24 Seconds
220-..:: Total KB's Uploaded ..........: 94 KB
220-..:: Total KB's Downloaded ......: 0 KB
220-..:: Total File's Uploaded .......: 2
220-..:: Total File's Downloaded .....: 0
220-..:: Average Throughput .......: 0.000 KB/sec
220-..:: Current Bandwith .............: 0.000 KB/sec
220-..:: No Users Logged In .........: 1
220-..:: Max Allowed Users ...........: -1
220-..:: No Total users ................: 1
220-..::
220-...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
220-..::
220-..:: 15992.90 MB free
220-..:: 1 users connected
220-..:: 0.000 KB/sec is in use
220-..::
220 ...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:::...:
421 Maximum session time exceeded - closing.
 
I googled it, both "TCP Port 282" and "Capricorn PubStro" (the keyword), but I got nothing :(

It looks like an FTP server? 220, 421.
Does anyone recognize this?

Thanks.
Sorry for my poor English.
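Reading the banner above by the RFC 959 reply grammar, as an added example (Python, not code from the thread): a line starting "220-" opens a multi-line reply that ends at the first line starting "220 " with the same code, which is what identifies this as an FTP server regardless of the port it listens on; the labelled "..:: Label ....: value" lines are then turned into the statistics the replies in this thread discuss. The sample banner is the quoted Capricorn greeting, trimmed and re-joined where the mail wrapped it, and is embedded here as constructed input.

```python
"""Fingerprint an unknown service by its FTP reply grammar and pull the
statistics out of a Serv-U style pubstro banner."""
import re

# Constructed sample: the Capricorn greeting from the post, trimmed to the
# lines that carry information and re-joined into proper CRLF lines.
SAMPLE_BANNER = "\r\n".join([
    "220-welcome to this capricorn pubstro!",
    "220-..::",
    "220-..:: Current Uptime .................: 37 Days, 9 Hours, 26 Minutes, 24 Seconds",
    "220-..:: Total KB's Uploaded ..........: 94 KB",
    "220-..:: Total KB's Downloaded ......: 0 KB",
    "220-..:: Total File's Uploaded .......: 2",
    "220-..:: Total File's Downloaded .....: 0",
    "220-..:: Max Allowed Users ...........: -1",
    "220-..:: 15992.90 MB free",
    "220 ...:::...:::...:::",
    "421 Maximum session time exceeded - closing.",
]) + "\r\n"

FTP_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
STAT_LINE = re.compile(r"^\.\.::\s*(.+?)\s*\.{2,}\s*:\s*(.+?)\s*$")
FREE_LINE = re.compile(r"^\.\.::\s*([\d.]+)\s*MB free", re.I)


def split_replies(raw):
    """Split control-channel text into (code, [text lines]) tuples.

    RFC 959 section 4.2: a multi-line reply begins 'ddd-text' and ends at the
    first line beginning 'ddd text' with the same code. Intermediate lines may
    or may not repeat the code (the Capricorn banner repeats it)."""
    replies = []
    current = None                      # (code, lines) while inside a multi-line reply
    for line in raw.splitlines():
        m = FTP_LINE.match(line)
        if current is None:
            if not m:
                continue                # noise before any reply
            code, sep, text = m.groups()
            if sep == "-":
                current = (code, [text])
            else:
                replies.append((code, [text]))
        else:
            code, lines = current
            if m and m.group(1) == code and m.group(2) == " ":
                lines.append(m.group(3))
                replies.append((code, lines))
                current = None
            elif m and m.group(1) == code:
                lines.append(m.group(3))
            else:
                lines.append(line)      # continuation line without a code prefix
    if current is not None:
        replies.append(current)         # connection dropped mid-reply
    return replies


def uptime_seconds(text):
    """'37 Days, 9 Hours, 26 Minutes, 24 Seconds' -> total seconds."""
    units = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}
    return sum(int(n) * units[unit.lower()]
               for n, unit in re.findall(r"(\d+)\s*(day|hour|minute|second)s?", text, re.I))


def parse_pubstro_stats(reply_lines):
    """Turn the 'Label ....: value' lines into a dict keyed by normalised label.
    Plain integers (optionally suffixed 'KB') become ints; anything else stays text."""
    stats = {}
    for text in reply_lines:
        m = FREE_LINE.match(text)
        if m:
            stats["free_mb"] = float(m.group(1))
            continue
        m = STAT_LINE.match(text)
        if not m:
            continue
        label = re.sub(r"[^a-z0-9]+", "_", m.group(1).lower().replace("'", "")).strip("_")
        value = m.group(2)
        num = re.match(r"^(-?\d+)(?:\s*KB)?$", value)
        stats[label] = int(num.group(1)) if num else value
    return stats


def fingerprint(raw):
    """Classify raw banner text: FTP if the first complete reply is a 220 greeting."""
    replies = split_replies(raw)
    if not replies or replies[0][0] != "220":
        return {"service": "unknown", "replies": replies}
    stats = parse_pubstro_stats(replies[0][1])
    if "current_uptime" in stats:
        stats["uptime_seconds"] = uptime_seconds(stats["current_uptime"])
    return {"service": "ftp", "stats": stats,
            "closed": any(code == "421" for code, _ in replies[1:])}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_BANNER))
```

The same function applied to a captured banner from a non-FTP port (an SSH identification string, say) returns "unknown", so it can sit in a port-sweep post-processing step: anything answering a bare connect with a 220 greeting is an FTP daemon, whatever port it hides on.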


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


La Poste postscript

This message is confidential. Subject to any agreement concluded in writing
between you and La Poste, its content in no way constitutes a commitment on
the part of La Poste. Any publication, use or distribution, even partial,
must be authorised in advance. If you are not the intended recipient of this
message, please notify the sender immediately.


---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT