What I know about this is that 'they' use a bug in IIS to get access to the server. Most of the time they will install a Serv-U FTP server and make hidden dirs that cannot be accessed directly by browsing through the directories (dirs like "com1", "lpt1", among others).
The file msudb32.exe doesn't ring a bell to me though :(

> -----Original Message-----
> From: Paul Stewart [mailto:[EMAIL PROTECTED]
> Sent: donderdag 20 februari 2003 P 18:57
> To: [EMAIL PROTECTED]
> Subject: Windows 2000 Server Attacks
>
>
> Hi there..
>
> In the past week we've had a number of Windows 2000 servers
> get hit by someone uploading warez into hidden directories.
> Software seems to get installed that is trying to make
> outbound connections via port 24. We are seeing a whack of
> attempts to connect on various ports ranging between 20000 and 50000.
>
> We have no idea how this person has managed to gain some form
> of access to these servers and are obviously quite concerned.
> The filename of the software that is responsible we believe
> to be msudb32.exe
>
> Does this ring a bell to anyone by chance? A google shows
> only one response via newsgroups and no remedy.
>
> Thanks,
>
> ---
> Paul Stewart
> Network Solutions Specialist
> Nexicom Inc.
> http://www.nexicom.net/
> (705)932-4127 Office
> (705)932-2329 Fax
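
An added example, not part of the original thread: a Python check that walks a directory tree and reports directories named after reserved DOS device names, such as the "com1" and "lpt1" directories mentioned in the reply. It generalizes to the full reserved set (CON, PRN, AUX, NUL, COM1-9, LPT1-9); the function names and the sample root path in the comment are hypothetical.

```python
import os
import re
import sys

# DOS device names that the Win32 layer reserves. The thread names "com1" and
# "lpt1"; the rest of the reserved set is included here as a generalization.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)


def is_reserved_name(component):
    """True if a single path component resolves to a reserved device name."""
    # Win32 ignores trailing dots/spaces and anything after the first dot,
    # so "COM1", "com1." and "lpt1.txt" all map to the device.
    base = component.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return bool(RESERVED.match(base))


def find_reserved_dirs(root):
    """Walk root and return sorted paths of directories with reserved names."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if is_reserved_name(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    # On Windows, pass the root with the \\?\ prefix (for example
    # \\?\D:\some\root, a placeholder path) so the Win32 layer does not
    # rewrite the reserved names during the walk.
    for path in find_reserved_dirs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

Explorer and most tools refuse to open these names, which is why such directories look inaccessible when browsing; a flagged path is a lead for further inspection, not proof of compromise.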