Titus
May 23 2005, 01:56 PM
Hello there. As every day, I was checking my comp. for script kiddies' files etc. [I'm running a MySQL server]. I've found this file: *DELETED*. Seems that it was packed by EZIP 1.0 and it's probably a Serv-U modded version [I installed it as a service and later saw it running after reboot]. Strange thing is that it runs on port 21 every time and it disturbs me because I am running FTP too:
Connecting to localhost
Connected to localhost -> IP=localhost PORT=21
220 Unauthorized login attempts are logged.
USER sociald
331 Command Okay
PASS (hidden)
530 Connection Lost
Could anyone help me to find out what file initiates running it on port 21? I tried to unpack it but with no success. Thanks in advance.
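One way to answer "what owns port 21" on a Windows box, as an added example that is not from the thread or any of its posters: parse the output of `netstat -ano` and `tasklist /svc` to map the listening port to its PID, image name and registered service. The sample output below is constructed; the image and service names are placeholders, not the file from the thread.

```python
import re

# Constructed sample of Windows `netstat -ano` output; not taken from the thread.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1088
  TCP    127.0.0.1:21           127.0.0.1:1040         ESTABLISHED     1532
"""

# Constructed sample of `tasklist /svc` output from the same host; the image and
# service names are placeholders, not the file discussed in the thread.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
mysqld-nt.exe                 1088 MySQL
unknown-ftpd.exe              1532 SomeFtpService
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.+?)\s*$")

def listening_pids(netstat_text):
    """Map each TCP port in LISTENING state to the PID that owns the socket."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(1))] = int(m.group(2))
    return ports

def services_by_pid(tasklist_text):
    """Map PID to (image name, [service names]) from `tasklist /svc` output."""
    procs = {}
    for line in tasklist_text.splitlines():
        m = TASK_RE.match(line)  # header and separator lines carry no PID, so they skip
        if not m:
            continue
        image, pid, services = m.group(1), int(m.group(2)), m.group(3)
        procs[pid] = (image, [] if services == "N/A" else [s.strip() for s in services.split(",")])
    return procs

def who_owns_port(port, netstat_text, tasklist_text):
    """Return (pid, image, services) for the listener on `port`, or None if nothing listens."""
    pid = listening_pids(netstat_text).get(port)
    if pid is None:
        return None
    image, services = services_by_pid(tasklist_text).get(pid, ("<pid not in tasklist>", []))
    return pid, image, services
```

Run both commands on the host, feed their output to `who_owns_port(21, ...)`, and the returned image name tells you which executable (and which registered service, if any) holds the port.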
belgther
May 23 2005, 02:14 PM
Normally, if you have an FTP server running, then the FTP port cannot be occupied by another program. The socket used by your FTP server would have to be destroyed before another program could bind and listen on that port.
If you think that the file is suspicious, then rename it first. If everything runs fine, and the file is really a malicious file, then you can delete it.
As far as I know, the Internet Explorer EXE file is not packed at all. So the file could be malicious. Set up a VMware system to analyze it and run a sniffer there. But as I see it, even without analyzing it, the file is malicious.
Partizaan
May 23 2005, 02:54 PM
What size is the file?
Check for additional files like the ini file or TzoLibr.dll.
Titus
May 23 2005, 03:23 PM
I've posted a link to it in a post above. It's 1.28 MB.
dont-staY
May 23 2005, 04:08 PM
I've checked it with Jotti's malware scan. Here are the results:

Seems to be a modded Serv-U version. I think you can unpack EZIP with the PEiD Generic Unpacker Plugin (http://peid.has.it/).
I will run this file on my VMware box and post the results here tomorrow.
nuorder
May 23 2005, 07:52 PM
The republika link is down. Wouldn't it be easier to upload it here?
Edited.
It's up now.
Titus
May 24 2005, 09:07 AM
@dont-staY thx for the help dude. I've been looking for it.

greetz