Chuck Rock wrote Sunday, February 01, 2004 15:09 > One of my stupid Windows servers has been hacked, and was > running Serv-U FTP with a login message of "This Pubstro > Hacked By Mediax!" The quote is probably the sig of the crew or person running the Pubstro (duh). > I found what Pubstro's are, but when searching through the > files in the Serv-U folder, I found this in the install.log > > CoDeX-W0rm has infiltrated the system succesfully! This is often the sig of a customized worm function that ran the initial infection. Script kiddies often take standard kits, modify a few things, and insert their own credit line. The modified kits are often intended to evade anti-virus detection. > I did a search on Yahoo and SecurityFocus, and could not find > any results for this. > > Does anyone have any idea what this worm is, or with the info > I've given you, how they got into my system. This happened > around Dec 27th 2003, and I just found it :-( The worm sounds like a component of a botnet - but you will have to do some more forensics to find out. Botnets can use any means at all to spread themselves, but very common methods are password guessing, RPC exploits, and IIS attacks. Check your exposure on that server and examine your logs to see if you might be (or have been) vulnerable to one of those methods. There are zillions (an unspecified large number) of variations of at least dozens of basic botnet kits that script kiddies can use. Once your system has been owned by the worm component of the botnet, you will often find an IRC control channel client such as a renamed mIRC. The IRC client's configuration file often contains the worm component as well if you can decipher the code. Other common components are keyloggers, proxies. A system compromised that long is likely to have a virtual treasure trove of malware on it, and it may be too late to figure out what came in first. Your logs (firewall, system, router, etc) and your current risk exposure are good places to start, though. Anti-virus companies have been good about adding protection against known variations of botnets. Consider submitting as much of the hostile software as you can find to your favorite vendors. At a minimum include the IRC scripts if they exist.