
NAV finds trojan in Serv-U ini file ?

Status
Not open for further replies.

LeBlatt

Programmer
Mar 20, 2002
Since last night, Symantec AV Corporate has quarantined the .ini file for Serv-U FTP server on 2 of my systems, claiming there is a Backdoor.Trojan in it.

Has anyone experienced this?
 
Well, NAV still finds imaginary viruses in the file. I excluded the Serv-U system folder and all is fine.
 
Did you actually install Serv-U on the server?

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Yes, it's been there for years. NAV was installed in November, IMS.
 
You really don't want to ignore any virus warning... What virus is being reported?

For example, the old opaserv virus overwrites the win.ini file on any computer system and unless the win.ini file is deleted, the virus will reinfect immediately.



~ K.I.S.S - Don't make it any more complex than it has to be ~
 
I have a thought: since Serv-U encrypts account passwords in the .ini, such as "hi9E83858DF661F5573541BEC60905AE38", could there be any possibility that an encrypted password matches a virus signature?
 
Is this a new installation of Norton? If not, you say that Serv-U has been there for years... what would make Norton pick up your .ini file all of a sudden?

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Not a reinstall, it happened just after an update.

If you want to try for yourself, paste this in Notepad and save to disk:

[GLOBAL]
Version=4.0.0.4
RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASgAAA0XVDzwQJwIQCFJlYUxJc1R5BFJlYUw=
BlockAntiTimeOut=1
PacketTimeOut=120
AntiHammer=1
AntiHammerBlock=1800
MaxNrUsers=16
AntiHammerWindow=60
BlockFTPBounceAttack=1
OpenFilesDownloadMode=Exclusive
AntiHammerTries=6
LocalSetupPassword=50284C46
ProcessID=1444
[DOMAINS]
Domain1=0.0.0.0|193.252.48.65|21|thor|1|0
[Domain1]
User1=admin|1|0
User2=kireli|1|0
Logfile=C:\serv-u.ftp\log\%Y-%N.log
LogFileRotation=Monthly
Logging=1
SignOn=C:\serv-u.ftp\setup\signon.txt
SignOff=C:\serv-u.ftp\setup\signoff.txt
User3=polaroid|1|0
User4=sages|1|0
LogIPNames=1
LogFileIPNames=1
User5=spindal|1|0
User6=lexel|1|0
User7=KL01|1|0
LogFTPCommands=1
LogFileFTPCommands=1
LogFTPReplies=1
User8=sirus|1|0

Password=hsDD16E1298D7B0BAC61FAD1B51CB23092
HomeDir=c:\serv-u.ftp\kireli
RelPaths=1
HideHidden=1
AlwaysAllowLogin=1
TimeOut=600
MaxNrUsers=5
Note1="Wizard generated account"
Access1=c:\serv-u.ftp\kireli|RWAMLCDP
[USER=sages|1]
Password=kk76EF9DABE69E183DA5B09BF9A95BBE85
HomeDir=c:\serv-u.ftp\sages
RelPaths=1
TimeOut=600
Access1=c:\serv-u.ftp\sages|RWAMLCDP
[USER=polaroid|1]
Password=ty870F20714CE0DACE3EEA17AAC95077BA
HomeDir=c:\serv-u.ftp\polaroid
RelPaths=1
HideHidden=1
AlwaysAllowLogin=1
ChangePassword=1
TimeOut=600
Access1=C:\serv-u.ftp\polaroid|RWAMLCDP
[USER=spindal|1]
Password=nc72A5F5CC0B464794CCAA73254FDD3AE1
HomeDir=c:\serv-u.ftp\spindal
RelPaths=1
TimeOut=600
Access1=c:\serv-u.ftp\spindal|RWAMLP
[USER=admin|1]
Password=hgA6DD38C9A2521051E18F3B61A180E929
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMLCDP
Access2=F:\ftp|RWAMLCDP
[USER=lexel|1]
Password=hp9F1748EE1359CC83F2287ED50432D747
HomeDir=c:\serv-u.ftp\lexel
RelPaths=1
AlwaysAllowLogin=1
ChangePassword=1
TimeOut=600
Access1=c:\serv-u.ftp\lexel|RWAMLP
[USER=KL01|1]
Password=hi9E83858DF661F5573541BEC60905AE38
HomeDir=c:\serv-u.ftp\kwiklink
RelPaths=1
TimeOut=600
Access1=c:\serv-u.ftp\kwiklink|WP
[USER=sirus|1]
Password=yo46C44897085135B6C9DFC04E625312D5
HomeDir=c:\serv-u.ftp\sirus
RelPaths=1
TimeOut=600
Access1=c:\serv-u.ftp\sirus|RWAMLCDP
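To check the hypothesis raised earlier in the thread (that a hashed Password= value in the .ini is what matches a signature), here is an added Python example; it is not from the thread, from Serv-U or from Symantec. A toy substring-signature scanner stands in for the AV engine, and both the signatures and the config values are constructed. It shows the check a practitioner would make against the real scanner too: find which line trips the detector when scanned on its own, then re-scan a copy with the Password= values replaced by a placeholder. If the detection disappears, the hit lies inside the hash and the file is a false positive, not an infection.

```python
"""Toy demonstration of how a hex password hash in a config file can trip a
short byte-pattern signature, and how to narrow a detection down to the
offending line. Signatures and config values are constructed for this example;
none are real Symantec signatures or real Serv-U accounts."""
import re

# Constructed config modelled on a Serv-U style ini (password hashes are made up).
SAMPLE_INI = """[GLOBAL]
Version=4.0.0.4
MaxNrUsers=16
[USER=alice|1]
Password=hi0C3F9A7B00DEADBEEF1122334455667788
HomeDir=c:\\ftp\\alice
[USER=bob|1]
Password=kk55AA1F2E3D4C5B6A79880A1B2C3D4E5F60
HomeDir=c:\\ftp\\bob
"""

# Constructed "signatures": name -> byte pattern. A pattern this short, made of
# hex digits, is exactly the kind that can collide with hex-encoded hashes.
SIGNATURES = {
    "Toy.Backdoor.A": b"DEADBEEF",
    "Toy.Dropper.B": b"evil.exe",
}

def scan(data: bytes, signatures=SIGNATURES):
    """Return [(signature_name, offset)] for every pattern occurrence in data."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return hits

def triggering_lines(text: str, detector=scan):
    """Scan each line in isolation and report the ones that trip the detector.
    With a real AV you would do the same by saving single lines to files."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if detector(line.encode()):
            out.append((lineno, line))
    return out

PASSWORD_RE = re.compile(r"^(Password=)(.*)$", re.MULTILINE)

def redact_passwords(text: str, placeholder: str = "REDACTED") -> str:
    """Replace the hashed password values so the file can be re-scanned;
    if the detection disappears, the hit was inside a password hash."""
    return PASSWORD_RE.sub(lambda m: m.group(1) + placeholder, text)

def hash_is_the_trigger(text: str) -> bool:
    """True if the file trips the detector but the password-redacted copy does not."""
    return bool(scan(text.encode())) and not scan(redact_passwords(text).encode())

if __name__ == "__main__":
    for lineno, line in triggering_lines(SAMPLE_INI):
        print(f"line {lineno} trips the detector: {line}")
    print("hashed password is the trigger:", hash_is_the_trigger(SAMPLE_INI))
```

The redaction step is the part worth keeping: it separates "the scanner matched bytes inside a credential field" from "the file carries something it should not", without deleting or excluding the whole Serv-U folder from scanning.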
 
Hmmm, ok, I've learned something today...

~ K.I.S.S - Don't make it any more complex than it has to be ~
 