Real Server Hacks

Gary Flynn flynngn at
Fri Aug 29 14:15:45 GMT 2003

We had two Windows systems running RealServer hacked.
Don't really know how they got in but there have been
reports on the SecurityFocus Incidents list about
a 0-day for RealServer. RealNetworks acknowledged the

The workaround from RealNetworks to prevent the
defect being exploited until they provide a patch
or upgrade is to remove a file. That file was not
present when the Administrator checked for it but
was present on the last backup. I've only taken a
cursory look at one of the systems this morning. It
was running a ServU FTP daemon on port 4555 from
WINNT\system32\pwnd\pkstart.exe. It was placed there
at 10:57 AM on Wednesday August 27.

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
