Today I spotted a suspicious looking file called login.txt on the c drive of a customers web server. Being the nosey curious type I opened the file and this is what it contained…

Welcome!!!

This server is hacked by This_is_Joepie.
Download with fun and:
DON'T PUBLISH THIS IP ANYWHERE
DON'T REHACK THIS SERVER
DON'T SCAN THIS IP RANGE

Thnx!!!

==========================================
Bandwidth Usage: %ServerKBps KB/sec
Users Connected: %UNow
==========================================
Server Uptime: %ServerDays Days, %ServerHours Hours
==========================================”

I googled This_is_Joepie and, assuming they’re the same person, this seems to be a gaming enthusiast from Holland. I went back to the c drive and ordered the files by last modified date revealing several more interesting files. The most interesting was Servudaemon.ini

[GLOBAL]
Version=3.0.0.17
RegistrationKey=6dYwuCzKYyiSYQm0Hlp0OmDivgW8pyxAM2ZMLSpgg9Ywu+psehNIYwi0Ex4bTweO33ac5V4vRxJZXk8MhblFzGyrF1z1DWbWfzZaVAWW
LocalSetupPassword=45244E5D5D024857420D585F
LocalSetupPortNo=5555
AntiHammer=1
SocketKeepAlive=1
PacketTimeOut=300
BlockAntiTimeOut=1
SocketInlineOOB=1
AntiHammerBlock=1200
AntiHammerWindow=60
SocketRcvBuffer=37376
SocketSndBuffer=37376
BlockFTPBounceAttack=1
OpenFilesUploadMode=Shared
ProcessID=1888

[DOMAINS]
Domain1=0.0.0.0||65101|FTP|1

[Domain1]
ReplyTooMany=Too many leechers....try again later m8!
SignOn=c:\login.txt
DirChangeMesFile=cdir.txt
ReplyHello=Welcome to this hacked server by Razorblade
ReplySYST=Guess
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
MaxNrUsers=15
ReplyHelp=You don't need help, right?!
ReplyNoAnon=NO ANONYMOUS ACCES!! LEAVE!!!
ReplyOffline=Server is down....
User1=master|1|0
User2=leechers|1|0
DirChangeMesFile2=cdir.txt

[USER=master|1]
Password=ts20A63ADD1C5CC3D10C6BCF25C6C7D3C8
HomeDir=c:\
AlwaysAllowLogin=1
ChangePassword=1
TimeOut=600
Maintenance=System
Access1=c:\|RWAMELCDP
Access2=f:\|RWAMELCDP
Access3=d:\|RWAMELCDP
Access4=e:\|RWAMELCDP
Access5=h:\|RWAMELCDP
Access6=g:\|RWAMELCDP
Access7=m:\|RWAMELCDP
Access8=i:\|RWAMELCDP
Access9=h:\|RWAMELCDP

[USER=leechers|1]
Password=gn27FD3D071B1D3F0D55F158DDA003B76C
HomeDir=f:\server
RelPaths=1
HideHidden=1
MaxUsersLoginPerIP=1
TimeOut=600
Access1=f:\server|RLP

Now I guess this person was running some kind of Warez ftp server. I couldn’t locate any services running on the ports mentioned above or any dodgy looking files on the server. Do hackers clean up after themselves? The worrying thing is the the last modified date on these files was back at the start of 2002!