"Reptile" server?

Joel Rubin

Does anyone know what the server described in Russian at:

http://www.kaldata.com/forums/index.php?s=f8919bf52c63b2ab9c8d06eb69ebe69d&showtopic=6995

is? I think it's some sort of trojan. It looks a bit like an SMTP
server but, as in the description on the Rooski web site, I can't get
the one I'm investigating to take commands.

The one I'm investigating is at 69.30.157.66:21135 and it came to my
attention because I was spammed through it.

It's also listening at 21286. I think there has to be an SMTP server
or some sort of proxy somewhere.
 
Virus Guy

Joel said:
> The one I'm investigating is at 69.30.157.66:21135
> It's also listening at 21286.

I just ran IP-tools port-scanner on that IP (and added port 21286).

It didn't respond to anything (but it does ping).
 
Joel Rubin

> Does anyone know what the server described in Russian at:
>
> http://www.kaldata.com/forums/index.php?s=f8919bf52c63b2ab9c8d06eb69ebe69d&showtopic=6995
>
> is? I think it's some sort of trojan. It looks a bit like an SMTP
> server but, as in the description on the Rooski web site, I can't get
> the one I'm investigating to take commands.
>
> The one I'm investigating is at 69.30.157.66:21135 and it came to my
> attention because I was spammed through it.
>
> It's also listening at 21286. I think there has to be an SMTP server
> or some sort of proxy somewhere.

I found a new reptile server, 61.0.39.6:12010.
 
Norman L. DeForest

> Does anyone know what the server described in Russian at:
>
> http://www.kaldata.com/forums/index.php?s=f8919bf52c63b2ab9c8d06eb69ebe69d&showtopic=6995
>
> is? I think it's some sort of trojan. It looks a bit like an SMTP
> server but, as in the description on the Rooski web site, I can't get
> the one I'm investigating to take commands.
>
> The one I'm investigating is at 69.30.157.66:21135 and it came to my
> attention because I was spammed through it.
>
> It's also listening at 21286. I think there has to be an SMTP server
> or some sort of proxy somewhere.

Reptile is a web server written in Python.

"SourceForge.net: Project Info - Reptile Web Server"
http://sourceforge.net/projects/reptilews

Connections were very slow when I checked (8 minutes to fetch 3KB of a
Google search page with the final rendered page obviously incomplete
with only a couple of links, the latter truncated in mid-description).
(I suspect a DDoS attack against my ISP's ISP or something similar.)
I was able to get a faster (but still sluggish and requiring three
reloads) response with AltaVista:

AltaVista Search: reptile "web server"
http://www.altavista.com/web/results?itag=ody&q=reptile+"web+server"&kgs=1&kls=0

I found two mentions of vulnerabilities affecting the Reptile Server:

BoWare IT Services - Homepage ["Reptile Server", See vulnerability 6.]
http://boware.nl/secfocusartikel/?subject=security&id=144

Reptile Web Server Remote Denial Of Service Vulnerability
http://www.securityfocus.com/bid/9482

This page was also slow to load (10 minutes for 23KB of 52KB was the most
I got from several attempts to load the page -- most attempts froze at the
2KB or 3KB mark) but Reptile Server is also mentioned here:

infoAnarchy || CodeCon: Day 3 ["Reptile Server"]
http://www.infoanarchy.org/story/2002/2/26/124447/289
 
