[Dshield] mystery FTP server

Jim Peterson JPeterson at prosol-inc.com
Mon Aug 27 20:34:05 GMT 2001


Hello all,

I am new to this list; please tell me if this is an improper post.

Our Win2000 Server was recently hit by Code Red II, defacing our webpage and
copying the CMD.EXE to the Scripts folder as ROOT.EXE.  I patched the server
and removed the executable, but apparently not before the backdoor was used.


I ran a port scanner on my server and all was normal, except for port 33333.
The data I got back from that port was "HAXX0RED Server 3.0 Ready For
Transfer....."

I Telneted to port 33333 and there it was: a stealthy little session whose
process I could NOT find in Taskman anywhere!  I did HELP and it returned a
list of commands which ended in the line:
214 ----=---- Mysterious Ways Of G0D ----=----

The SYST command returned:
MWuahahahahaha, do you Flash(FXP)?

I downloaded Flash(FXP) and tested it, and I can identify it as a process
and kill it, as I could NOT do with my unwelcome intruder.

I would appreciate any info relating to the origin, mechanics, removal, or
any other info about this.

Jim Peterson, MCSE
System Engineer
Professional Solutions, Inc.
Ph: 317-255-1944 x27
Fx: 317-253-4560
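The post's first clue was a port scan that returned an unfamiliar banner on a port the server had no business serving. The script below is an added example, not code from the original message or the DShield list: it banner-grabs a set of ports and flags any listener that is either not on a hypothetical allowlist of expected services or that answers with a banner the expected service would never send. To keep it runnable offline it starts a throwaway local listener that replies with the banner quoted in the post (a constructed sample, not a real backdoor). The `EXPECTED_LISTENERS` table and the regexes in it are assumptions for the demonstration.

```python
import re
import socket
import threading

# Constructed sample: the banner reported in the post, served from a local
# throwaway listener so the audit can be exercised without a real host.
SAMPLE_BANNER = b"HAXX0RED Server 3.0 Ready For Transfer.....\r\n"

# Hypothetical allowlist (assumption): ports this host is expected to serve,
# each with a regex that the legitimate service's greeting should match.
EXPECTED_LISTENERS = {
    21: re.compile(rb"^220 .*FTP"),
    80: re.compile(rb"^HTTP/1\.[01] "),
}


def start_fake_listener(banner=SAMPLE_BANNER, host="127.0.0.1"):
    """Serve one banner to each client on an OS-chosen port; returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stopped = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stopped.set


def grab_banner(host, port, timeout=2.0, max_bytes=256):
    """Connect and return whatever the service volunteers unprompted.
    Empty bytes means the port refused, timed out, or stayed silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(max_bytes)
            except socket.timeout:
                return b""
    except OSError:
        return b""


def assess_listener(port, banner):
    """Return a finding string for a suspicious port, or None if it looks expected."""
    pattern = EXPECTED_LISTENERS.get(port)
    if pattern is None:
        if not banner:
            return None  # closed or silent, and nothing was expected there
        return f"port {port}: listener not in the allowlist; banner={banner!r}"
    if not banner:
        return f"port {port}: expected service did not answer"
    if not pattern.search(banner):
        return f"port {port}: banner does not match the expected service; banner={banner!r}"
    return None


def audit(host, ports):
    """Banner-grab each port and collect findings for unexpected listeners."""
    findings = []
    for port in ports:
        finding = assess_listener(port, grab_banner(host, port))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    port, stop = start_fake_listener()
    for line in audit("127.0.0.1", [port]):
        print(line)
    stop()
```

Run against a real host, the port list would come from a full scan rather than a single port, and a hit like the one above is the cue to tie the socket back to its owning process and binary on the server itself, since the banner alone only tells you something is listening, not what it is.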



