[unisog] Mysterious appearance of Backdoor.RA on Win2K machines

Jeff Bollinger jeff01 at email.unc.edu
Fri Dec 7 21:22:43 GMT 2001


I don't think so, though there was a trojaned FTP server running on port 6820.

Jeff

Gary Flynn wrote:

> Jeff Bollinger wrote:
> >
> > Yes, we have seen this as well.  Note that the Trojan installs s32.exe and the
> > servuFTP.  No idea though as to how it got in yet.
>
> Jeff,
>
> Do you know if the slave.exe process was listening on the default
> port of 4000?
>
> thanks,
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe

--
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc.edu



