[unisog] Hidden Ftp erver

Wells, Cary cary.wells at ualberta.ca
Tue Jun 22 21:20:26 GMT 2004

Yesterday we became aware of a hidden ftp server on our w2k server.  It's
from the co-fusion group and is running on port 9889.  This machine is fully
patched and has SAV that is updated every 2 hours so I can't figure out how
it got there but that's not the problem.  The problem is I can't find the
executable that is running it.  I found the login message that was in the
recycler directory but scans from the cleaner, symantec,pstpatrol have
turned up nothing out of the ordinary.  I do a netstat -a and I can see it
but if I use FPORT or APORT it doesn't show up although telnetting to it
shows it's alive.  I tried psexec to see what was runnin and stopped
everything imaginable and it still didn't die.  Stopped services running, I
stopped processes and this thing keeps going.  If anyone knows of a way to
find what is running it pleas let me know.

Cary Wells

More information about the unisog mailing list