[unisog] Hidden Ftp Server

Julian Y. Koh kohster at northwestern.edu
Tue Jun 22 21:34:27 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 15:20 -0600 06/22/2004, Wells, Cary wrote:
>The problem is I can't find the
>executable that is running it.  I found the login message that was in the
>recycler directory but scans from the cleaner, symantec, pstpatrol have
>turned up nothing out of the ordinary.  I do a netstat -a and I can see it
>but if I use FPORT or APORT it doesn't show up although telnetting to it
>shows it's alive.

Try Microsoft's Port Reporter tool.  We've had a lot of great success with
it.

Also note that some of these latest pubstro compromises attach the FTP server
to an existing process.  We had an admin who was convinced that the Veritas
backup agent was hacked because the FTP server was attached to that process.
Very nasty.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: <http://bunnytoaster.ittns.northwestern.edu/julian/pgppubkey.html>

iQA/AwUBQNiX0w5UB5zJHgFjEQK3rQCg/mwYgwX09eDFtf/Ha6iygcfxJrUAn3FU
ZNYkZNJqoyeF6BlIQnxTt+sT
=FNv7
-----END PGP SIGNATURE-----

-- 
Julian Y. Koh                                 <mailto:kohster at northwestern.edu>
Network Engineer                                           <phone:847-467-5780>
Telecommunications and Network Services                 Northwestern University
PGP Public Key:<http://bunnytoaster.nsg.northwestern.edu/julian/pgppubkey.html>


