[unisog] Hidden Ftp Server

Daniel Medina medina at columbia.edu
Tue Jun 22 21:38:29 GMT 2004


I like SecCheck from myNetWatchman

    http://www.mynetwatchman.com/tools/sc/

It gives the 'lsof'-style output you can get with Unix tools, but it's 
by no means simple to interpret the output.  You can check out the case 
studies.

On Tue, Jun 22, 2004 at 03:20:26PM -0600, Wells, Cary wrote:
> Yesterday we became aware of a hidden ftp server on our w2k server.  It's
> from the co-fusion group and is running on port 9889.  This machine is fully
> patched and has SAV that is updated every 2 hours so I can't figure out how
> it got there but that's not the problem.  The problem is I can't find the
> executable that is running it.  I found the login message that was in the
> recycler directory but scans from the cleaner, symantec, pestpatrol have
> turned up nothing out of the ordinary.  I do a netstat -a and I can see it
> but if I use FPORT or APORT it doesn't show up although telnetting to it
> shows it's alive.  I tried psexec to see what was running and stopped
> everything imaginable and it still didn't die.  Stopped services running, I
> stopped processes and this thing keeps going.  If anyone knows of a way to
> find what is running it please let me know.
> 
> Thanx 
> Cary Wells

-- 
Daniel Medina


