[unisog] Hidden Ftp erver

Jon Mitchiner jon.mitchiner at gallaudet.edu
Tue Jun 22 21:39:24 GMT 2004

Try running Process Explorer from sysinternals -- 

This probably can find the process for you..


Wells, Cary wrote:

>Yesterday we became aware of a hidden ftp server on our w2k server.  It's
>from the co-fusion group and is running on port 9889.  This machine is fully
>patched and has SAV that is updated every 2 hours so I can't figure out how
>it got there but that's not the problem.  The problem is I can't find the
>executable that is running it.  I found the login message that was in the
>recycler directory but scans from the cleaner, symantec,pstpatrol have
>turned up nothing out of the ordinary.  I do a netstat -a and I can see it
>but if I use FPORT or APORT it doesn't show up although telnetting to it
>shows it's alive.  I tried psexec to see what was runnin and stopped
>everything imaginable and it still didn't die.  Stopped services running, I
>stopped processes and this thing keeps going.  If anyone knows of a way to
>find what is running it pleas let me know.
>Cary Wells
>unisog mailing list
>unisog at lists.sans.org

More information about the unisog mailing list