[unisog] Hidden Ftp server

Gary Dobbins dobbins at nd.edu
Tue Jun 22 21:45:58 GMT 2004

netstat -ao

This will reveal the PID of the process owning each listening socket.
Take the PID, look in Task Manager, and... there's your process.

A tool like ProcViewer from sysinternals.com is an easy way to see 
what files/handles a process has open.  You may want to do this before 
killing the FTP-serving proc - might be a helpful part of tracking 
down its effects on your filesystem.

Wells, Cary wrote:

> Yesterday we became aware of a hidden ftp server on our w2k server.  It's
> from the co-fusion group and is running on port 9889.  This machine is fully
> patched and has SAV that is updated every 2 hours so I can't figure out how
> it got there but that's not the problem.  The problem is I can't find the
> executable that is running it.  I found the login message that was in the
> recycler directory but scans from the cleaner, Symantec, PestPatrol have
> turned up nothing out of the ordinary.  I do a netstat -a and I can see it
> but if I use FPORT or APORT it doesn't show up although telnetting to it
> shows it's alive.  I tried psexec to see what was running and stopped
> everything imaginable and it still didn't die.  Stopped services running, I
> stopped processes and this thing keeps going.  If anyone knows of a way to
> find what is running it please let me know.
> Thanx 
> Cary Wells
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog


   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
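An added example, not from either poster: a small Python parser that turns the PID column of Windows `netstat -ano` output into a port-to-PID map and flags listeners outside a known-good port baseline, which is the check the reply above is doing by hand. The netstat text and PIDs are constructed; 9889 is the port from the thread.

```python
"""Map listening TCP sockets to their owning PIDs from `netstat -ano` text.

SAMPLE_NETSTAT is a constructed imitation of Windows netstat output, not
captured from the server in the thread; the PIDs are made up.
"""
import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING       1496
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       8
  TCP    10.0.0.5:9889          10.0.0.77:41022        ESTABLISHED     1496
  UDP    0.0.0.0:161            *:*                                    904
"""

# One socket line: proto, local addr:port, remote addr:port, optional state
# (UDP rows have none), then the owning PID.  Banner/header lines don't match.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return a list of (proto, local_port, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rsplit copes with IPv6 locals such as [::]:135 as well as 0.0.0.0:135
        port = int(m.group("local").rsplit(":", 1)[1])
        rows.append((m.group("proto"), port, m.group("state") or "", int(m.group("pid"))))
    return rows


def listeners_by_pid(text):
    """Return {pid: sorted TCP ports that PID is listening on}."""
    found = {}
    for proto, port, state, pid in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING":
            found.setdefault(pid, set()).add(port)
    return {pid: sorted(ports) for pid, ports in found.items()}


def unexpected_listeners(text, expected_ports):
    """PIDs listening on ports outside the baseline, with just those ports."""
    return {pid: [p for p in ports if p not in expected_ports]
            for pid, ports in listeners_by_pid(text).items()
            if any(p not in expected_ports for p in ports)}
```

With a baseline of the ports you expect the box to serve, the returned PID is the one to look up in Task Manager or a handle viewer before killing it.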
