[unisog] Hidden Ftp Server

Harris, Michael C. HarrisMC at health.missouri.edu
Tue Jun 22 22:00:19 GMT 2004

We found the same symptoms you describe, but also outbound port 445.

Newer NAV definitions after 6/20 rev 9 or 6/21 detected Korgo.P.
It was not detected by earlier definition sets at all and was a randomly
named .exe.

The process id was very low (like 4) and was not detectable with the
process monitors people are recommending.

I got the process id from Fport detecting the outbound scanning, but
could not kill the process or remove it.
When disconnected from the network Fport did not see the process either.
But when connected and scanning to replicate, 10 threads of a low-numbered
unnamed process were present.


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
Sent: Tuesday, June 22, 2004 4:20 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Hidden Ftp Server

Yesterday we became aware of a hidden ftp server on our w2k server.
It's from the co-fusion group and is running on port 9889.  This machine
is fully patched and has SAV that is updated every 2 hours, so I can't
figure out how it got there, but that's not the problem.  The problem is
I can't find the executable that is running it.  I found the login
message that was in the recycler directory, but scans from the cleaner,
Symantec, PestPatrol have turned up nothing out of the ordinary.  I do a
netstat -a and I can see it, but if I use FPORT or APORT it doesn't show
up, although telnetting to it shows it's alive.  I tried psexec to see
what was running and stopped everything imaginable and it still didn't
die.  Stopped services running, I stopped processes and this thing keeps
going.  If anyone knows of a way to find what is running it please let me

Cary Wells
unisog mailing list
unisog at lists.sans.org
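The two symptoms in this thread (a port that netstat -a shows LISTENING but FPORT/APORT cannot tie to any process, and a burst of outbound connections to port 445 while the worm scans) can both be pulled out of plain tool output with a cross-view comparison. The script below is an added example, not code from the thread or from either poster: it parses a constructed sample of Windows `netstat -an` output and a constructed approximation of FPort's column layout (pid, process, `->`, port, proto, path), reports bound ports that FPort attributes to no PID, and flags many half-open (SYN_SENT) connections to port 445 on distinct hosts. The threshold of 8 targets is an assumption, not a number from the thread.

```python
# Added example (not code from the unisog thread): compare the socket view
# from `netstat -an` with FPort's process-to-port view, and look for the
# outbound port 445 scanning described in the reply.
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample of Windows `netstat -an` output (not captured data).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1040          10.9.8.1:445           SYN_SENT
  TCP    10.1.2.3:1041          10.9.8.2:445           SYN_SENT
  TCP    10.1.2.3:1042          10.9.8.3:445           SYN_SENT
  TCP    10.1.2.3:1043          10.9.8.4:445           SYN_SENT
  TCP    10.1.2.3:1044          10.9.8.5:445           SYN_SENT
  TCP    10.1.2.3:1045          10.9.8.6:445           SYN_SENT
  TCP    10.1.2.3:1046          10.9.8.7:445           SYN_SENT
  TCP    10.1.2.3:1047          10.9.8.8:445           SYN_SENT
  TCP    10.1.2.3:1048          10.9.8.9:445           SYN_SENT
  TCP    10.1.2.3:1049          10.9.8.10:445          SYN_SENT
  TCP    10.1.2.3:1050          10.1.2.9:445           ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed approximation of FPort output: pid process -> port proto path.
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   UDP
"""


def _split_addr(addr):
    """'10.1.2.3:445' -> ('10.1.2.3', 445); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -an` rows into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        lip, lport = _split_addr(fields[1])
        rip, rport = _split_addr(fields[2])
        state = fields[3] if len(fields) > 3 else ""  # UDP rows carry no state
        sockets.append(Socket(fields[0], lip, lport, rip, rport, state))
    return sockets


def parse_fport(text):
    """Parse FPort rows into {(proto, port): pid}; non-data rows are skipped."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].isdigit() and fields[2] == "->":
            mapping[(fields[4], int(fields[3]))] = int(fields[0])
    return mapping


def hidden_listeners(sockets, fport_map):
    """Bound ports that netstat reports but FPort attributes to no process.

    This mismatch between two views of the same host is the thread's
    symptom: netstat -a shows 9889 listening, FPORT/APORT show no owner.
    """
    found = set()
    for s in sockets:
        bound = s.proto == "UDP" or s.state == "LISTENING"
        if bound and (s.proto, s.local_port) not in fport_map:
            found.add((s.proto, s.local_port))
    return sorted(found)


def syn_sent_targets(sockets, dst_port=445):
    """Distinct remote hosts with a half-open TCP connection to dst_port."""
    return sorted({s.remote_ip for s in sockets
                   if s.proto == "TCP" and s.state == "SYN_SENT"
                   and s.remote_port == dst_port})


def looks_like_scan(sockets, dst_port=445, threshold=8):
    """Half-open connections to one port on many hosts at once is worm-style
    scanning rather than normal SMB use; the threshold is an assumed value."""
    return len(syn_sent_targets(sockets, dst_port)) >= threshold


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    fmap = parse_fport(FPORT_SAMPLE)
    print("bound ports with no owning process:", hidden_listeners(socks, fmap))
    print("hosts with SYN_SENT to 445:", syn_sent_targets(socks))
    print("scanning?", looks_like_scan(socks))
```

The check only works as long as at least one of the two views is honest; a kernel-level hook can filter netstat just as easily as it filters FPort. The view that cannot be faked from inside the box is the one Cary already used without naming it as such: a connection attempt from another machine (the telnet to 9889) or a port scan from outside, compared against what the host reports about itself.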
