[unisog] Hidden Ftp erver

Jeremy Pollack JPollack at sb.business.uconn.edu
Tue Jun 22 22:06:08 GMT 2004

We recently had a couple servers that were hit in a similar way to the
one you described. Patched, updated, etc. But somewhere somehow someone
got in and installed a rootkit. Whether it was a zeroday exploit or a
delay in a certain patch, we did not discover due to lack of resources.
In our case, it was the Hacker Defender rootkit, recompiled with just
enough changes so it was invisible to Symantec AV.

Part of what this rootkit did was make certain ports, processes, file
names and services invisible to the OS. It doesn't matter what tool you
run, if you run it locally it wouldn't let you see them. Running nmap
-sT -v -v -p 1-65535 ip.address.of.box on a remote machine would show
the ports that were being used. In our case the data was in the
x:\system volume information folder.

Here is the thread of my post over on the Incidents mailing list at
Security Focus prompted by this:
Subsequent to that thread there was an excellent thread on incident
response in the same mailing list you could check out as well (probably
more for next time...) here:

The best way to see what is there on the hdd is to boot the machine off
a Linux or Windows PE boot disk. In my case I had problems due to the
SCSI controllers although I was able to make a custom NTFS4DOS boot CD
w/ the right drivers. You can try BartPE (Windows PE customized builder)
or any number of the free Linux boot CDROMS such as Knoppix, Knoppix STD
(Security Tools distro) or Fire+Ice. 

In short, our final solution was to rebuild the servers. Ugly but

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
Sent: Tuesday, June 22, 2004 5:20 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Hidden Ftp erver

Yesterday we became aware of a hidden ftp server on our w2k server.
It's from the co-fusion group and is running on port 9889.  This machine
is fully patched and has SAV that is updated every 2 hours so I can't
figure out how it got there but that's not the problem.  The problem is
I can't find the executable that is running it.  I found the login
message that was in the recycler directory but scans from the cleaner,
symantec,pstpatrol have turned up nothing out of the ordinary.  I do a
netstat -a and I can see it but if I use FPORT or APORT it doesn't show
up although telnetting to it shows it's alive.  I tried psexec to see
what was runnin and stopped everything imaginable and it still didn't
die.  Stopped services running, I stopped processes and this thing keeps
going.  If anyone knows of a way to find what is running it pleas let me

Cary Wells
unisog mailing list
unisog at lists.sans.org
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.

More information about the unisog mailing list