[unisog] Hidden Ftp Server
sl8c at unix.mail.virginia.edu
Wed Jun 23 14:44:15 GMT 2004
netstat -o is an option with XP Pro and 2003 but I don't think it's
available in 2k server.
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Gary Dobbins
Sent: Tuesday, June 22, 2004 5:46 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Hidden Ftp Server
This will reveal the PID of the process owning each listening socket.
Take the PID, look in Task Manager, and... there's your process.
A tool like ProcViewer from sysinternals.com is an easy way to see
what files/handles a process has open. You may want to do this before
killing the FTP-serving proc - might be a helpful part of tracking
down its effects on your filesystem.
Wells, Cary wrote:
> Yesterday we became aware of a hidden ftp server on our w2k server.
> It's from the co-fusion group and is running on port 9889. This
> machine is fully patched and has SAV that is updated every 2 hours so
> I can't figure out how it got there but that's not the problem. The
> problem is I can't find the executable that is running it. I found
> the login message that was in the recycler directory but scans from
> the cleaner, symantec, pstpatrol have turned up nothing out of the
> ordinary. I do a netstat -a and I can see it but if I use FPORT or
> APORT it doesn't show up although telnetting to it shows it's alive.
> I tried psexec to see what was running and stopped everything
> imaginable and it still didn't die. Stopped services running, I
> stopped processes and this thing keeps going. If anyone knows of a
> way to find what is running it please let me know.
> Cary Wells
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies
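The procedure the thread describes (netstat -o to get the PID behind a listening port, then the process and the files it has loaded before killing it) as an added PowerShell example, not code from anyone on the list. It assumes a Windows version whose netstat supports -o (XP Pro / 2003 and later, as noted above) and PowerShell 3.0 or newer; the function name Get-ListeningPortOwner and the Hidden flag are this example's own.

```powershell
# Added example (not from the thread): map each LISTENING TCP port to the process
# that owns it, and flag ports whose owning PID cannot be seen in the process list,
# which is the discrepancy the original poster hit (visible to netstat, not to fport).
# Assumes netstat -o is available (XP Pro / 2003+) and PowerShell 3.0+ (for -notin).
function Get-ListeningPortOwner {
    param(
        # Optional list of ports to restrict the report to, e.g. 9889 from the thread
        [int[]]$Port
    )
    # netstat -ano: all sockets, numeric addresses, owning PID; -p tcp limits to TCP
    $listening = netstat -ano -p tcp | Select-String -Pattern '\sLISTENING\s'
    foreach ($entry in $listening) {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        $fields    = ($entry.Line.Trim() -split '\s+')
        $localPort = [int](($fields[1] -split ':')[-1])   # works for 0.0.0.0:9889 and [::]:9889
        $ownerPid  = [int]$fields[-1]                      # not $PID, which is PowerShell's own PID
        if ($Port -and ($localPort -notin $Port)) { continue }

        # Resolve the PID to a process; a PID that netstat reports but Get-Process
        # cannot find (other than 0) is worth a closer look with a kernel-level tool.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<not in process list>' }
        $path = if ($proc) { $proc.Path } else { $null }
        [pscustomobject]@{
            Port   = $localPort
            PID    = $ownerPid
            Name   = $name
            Path   = $path
            Hidden = ((-not $proc) -and ($ownerPid -ne 0))
        }
    }
}

# Usage: report the port from the thread, then list the modules the owning process
# has loaded before terminating it (the same view Process Explorer's DLL pane gives).
Get-ListeningPortOwner -Port 9889 | Format-List
Get-ListeningPortOwner -Port 9889 | Where-Object Path | ForEach-Object {
    (Get-Process -Id $_.PID).Modules | Select-Object ModuleName, FileName
}
```

Run it elevated so Get-Process can read the image path of processes running as SYSTEM; without that, Path comes back empty even for a perfectly visible process, which should not be confused with the Hidden case.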
unisog mailing list
unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog