[unisog] Hidden Ftp server

Steven Lee sl8c at unix.mail.virginia.edu
Wed Jun 23 14:44:15 GMT 2004

netstat -o is an option with XP Pro and 2003 but I don't think it's
available in 2k server.

Steven Lee
IS Engineer
UVA Radiology

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Gary Dobbins
Sent: Tuesday, June 22, 2004 5:46 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Hidden Ftp server

netstat -ao

This will reveal the PID of the process owning each listening socket.
Take the PID, look in Task Manager, and....there's your process.

A tool like ProcViewer from sysinternals.com is an easy way to see
what files/handles a process has open.  You may want to do this before
killing the FTP-serving proc - might be a helpful part of tracking
down its effects on your filesystem.

Wells, Cary wrote:

> Yesterday we became aware of a hidden ftp server on our w2k server.
> It's from the co-fusion group and is running on port 9889.  This
> machine is fully patched and has SAV that is updated every 2 hours so
> I can't figure out how it got there but that's not the problem.  The
> problem is I can't find the executable that is running it.  I found
> the login message that was in the recycler directory but scans from
> the cleaner, symantec, pstpatrol have turned up nothing out of the
> ordinary.  I do a netstat -a and I can see it but if I use FPORT or
> APORT it doesn't show up although telnetting to it shows it's alive.
> I tried psexec to see what was running and stopped everything
> imaginable and it still didn't die.  Stopped services running, I
> stopped processes and this thing keeps going.  If anyone knows of a
> way to find what is running it please let me know.
> Thanx
> Cary Wells
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog


   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
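Correlating the PID that `netstat -o` reports with an image name, as an added example that is not part of this thread: a small Python script that parses captured `netstat -ano` and `tasklist /FO CSV` output (XP/2003 and later; Windows 2000's netstat has no `-o`). The sample output below, including the port-9889 listener and its PID, is constructed for the example.

```python
"""Map a listening port to its owning PID and image name from captured
`netstat -ano` and `tasklist /FO CSV` output. Sample output is constructed."""
import csv
import io
import re

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING       1472
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:9889      10.0.0.7:33412         ESTABLISHED     1472
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","836","Console","0","4,812 K"
"svchost.exe","1472","Console","0","3,104 K"
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\w+)\s+)?(\d+)\s*$")

def listeners(netstat_out):
    """Map (proto, port) -> set of PIDs for LISTENING TCP sockets and all UDP sockets."""
    ports = {}
    for line in netstat_out.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not the listener
        ports.setdefault((proto, int(port)), set()).add(int(pid))
    return ports

def image_names(tasklist_out):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(tasklist_out))}

def owner_of(port, proto="TCP", netstat_out=NETSTAT_ANO, tasklist_out=TASKLIST_CSV):
    """Return sorted [(pid, image_name)] for the process(es) bound to port."""
    names = image_names(tasklist_out)
    return sorted((pid, names.get(pid, "<not in tasklist>"))
                  for pid in listeners(netstat_out).get((proto, port), ()))

if __name__ == "__main__":
    for pid, name in owner_of(9889):
        print(f"port 9889 is owned by PID {pid} ({name})")
```

A PID that is absent from the tasklist output is itself worth noting during triage, since a listener whose owner cannot be seen from user mode is what the original poster describes.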
