[unisog] Hidden Ftp Server

Schumann, Alex Alex.Schumann at oregonstate.edu
Thu Jun 24 00:17:41 GMT 2004

Am I understanding correctly that your goal is to find the ftp server
and kill it, thus 'cleaning' the machine and putting it back into

Root kits, long common in the world of unix, have become just as common
now in the microsoft domain. Once your machine has been compromised by
someone, you _CANNOT_ guarantee it is clean again short of doing a byte
by byte drive comparison with a previous image. You especially cannot
trust anything installed and running on the tainted OS. Once the kernel
has been compromised it can be told to trick any program you run, hide
any files or processes, etc. Nothing is safe because anything you do on
the machine is subject to the operating system, which you cannot trust.

I encourage you to find the exe for curiosity sake, but be sure to fdisk
that box and re-install before putting it back into production. There
are many very small, very subtle ways for an attacker to leave himself a
path back in otherwise. And of course, don't forget to change all the


       Alex Schumann              
     I.S. Developer/Administrator   ZZZzz    |\      _,,,---,,_
     -Housing & Dining Services          z   /,`.-'`'    -.  ;-;;,_.
     -Residential Network                 zz|,4-  ) )-,_. ,\ (  `'-'
     Oregon State University               '---''(_/--'  `-'\_) 
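The reply above argues that only a comparison against a known-good image, made from outside the tainted OS, can be trusted. As an added illustration (not code from the original post or from either correspondent), the following script builds a per-file SHA-256 manifest of a tree and diffs it against a baseline manifest; the assumption is that both trees are read from a trusted environment (for example the suspect disk mounted read-only on a clean machine), since hashes computed on the compromised system are subject to the same kernel that hides the FTP server. The file names and contents in the demo are constructed for the example.

```python
"""Offline baseline comparison: hash every file under a tree and report
what was added, removed or changed relative to a previous manifest.

Added example, not from the original post. Assumes both roots are read
from a trusted system; the sample trees in demo() are constructed."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; any entry in the result is a candidate finding."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write_tree(root, files):
    """Helper for the demo: materialise {relative_path: bytes} under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario: a driver changed and a file dropped in RECYCLER."""
    baseline_files = {
        "WINNT/system32/svchost.exe": b"clean service host",
        "WINNT/system32/drivers/tcpip.sys": b"original driver",
    }
    current_files = {
        "WINNT/system32/svchost.exe": b"clean service host",
        "WINNT/system32/drivers/tcpip.sys": b"original driver, modified",
        "RECYCLER/login.msg": b"220 welcome",
    }
    with tempfile.TemporaryDirectory() as base, \
            tempfile.TemporaryDirectory() as cur:
        _write_tree(base, baseline_files)
        _write_tree(cur, current_files)
        return diff_manifests(build_manifest(base), build_manifest(cur))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

In practice the baseline manifest would be generated from the golden image when the server was built and stored off-box; a hash-only comparison misses changes to metadata and free space, which is why the reply recommends a full image comparison when the stakes warrant it.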

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
Sent: Tuesday, June 22, 2004 4:20 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Hidden Ftp Server

Yesterday we became aware of a hidden ftp server on our w2k server.
It's from the co-fusion group and is running on port 9889.  This machine
is fully patched and has SAV that is updated every 2 hours so I can't
figure out how it got there but that's not the problem.  The problem is
I can't find the executable that is running it.  I found the login
message that was in the recycler directory but scans from the cleaner,
Symantec, pstpatrol have turned up nothing out of the ordinary.  I do a
netstat -a and I can see it but if I use FPORT or APORT it doesn't show
up although telnetting to it shows it's alive.  I tried psexec to see
what was running and stopped everything imaginable and it still didn't
die.  Stopped services running, I stopped processes and this thing keeps
going.  If anyone knows of a way to find what is running it please let me

Cary Wells
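The symptom in the post (netstat -a shows port 9889 LISTENING, but FPORT and APORT attribute no process to it) is itself a usable indicator: the two views come from different code paths, and a listener that one view reports and the other cannot account for points at something hiding from process or socket enumeration. The script below is an added example, not from the original post or from any of the tools named; it parses constructed samples of netstat -a output and of an fport-style port-to-process table and reports every listening TCP port that no process claims. Port 9889 comes from the post; the host name, other ports, PIDs and paths are made up for the demonstration.

```python
"""Cross-view check: TCP listeners per `netstat -a` versus ports that a
per-process port mapper (fport-style table) attributes to a PID.

Added example, not from the original post. Both samples below are
constructed; only port 9889 is taken from the thread."""
import re

# Constructed sample of `netstat -a` output (Windows 2000 layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    srv01:135              srv01:0                LISTENING
  TCP    srv01:445              srv01:0                LISTENING
  TCP    srv01:9889             srv01:0                LISTENING
  TCP    srv01:3389             10.0.0.5:51022         ESTABLISHED
  UDP    srv01:137              *:*
"""

# Constructed sample approximating fport's "Pid Process -> Port Proto Path" table.
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
1234  svchost       ->   135   TCP   C:\WINNT\system32\svchost.exe
8     System        ->   445   TCP
"""


def listening_ports_from_netstat(text):
    """Return the set of TCP ports netstat reports in LISTENING state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # Local address is host:port; take the part after the last colon.
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def ports_claimed_by_processes(text):
    """Return {port: (pid, process_name)} for TCP rows of an fport-style table."""
    claimed = {}
    row = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+TCP\b")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            claimed[int(m.group(3))] = (int(m.group(1)), m.group(2))
    return claimed


def orphan_listeners(netstat_text, fport_text):
    """Ports the socket layer says are listening but no process owns.

    A non-empty result is the discrepancy described in the post and should
    be treated as a hiding indicator, not as tool noise."""
    listening = listening_ports_from_netstat(netstat_text)
    claimed = ports_claimed_by_processes(fport_text)
    return sorted(p for p in listening if p not in claimed)


if __name__ == "__main__":
    for port in orphan_listeners(NETSTAT_SAMPLE, FPORT_SAMPLE):
        print(f"TCP {port} is LISTENING but no process claims it")
```

Because both inputs are produced on the suspect host, an empty result proves nothing (a kernel-level hook can lie to both tools); the check is useful only in the direction the post shows, where the views disagree. An external port scan from another machine gives a third view that the compromised kernel cannot filter.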