[unisog] Hidden Ftp Server

PaulFM paulfm at me.umn.edu
Thu Jun 24 13:24:29 GMT 2004


As root kits for Windows are so common, I would suggest nuking ANY machine 
that becomes infected with a virus or otherwise compromised (you can save all 
the important data files first). The likelihood that a root kit was 
installed with the virus is just too high to take chances.


Schumann, Alex wrote:
> Am I understanding correctly that your goal is to find the ftp server
> and kill it, thus 'cleaning' the machine and putting it back into
> production?
> 
> Root kits, long common in the world of unix, have become just as common
> now in the microsoft domain. Once your machine has been compromised by
> someone, you _CANNOT_ guarantee it is clean again short of doing a byte
> by byte drive comparison with a previous image. You especially cannot
> trust anything installed and running on the tainted OS. Once the kernel
> has been compromised it can be told to trick any program you run, hide
> any files or processes, etc. Nothing is safe because anything you do on
> the machine is subject to the operating system, which you cannot trust.
> 
> I encourage you to find the exe for curiosity's sake, but be sure to fdisk
> that box and re-install before putting it back into production. There
> are many very small, very subtle ways for an attacker to leave himself a
> path back in otherwise. And of course, don't forget to change all the
> passwords.
> 
> http://www.securityfocus.com/news/2879
> 
> 
>        Alex Schumann              
>                                   
>      I.S. Developer/Administrator   ZZZzz    |\      _,,,---,,_
>      -Housing & Dining Services          z   /,`.-'`'    -.  ;-;;,_.
>      -Residential Network                 zz|,4-  ) )-,_. ,\ (  `'-'
>      Oregon State University               '---''(_/--'  `-'\_) 
>      http://uhds.oregonstate.edu  
>      http://uhds.oregonstate.edu/resnet
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
> Sent: Tuesday, June 22, 2004 4:20 PM
> To: 'UNIversity Security Operations Group'
> Subject: [unisog] Hidden Ftp Server
> 
> 
> Yesterday we became aware of a hidden ftp server on our w2k server.
> It's from the co-fusion group and is running on port 9889.  This machine
> is fully patched and has SAV that is updated every 2 hours so I can't
> figure out how it got there but that's not the problem.  The problem is
> I can't find the executable that is running it.  I found the login
> message that was in the recycler directory but scans from the cleaner,
> Symantec, PestPatrol have turned up nothing out of the ordinary.  I do a
> netstat -a and I can see it but if I use FPORT or APORT it doesn't show
> up although telnetting to it shows it's alive.  I tried psexec to see
> what was running and stopped everything imaginable and it still didn't
> die.  Stopped services running, I stopped processes and this thing keeps
> going.  If anyone knows of a way to find what is running it please let me
> know.
> 
> Thanks 
> Cary Wells
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog

-- 
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort               Email: paulfm at me.umn.edu
- SysAdmin -                   (Information Technology Professional)
Mechanical Engineering         Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
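The symptom Cary describes (netstat lists the port, but the process-oriented tools have nothing to attach it to) is a cross-view discrepancy, and the usual way to hunt for it is to collect the different views and diff them. The script below is an added example written for this archive page; it is not code from any of the posters. It assumes the outputs of "netstat -ano" and "tasklist" (both in the XP-and-later column layout; Windows 2000's netstat has no -o switch, which is why FPORT/APORT were in play) have been saved to text and are analysed offline, and it assumes a scanner on a separate clean host has produced a list of open TCP ports. All three inputs are constructed samples embedded in the block; the names NETSTAT_SAMPLE, TASKLIST_SAMPLE and EXTERNAL_SCAN_OPEN_TCP, and the hidden PID 1604 and port 6666 in them, are invented for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of "netstat -ano" output (assumed XP-or-later format with a
# PID column). PID 1604 is the invented owner of the suspicious port 9889; the
# ESTABLISHED row is there to show that non-listening rows are skipped.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING       1604
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        192.0.2.55:51234       ESTABLISHED     1024
  UDP    0.0.0.0:500            *:*                                    1290
"""

# Constructed sample of "tasklist" output from the same host. Note that PID 1604
# is deliberately absent: this is what a hidden process looks like from here.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
System                           4 Console                    0        212 K
svchost.exe                    812 Console                    0      4,012 K
lsass.exe                     1290 Console                    0      3,588 K
svchost.exe                   1024 Console                    0      5,120 K
"""

# Constructed result of a TCP port scan of the same host run from a clean
# machine. Port 6666 is invented: open on the wire, absent from the local view.
EXTERNAL_SCAN_OPEN_TCP: Set[int] = {135, 139, 445, 3389, 9889, 6666}

Listener = Tuple[str, int, int]  # (protocol, local port, owning PID)

# One tasklist row: image name (may contain spaces), PID, session name,
# session number, memory in K.
TASKLIST_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return (proto, port, pid) for every TCP LISTENING socket and every UDP socket."""
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0]
        port = int(fields[1].rsplit(":", 1)[1])  # rsplit copes with [::]:port too
        if proto == "TCP":
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue
            pid = int(fields[4])
        else:  # UDP rows carry no State column
            if len(fields) != 4:
                continue
            pid = int(fields[3])
        listeners.append((proto, port, pid))
    return listeners


def parse_pids(tasklist_text: str) -> Dict[int, str]:
    """Map PID -> image name for every process the tasklist view admits to."""
    pids: Dict[int, str] = {}
    for line in tasklist_text.splitlines():
        match = TASKLIST_ROW.match(line)
        if match:
            pids[int(match.group("pid"))] = match.group("name")
    return pids


def find_hidden_listeners(netstat_text: str, tasklist_text: str) -> List[Listener]:
    """Listening sockets whose owning PID is missing from the process list.

    A listener with no visible owner (or owned by PID 0, the idle process) is
    exactly the FPORT-shows-nothing symptom from the original post.
    """
    visible = parse_pids(tasklist_text)
    return [l for l in parse_listeners(netstat_text) if l[2] == 0 or l[2] not in visible]


def find_unlisted_open_ports(external_open_tcp: Set[int], netstat_text: str) -> Set[int]:
    """TCP ports an outside scanner finds open that the host's own netstat omits.

    This is the check that does not trust anything on the suspect box: it only
    relies on the packets the box answers, which a kernel rootkit cannot hide
    from a scanner on another machine.
    """
    local_tcp = {port for proto, port, _ in parse_listeners(netstat_text) if proto == "TCP"}
    return external_open_tcp - local_tcp


if __name__ == "__main__":
    for proto, port, pid in find_hidden_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto} port {port} owned by PID {pid}, which is not in tasklist")
    for port in sorted(find_unlisted_open_ports(EXTERNAL_SCAN_OPEN_TCP, NETSTAT_SAMPLE)):
        print(f"TCP port {port} open from outside but missing from local netstat")
```

The first function reproduces Cary's observation mechanically (port 9889 with an owner no process listing admits to); the second is the stronger test, and the one that fits Alex's warning: once the kernel is suspect, netstat and tasklist are both running on top of something that can lie to them, so a clean local diff proves nothing, whereas a port that answers from outside but does not appear locally is hard evidence. Either result points to the same conclusion the thread reaches: image the disk for the investigation, then rebuild.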


