[unisog] Hidden Ftp erver - what have you found Cary?

Harris, Michael C. HarrisMC at health.missouri.edu
Thu Jun 24 13:29:06 GMT 2004

Two days further down the road what have you found? 
Or have you been forced to rebuilt from scratch/backups with out a full

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
Sent: Tuesday, June 22, 2004 4:20 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Hidden Ftp erver

Yesterday we became aware of a hidden ftp server on our w2k server.
It's from the co-fusion group and is running on port 9889.  This machine
is fully patched and has SAV that is updated every 2 hours so I can't
figure out how it got there but that's not the problem.  The problem is
I can't find the executable that is running it.  I found the login
message that was in the recycler directory but scans from the cleaner,
symantec,pstpatrol have turned up nothing out of the ordinary.  I do a
netstat -a and I can see it but if I use FPORT or APORT it doesn't show
up although telnetting to it shows it's alive.  I tried psexec to see
what was runnin and stopped everything imaginable and it still didn't
die.  Stopped services running, I stopped processes and this thing keeps
going.  If anyone knows of a way to find what is running it pleas let me

Cary Wells
unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list