[unisog] Hidden Ftp server - what have you found Cary?
Harris, Michael C.
HarrisMC at health.missouri.edu
Thu Jun 24 13:29:06 GMT 2004
Two days further down the road, what have you found?
Or have you been forced to rebuild from scratch/backups without a full
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
Sent: Tuesday, June 22, 2004 4:20 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Hidden Ftp server
Yesterday we became aware of a hidden ftp server on our w2k server.
It's from the co-fusion group and is running on port 9889. This machine
is fully patched and has SAV that is updated every 2 hours, so I can't
figure out how it got there, but that's not the problem. The problem is
I can't find the executable that is running it. I found the login
message that was in the recycler directory, but scans from the cleaner,
Symantec, PestPatrol have turned up nothing out of the ordinary. I do a
netstat -a and I can see it, but if I use FPORT or APORT it doesn't show
up, although telnetting to it shows it's alive. I tried psexec to see
what was running and stopped everything imaginable and it still didn't
die. Stopped services running, I stopped processes and this thing keeps
going. If anyone knows of a way to find what is running it please let me
unisog mailing list
unisog at lists.sans.org
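The discrepancy Cary describes (a listener that netstat reports but FPORT/APORT cannot attribute to a process) is a cross-view check that can be scripted as a diff of the two views. The following is an added example, not code from the thread; it parses constructed sample output in the style of Windows `netstat -an` and FPort (the FPort column layout is assumed) and returns the listening TCP ports that no process claims, which are candidates for a hidden process and warrant examining the host offline.

```python
import re
from typing import Dict, Set

# Constructed sample of Windows `netstat -an` output (socket-table view).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.9:1044          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample in the style of FPort's port-to-process listing
# (process-enumeration view). Column layout is assumed, not copied from the tool.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
864   termsrv        ->  3389  TCP   C:\\WINNT\\system32\\termsrv.exe
"""


def listening_tcp_ports(netstat_text: str) -> Set[int]:
    """TCP ports in LISTENING state according to the socket table."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def mapped_tcp_ports(fport_text: str) -> Dict[int, str]:
    """TCP port -> process name as reported by the port-to-process mapper."""
    mapping = {}
    for line in fport_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+TCP", line)
        if m:
            mapping[int(m.group(3))] = m.group(2)
    return mapping


def unattributed_ports(netstat_text: str, fport_text: str) -> list:
    """Listening ports the socket table shows but no enumerated process owns."""
    return sorted(listening_tcp_ports(netstat_text) - set(mapped_tcp_ports(fport_text)))
```

Run against live output of both tools on the suspect host, the same diff flags a listener that only the socket table sees, as happened with port 9889 here.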