[unisog] Hidden Ftp Server

Sergent, Phil sergent at marshall.edu
Thu Jun 24 13:52:10 GMT 2004


Copyright (c) 1998-2004 Mark Russinovich
Last Updated: May 25, 2004 v8.4


Ever wondered which program has a particular file or directory open? Now
you can find out. Process Explorer shows you information about which
handles and DLLs processes have opened or loaded. 

The Process Explorer display consists of two sub-windows. The top window
always shows a list of the currently active processes, including the
names of their owning accounts, whereas the information displayed in the
bottom window depends on the mode that Process Explorer is in: if it is
in handle mode you'll see the handles that the process selected in the
top window has opened; if Process Explorer is in DLL mode you'll see the
DLLs and memory-mapped files that the process has loaded. Process
Explorer also has a powerful search capability that will quickly show
you which processes have particular handles opened or DLLs loaded. 

The unique capabilities of Process Explorer make it useful for tracking
down DLL-version problems or handle leaks, and provide insight into the
way Windows and applications work.
Phil Sergent                                      MU 
Systems Programmer
Marshall University
Computing Services/Systems Group
Drinko Library 422a
Huntington, WV  25755-5320
304/696-3689 (Desk) 304/696-3601 (FAX)
Email: sergent at marshall.edu
It's not who you are that holds you back, it's who you think you're not.
-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Schumann, Alex
Sent: Wednesday, June 23, 2004 7:18 PM
To: UNIversity Security Operations Group
Subject: RE: [unisog] Hidden Ftp Server

Am I understanding correctly that your goal is to find the ftp server
and kill it, thus 'cleaning' the machine and putting it back into

Root kits, long common in the world of unix, have become just as common
now in the microsoft domain. Once your machine has been compromised by
someone, you _CANNOT_ guarantee it is clean again short of doing a byte
by byte drive comparison with a previous image. You especially cannot
trust anything installed and running on the tainted OS. Once the kernel
has been compromised it can be told to trick any program you run, hide
any files or processes, etc. Nothing is safe because anything you do on
the machine is subject to the operating system, which you cannot trust.

I encourage you to find the exe for curiosity's sake, but be sure to
fdisk that box and re-install before putting it back into production.
There are many very small, very subtle ways for an attacker to leave
himself a path back in otherwise. And of course, don't forget to change all the


       Alex Schumann              
     I.S. Developer/Administrator   ZZZzz    |\      _,,,---,,_
     -Housing & Dining Services          z   /,`.-'`'    -.  ;-;;,_.
     -Residential Network                 zz|,4-  ) )-,_. ,\ (  `'-'
     Oregon State University               '---''(_/--'  `-'\_) 

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
Sent: Tuesday, June 22, 2004 4:20 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Hidden Ftp Server

Yesterday we became aware of a hidden ftp server on our w2k server.
It's from the co-fusion group and is running on port 9889.  This machine
is fully patched and has SAV that is updated every 2 hours so I can't
figure out how it got there but that's not the problem.  The problem is
I can't find the executable that is running it.  I found the login
message that was in the recycler directory but scans from the cleaner,
symantec, pestpatrol have turned up nothing out of the ordinary.  I do a
netstat -a and I can see it but if I use FPORT or APORT it doesn't show
up although telnetting to it shows it's alive.  I tried psexec to see
what was running and stopped everything imaginable and it still didn't
die.  Stopped services running, I stopped processes and this thing keeps
going.  If anyone knows of a way to find what is running it please let me

Cary Wells
unisog mailing list
unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog
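The symptom in the original post (netstat shows the listener, the process-to-port tools do not) is the classic cross-view discrepancy a kernel-level rootkit produces, and it can be checked systematically rather than by eye. The script below is an added example written for this archive page; it is not code from the thread or from Sysinternals. It parses the text of 'netstat -ano', compares each listening port against the socket API view (Get-NetTCPConnection, available on Windows 8 / Server 2012 and later, an assumption here since the original box was Windows 2000) and against the visible process list (Get-Process), and flags ports that the API cannot attribute or whose owning PID is not visible. The sample data is constructed, modelled on the port 9889 case in the thread.

```powershell
# Added example, not from the thread. Cross-view check: a listening port
# that netstat reports but the socket API or process list does not see is
# a candidate for offline investigation, not a machine to keep trusting.

function Get-NetstatListeners {
    param([Parameter(Mandatory)][string]$NetstatText)
    # Expected line shape from 'netstat -ano':
    #   TCP    0.0.0.0:9889    0.0.0.0:0    LISTENING    1234
    foreach ($line in ($NetstatText -split "`r?`n")) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -ge 5 -and $fields[0] -eq 'TCP' -and $fields[3] -eq 'LISTENING') {
            [pscustomobject]@{
                # Take the text after the last colon so IPv6 "[::]:port" also parses
                Port = [int]($fields[1] -replace '^.*:(\d+)$', '$1')
                Pid  = [int]$fields[4]
            }
        }
    }
}

function Compare-PortViews {
    param(
        [Parameter(Mandatory)][string]$NetstatText,
        # Objects with LocalPort and OwningProcess, the shape Get-NetTCPConnection returns
        [Parameter(Mandatory)][object[]]$ApiListeners,
        # Objects with an Id property, the shape Get-Process returns
        [Parameter(Mandatory)][object[]]$Processes
    )
    $apiPorts    = @($ApiListeners | ForEach-Object { [int]$_.LocalPort })
    $visiblePids = @($Processes    | ForEach-Object { [int]$_.Id })

    foreach ($l in Get-NetstatListeners -NetstatText $NetstatText) {
        $reasons = @()
        if ($apiPorts -notcontains $l.Port)   { $reasons += 'port not in API view' }
        if ($visiblePids -notcontains $l.Pid) { $reasons += "owning PID $($l.Pid) not in process list" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Port = $l.Port; Pid = $l.Pid; Finding = ($reasons -join '; ') }
        }
    }
}

# Constructed sample views (not captured from a real host): port 9889 is
# listening according to netstat, but nothing in the API view claims it
# and the PID it names is absent from the process list.
$sampleNetstat = @"
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING       1488
"@
$sampleApi = @(
    [pscustomobject]@{ LocalPort = 135; OwningProcess = 820 },
    [pscustomobject]@{ LocalPort = 445; OwningProcess = 4 }
)
$sampleProcs = @(
    [pscustomobject]@{ Id = 4;   Name = 'System' },
    [pscustomobject]@{ Id = 820; Name = 'svchost' }
)

Compare-PortViews -NetstatText $sampleNetstat -ApiListeners $sampleApi -Processes $sampleProcs |
    Format-Table -AutoSize

# On a live host the same function takes the real views:
# Compare-PortViews -NetstatText (netstat -ano | Out-String) `
#     -ApiListeners (Get-NetTCPConnection -State Listen) `
#     -Processes (Get-Process)
```

A clean result from this check does not prove the box is clean: all three views are produced by the same operating system, which is exactly Alex's point. A discrepancy, on the other hand, is strong evidence, and at that stage the useful next step is imaging the disk and examining it from a trusted system rather than running more tools on the suspect host.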
