[unisog] Hidden FTP Server

Brian St Denis Bstdenis at csustan.edu
Thu Jun 24 14:33:53 GMT 2004


Some information so far:

I found a log file of a machine exhibiting these characteristics yesterday.
It did an FTP to 141.157.136.22 (using an anonymous login and password) and
retrieved the following 12 files and placed them in the C:\WINNT\system32
folder.  

Wsrv.exe
Cmds2 <-- ftp commands
Reboot.exe
Msnprn.vbs
Iasrap.exe
Iosub.vxd <-- puebstro ftp banner
Fport.exe
Firedaemon.exe <-- install/run win32 applications/files 
Service.exe 
Kill.exe 
Run2.bat <-- could not find on machine 
System.exe <-- could not find on machine

There were also a few malicious files in a c:\temp\system volume folder.

The IP Address goes to Two Way Radio in Cumberland, Maryland.

Another machine I had found was done differently.  I found a log file with
IP Addresses that were scanned from our entire Class B network with TCP port
135 open.  The two suspicious files that I found dealing with this were
wtb.exe (Exploit.Win32.WebDav.n) and loadqmt.exe (Backdoor.Winshell.50).
All of these machines are supposedly fully patched with updated McAfee or
Norton virus definitions.  Kaspersky Labs was able to identify the last two
files. 

Anyway, I will be analyzing the files more today.  I will pass on any
useful information.


Brian St. Denis
California State University Stanislaus



-----Original Message-----
From: Wells, Cary [mailto:cary.wells at ualberta.ca] 
Sent: Tuesday, June 22, 2004 2:20 PM
To: 'UNIversity Security Operations Group'
Subject: [unisog] Hidden FTP Server


Yesterday we became aware of a hidden ftp server on our w2k server.  It's
from the co-fusion group and is running on port 9889.  This machine is fully
patched and has SAV that is updated every 2 hours, so I can't figure out how
it got there, but that's not the problem.  The problem is I can't find the
executable that is running it.  I found the login message that was in the
recycler directory, but scans from The Cleaner, Symantec and PestPatrol have
turned up nothing out of the ordinary.  I do a netstat -a and I can see it,
but if I use FPORT or APORT it doesn't show up, although telnetting to it
shows it's alive.  I tried psexec to see what was running and stopped
everything imaginable and it still didn't die.  I stopped services, I
stopped processes, and this thing keeps going.  If anyone knows of a way to
find what is running it, please let me know.

Thanx 
Cary Wells
_______________________________________________
unisog mailing list
unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog
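The question in the original post is how to find what is behind a listener that netstat shows but process-oriented tools (FPORT, APORT) do not. As an added example, not taken from either message in this thread, the script below cross-references the socket table against the process list and flags any listening socket whose owning PID has no visible process, which is exactly the mismatch described above. It assumes a Windows version whose `netstat -ano` prints the owning PID (the `-o` switch is not available on the Windows 2000 host in the post) and `tasklist /fo csv /nh` for the process list; both captures embedded here are constructed samples, not real output, and the hidden PID and port 9889 in them are chosen to mirror the thread.

```python
"""Cross-check listening sockets against the visible process list.

Added example, not from the unisog thread. Parses constructed samples of
`netstat -ano` and `tasklist /fo csv /nh` output and reports listeners
whose owning PID is absent from the process list.
"""
import csv
import io

# Constructed sample of `netstat -ano` output (not a real capture).
# PID 1492 behind port 9889 deliberately has no matching process below.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING       1492
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.9:50211         ESTABLISHED     1012
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output (not a real capture).
TASKLIST_SAMPLE = """\
"System","4","Services","0","236 K"
"svchost.exe","716","Services","0","5,120 K"
"svchost.exe","1012","Services","0","8,340 K"
"explorer.exe","1380","Console","1","21,004 K"
"""


def parse_netstat(text):
    """Parse `netstat -ano` output into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, foreign = tokens[0], tokens[1], tokens[2]
        # UDP rows have no State column, so the PID is always the last token.
        state = tokens[3] if len(tokens) == 5 else ""
        port = int(local.rsplit(":", 1)[1])  # works for IPv4 and [::]:port
        sockets.append({"proto": proto, "local": local, "port": port,
                        "foreign": foreign, "state": state,
                        "pid": int(tokens[-1])})
    return sockets


def parse_tasklist(text):
    """Parse `tasklist /fo csv /nh` output into a {pid: image name} map."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def is_listener(sock):
    """TCP sockets in LISTENING state and every bound UDP socket."""
    return sock["proto"] == "UDP" or sock["state"] == "LISTENING"


def find_hidden_listeners(netstat_text, tasklist_text):
    """Return listeners whose owning PID does not appear in the process list."""
    procs = parse_tasklist(tasklist_text)
    return [s for s in parse_netstat(netstat_text)
            if is_listener(s) and s["pid"] not in procs]


def report(netstat_text, tasklist_text):
    """One line per listener: protocol, local address, PID and image name."""
    procs = parse_tasklist(tasklist_text)
    lines = []
    for s in parse_netstat(netstat_text):
        if not is_listener(s):
            continue
        image = procs.get(s["pid"], "<no visible process>")
        lines.append(f'{s["proto"]:4} {s["local"]:22} pid={s["pid"]:<6} {image}')
    return lines


if __name__ == "__main__":
    for line in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(line)
    for s in find_hidden_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'SUSPECT: {s["proto"]} port {s["port"]} owned by PID {s["pid"]} '
              "has no process in tasklist")
```

On a live host, feed it the real output (`netstat -ano > ns.txt`, `tasklist /fo csv /nh > tl.txt`) instead of the samples. A listener with a PID that tasklist cannot see is the user-mode symptom of a hidden process; if both tools are being lied to by a hooked API or a kernel driver, the mismatch may not appear at all, so confirm the listener with a port scan from a second machine and take the disk offline for analysis rather than trusting the infected host's own view of itself.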


