[unisog] Hidden Ftp Server

Wells, Cary cary.wells at ualberta.ca
Thu Jun 24 14:42:49 GMT 2004


Well it is a rootkit.  I found it by using filemon. Nothing else could find
it. The application is hidden but is called MSIintskmngr.exe and the ini is
mspaintfixed.tmp.  It must be hooked into explorer.exe so the machine has to
be scrapped and rebuilt. Pain in the ass 'cause it's my main server but it's
gotta be done.  Thanks to all that helped.

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of PaulFM
Sent: Thursday, June 24, 2004 7:24 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Hidden Ftp Server

As root kits for Windows are so common, I would suggest nuking ANY machine
that becomes infected with a virus or otherwise compromised (you can save
all the important data files first).   The likelihood that a root-kit was
installed with the virus is just too high to take chances.


Schumann, Alex wrote:
> Am I understanding correctly that your goal is to find the ftp server
> and kill it, thus 'cleaning' the machine and putting it back into
> production?
> 
> Root kits, long common in the world of unix, have become just as common
> now in the microsoft domain. Once your machine has been compromised by
> someone, you _CANNOT_ guarantee it is clean again short of doing a byte
> by byte drive comparison with a previous image. You especially cannot
> trust anything installed and running on the tainted OS. Once the kernel
> has been compromised it can be told to trick any program you run, hide
> any files or processes, etc. Nothing is safe because anything you do on
> the machine is subject to the operating system, which you cannot trust.
> 
> I encourage you to find the exe for curiosity's sake, but be sure to fdisk
> that box and re-install before putting it back into production. There
> are many very small, very subtle ways for an attacker to leave himself a
> path back in otherwise. And of course, don't forget to change all the
> passwords.
> 
> http://www.securityfocus.com/news/2879
> 
> 
>        Alex Schumann              
>                                   
>      I.S. Developer/Administrator   ZZZzz    |\      _,,,---,,_
>      -Housing & Dining Services          z   /,`.-'`'    -.  ;-;;,_.
>      -Residential Network                 zz|,4-  ) )-,_. ,\ (  `'-'
>      Oregon State University               '---''(_/--'  `-'\_) 
>      http://uhds.oregonstate.edu  
>      http://uhds.oregonstate.edu/resnet
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
> Sent: Tuesday, June 22, 2004 4:20 PM
> To: 'UNIversity Security Operations Group'
> Subject: [unisog] Hidden Ftp Server
> 
> 
> Yesterday we became aware of a hidden ftp server on our w2k server.
> It's from the co-fusion group and is running on port 9889.  This machine
> is fully patched and has SAV that is updated every 2 hours so I can't
> figure out how it got there but that's not the problem.  The problem is
> I can't find the executable that is running it.  I found the login
> message that was in the recycler directory but scans from the cleaner,
> Symantec, PestPatrol have turned up nothing out of the ordinary.  I do a
> netstat -a and I can see it but if I use FPORT or APORT it doesn't show
> up although telnetting to it shows it's alive.  I tried psexec to see
> what was running and stopped everything imaginable and it still didn't
> die.  Stopped services running, I stopped processes and this thing keeps
> going.  If anyone knows of a way to find what is running it please let me
> know.
> 
> Thanx 
> Cary Wells
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog

-- 
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort               Email: paulfm at me.umn.edu
- SysAdmin -                   (Information Technology Professional)
Mechanical Engineering         Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
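The symptom Cary describes (the port shows up in `netstat -a` and answers a telnet, but FPORT and APORT report no owning process) is the classic cross-view discrepancy that betrays a hidden listener: the socket table and the process-to-port table disagree because one of them is being filtered. The script below is an added example, not code posted by anyone in this thread, that automates that comparison. It parses constructed, Windows 2000-style `netstat -an` output and constructed FPORT-style output, optionally folds in the ports seen by an external scan from another host (the view a kernel rootkit cannot filter), and reports every listener that no process admits to owning. The sample output, addresses and port numbers are made up for illustration; the function names are this example's own.

```python
"""Cross-view diff for hidden listeners (added example, not from the thread).

Compare the sockets `netstat -an` shows as listening with the port->process
mapping a tool such as FPORT reports, plus (optionally) the ports an external
scanner saw from another host. A port present in the socket or external view
but absent from the process view has no owner that the OS will admit to,
which is exactly the discrepancy a user-mode or kernel rootkit produces.
All sample output below is constructed for illustration.
"""
import re

# Constructed `netstat -an` output in Windows 2000 format.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.7:1102          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed FPORT-style output: "Pid Process -> Port Proto Path".
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
388   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
8     System         ->  445   UDP
"""

# Constructed result of scanning the same host from a second machine.
EXTERNAL_SCAN_SAMPLE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 9889)}


def parse_netstat_listeners(text):
    """Return a set of (proto, port) for sockets netstat shows as listening.

    UDP lines carry no state column, so every bound UDP socket counts;
    TCP sockets count only when their state is LISTENING."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header line or blank
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # established/time-wait sockets are not listeners
        listeners.add((proto, port))
    return listeners


def parse_fport_owners(text):
    """Return {(proto, port): (pid, process_name)} from FPORT-style output."""
    owners = {}
    pattern = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            pid, proc, port, proto = m.groups()
            owners[(proto, int(port))] = (int(pid), proc)
    return owners


def hidden_listeners(netstat_text, fport_text, external_scan=()):
    """Listeners with no owning process in the process-level view.

    The socket view (netstat) and the external view (a scan from another
    host) are unioned, since a kernel-level hook may filter netstat too.
    Returns a sorted list of (proto, port)."""
    seen = parse_netstat_listeners(netstat_text) | set(external_scan)
    owners = parse_fport_owners(fport_text)
    return sorted(l for l in seen if l not in owners)


if __name__ == "__main__":
    for proto, port in hidden_listeners(NETSTAT_SAMPLE, FPORT_SAMPLE,
                                        EXTERNAL_SCAN_SAMPLE):
        print(f"{proto}/{port}: listening, but no process claims it")
```

Against the constructed samples the only unowned listener is TCP/9889, the port from Cary's original report. The external-scan view matters most: FPORT and APORT run on the suspect host and ask the same compromised OS, so once a kernel hook is in place even `netstat` can lie, and only a view taken from a machine the attacker does not control is trustworthy. That is the reason the thread's advice is to pull the data off and rebuild rather than to keep hunting the executable on the live system.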
