[unisog] Hidden Ftp Server

Allen Barrett sabarrett at harding.edu
Thu Jun 24 14:50:48 GMT 2004


Thank you...this will come in very handy.  :)


----- Original Message ----- 
From: "Sergent, Phil" <sergent at marshall.edu>
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
Sent: Thursday, June 24, 2004 8:52 AM
Subject: RE: [unisog] Hidden Ftp Server


>
>
> Excerpt:
>
> Copyright (c) 1998-2004 Mark Russinovich
> Last Updated: May 25, 2004 v8.4
>
>
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>
> Introduction
> Ever wondered which program has a particular file or directory open? Now
> you can find out. Process Explorer shows you information about which
> handles and DLLs processes have opened or loaded.
>
> The Process Explorer display consists of two sub-windows. The top window
> always shows a list of the currently active processes, including the
> names of their owning accounts, whereas the information displayed in the
> bottom window depends on the mode that Process Explorer is in: if it is
> in handle mode you'll see the handles that the process selected in the
> top window has opened; if Process Explorer is in DLL mode you'll see the
> DLLs and memory-mapped files that the process has loaded. Process
> Explorer also has a powerful search capability that will quickly show
> you which processes have particular handles opened or DLLs loaded.
>
> The unique capabilities of Process Explorer make it useful for tracking
> down DLL-version problems or handle leaks, and provide insight into the
> way Windows and applications work.
>
> Phil Sergent                                      MU
> Systems Programmer
> Marshall University
> Computing Services/Systems Group
> Drinko Library 422a
> Huntington, WV  25755-5320
> 304/696-3689 (Desk) 304/696-3601 (FAX)
> Email: sergent at marshall.edu
> It's not who you are that holds you back, it's who you think you're not.
>
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Schumann, Alex
> Sent: Wednesday, June 23, 2004 7:18 PM
> To: UNIversity Security Operations Group
> Subject: RE: [unisog] Hidden Ftp Server
>
> Am I understanding correctly that your goal is to find the ftp server
> and kill it, thus 'cleaning' the machine and putting it back into
> production?
>
> Rootkits, long common in the world of unix, have become just as common
> now in the Microsoft domain. Once your machine has been compromised by
> someone, you _CANNOT_ guarantee it is clean again short of doing a byte
> by byte drive comparison with a previous image. You especially cannot
> trust anything installed and running on the tainted OS. Once the kernel
> has been compromised it can be told to trick any program you run, hide
> any files or processes, etc. Nothing is safe because anything you do on
> the machine is subject to the operating system, which you cannot trust.
>
> I encourage you to find the exe for curiosity's sake, but be sure to fdisk
> that box and re-install before putting it back into production. There
> are many very small, very subtle ways for an attacker to leave himself a
> path back in otherwise. And of course, don't forget to change all the
> passwords.
>
> http://www.securityfocus.com/news/2879
>
>
>        Alex Schumann
>
>      I.S. Developer/Administrator   ZZZzz    |\      _,,,---,,_
>      -Housing & Dining Services          z   /,`.-'`'    -.  ;-;;,_.
>      -Residential Network                 zz|,4-  ) )-,_. ,\ (  `'-'
>      Oregon State University               '---''(_/--'  `-'\_)
>      http://uhds.oregonstate.edu
>      http://uhds.oregonstate.edu/resnet
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Wells, Cary
> Sent: Tuesday, June 22, 2004 4:20 PM
> To: 'UNIversity Security Operations Group'
> Subject: [unisog] Hidden Ftp Server
>
>
> Yesterday we became aware of a hidden ftp server on our w2k server.
> It's from the co-fusion group and is running on port 9889.  This machine
> is fully patched and has SAV that is updated every 2 hours so I can't
> figure out how it got there but that's not the problem.  The problem is
> I can't find the executable that is running it.  I found the login
> message that was in the recycler directory but scans from the cleaner,
> Symantec, pstpatrol have turned up nothing out of the ordinary.  I do a
> netstat -a and I can see it but if I use FPORT or APORT it doesn't show
> up although telnetting to it shows it's alive.  I tried psexec to see
> what was running and stopped everything imaginable and it still didn't
> die.  Stopped services running, I stopped processes and this thing keeps
> going.  If anyone knows of a way to find what is running it please let me
> know.
>
> Thanx
> Cary Wells
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog




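Cary's symptom (a listener that `netstat -a` shows but FPORT/APORT do not) is the classic cross-view discrepancy that a user-mode rootkit produces when it hooks some enumeration paths but not others. The script below is an added example, not from the thread or from any of the tools named in it: it parses constructed text in the shape of `netstat -an` and FPORT output and reports listening ports that no process claims. The sample output, the port 9889 entry and the process names are all constructed for illustration.

```python
"""Cross-view check for listening ports on a suspect Windows host.

Compares two independent views of the same fact ("what is listening?"):
the socket table as printed by `netstat -an`, and a process-to-port map
in the shape of FPORT output. A listener present in the socket view but
absent from the process view is exactly the discrepancy that hints at
something hiding from per-process enumeration.
"""
import re

# Constructed sample in the shape of `netstat -an` on Windows (not real data).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9889           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.77:51234        ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Constructed sample in the shape of FPORT output (process-to-port mapping).
FPORT_SAMPLE = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process            Port  Proto Path
8     System          -> 445   TCP
412   svchost         -> 135   TCP   C:\\WINNT\\system32\\svchost.exe
1088  inetinfo        -> 21    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
8     System          -> 139   TCP
680   snmp            -> 161   UDP   C:\\WINNT\\system32\\snmp.exe
"""

FPORT_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)")


def parse_netstat(text):
    """Return the set of (proto, port) listeners from netstat output.

    TCP sockets count only in LISTENING state; every bound UDP socket counts,
    since UDP has no listen state. The port is split off with rsplit so that
    IPv6 forms such as [::]:135 are handled as well.
    """
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else None
        if proto == "TCP" and state != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


def parse_fport(text):
    """Return {(proto, port): (pid, process)} from FPORT-style output."""
    mapping = {}
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            pid, proc, port, proto = m.groups()
            mapping[(proto, int(port))] = (int(pid), proc)
    return mapping


def find_discrepancies(netstat_text, fport_text):
    """Diff the two views. 'unattributed' is the interesting list: sockets
    the kernel socket table reports but no process admits to owning."""
    socket_view = parse_netstat(netstat_text)
    process_view = parse_fport(fport_text)
    return {
        "unattributed": sorted(socket_view - set(process_view)),
        "not_in_netstat": sorted(set(process_view) - socket_view),
    }


if __name__ == "__main__":
    result = find_discrepancies(NETSTAT_SAMPLE, FPORT_SAMPLE)
    for proto, port in result["unattributed"]:
        print(f"{proto}/{port} is listening but no process claims it")
```

Run against the constructed samples it flags `TCP/9889` as unattributed, which is the discrepancy Cary describes. The value of the check is the comparison, not either view on its own: both views come from the suspect OS, so agreement between them proves nothing, but a disagreement is a concrete lead for the handle and DLL search Phil suggests with Process Explorer. On later Windows versions `netstat -ano` prints the owning PID directly, so the same diff can be run against a process list instead of a separate mapper.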




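Alex's point is that only a comparison against a known-good image, made from outside the tainted OS, can tell you what actually changed on the box. The following added example (not from the thread, and not any list member's code) shows the manifest-and-diff logic behind such a comparison: hash every file under a root, keep the manifest as the baseline, rehash later and report added, removed and modified paths. The directory tree, file names and contents it builds are constructed for the demonstration; in practice the baseline comes from a trusted image and the second pass runs with the suspect disk mounted from clean boot media.

```python
"""Baseline manifest comparison for a mounted file system.

build_manifest() walks a tree and records a SHA-256 per file;
diff_manifests() reports what differs between two manifests. The demo()
function builds a small constructed tree, takes a baseline, simulates a
few post-compromise changes and returns the diff.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report paths added, removed, or whose content hash changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Create rel under root (directories included) with the given bytes."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a tree, alter it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for the known-good image.
        _write(root, "system32/svchost.exe", b"clean binary")
        _write(root, "system32/ftpsvc.dll", b"clean dll")
        _write(root, "boot.ini", b"[boot loader]")
        baseline = build_manifest(root)

        # Constructed post-compromise changes: a replaced binary, a dropped
        # file under RECYCLER (where Cary found the login banner), a deletion.
        _write(root, "system32/svchost.exe", b"replaced binary")
        _write(root, "RECYCLER/S-1-5-21-CONSTRUCTED/banner.txt", b"220 welcome")
        os.remove(os.path.join(root, "system32", "ftpsvc.dll"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

The diff reports the replaced `system32/svchost.exe` as modified, the new file under `RECYCLER` as added and `system32/ftpsvc.dll` as removed. A content hash catches changes that timestamps and sizes miss, which is why a manifest is the usable form of Alex's "byte by byte" comparison; it still says nothing about what the running kernel was doing, so the finding feeds the rebuild decision rather than replacing it.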