Educause Security Discussion mailing list archives
Re: Rogue FTP Servers
From: Brian Eckman <eckman () UMN EDU>
Date: Tue, 2 Nov 2004 15:18:49 -0600
Elliott Franklin wrote:
We are experiencing a small number of compromised machines running FTP servers on various non-standard ports. The most recent port used was 6366 and we have located this on 30 machines. I can't find anything on any of the major virus sites to help us understand how this is occurring. Anyone else experiencing something similar?
See my response to the OP in http://seclists.org/lists/incidents/2004/Aug/0039.html for details on something similar to what I expect happened to you. It has probably happened to most if not all of the Universities on this list by now.

A short summary: Someone probably has a list of usernames and passwords for administrative accounts on a bunch of Windows machines on your network. One or more of your compromised machines might still hold a copy of the list(s).

<related>
While the exact techniques shown in the following paper aren't as common anymore (I don't see firedaemon or iroffer often), this is still, IMO, required reading for any University security team:
"XDCC – An .EDU Admin’s Nightmare"
http://www.cs.rochester.edu/~bukys/host/tonikgin/EduHacking.html
</related>

Good luck,
Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.