Educause Security Discussion mailing list archives
Re: Rogue FTP Servers
From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Tue, 2 Nov 2004 14:09:13 -0500
On Nov 02, 2004, at 13:44, Elliott Franklin wrote:
> We are experiencing a small number of compromised machines running FTP servers on various non-standard ports. The most recent port used was 6366 and we have located this on 30 machines. I can't find anything on any of the major virus sites to help us understand how this is occurring. Anyone else experiencing something similar?

Greetings,

We have been seeing this for the last year and a half or so. Various viruses/trojans/worms/bots run rogue FTP servers on compromised systems.

Recently, we have found that the latest variants of bots are running HackDefender (or something similar) to hide malware and files from the UI, even when running in Safe Mode. Booting the compromised system off of clean media, such as a Knoppix or WindowsPE CD, will allow you to locate the hidden files and identify them with antivirus software.

Good luck.

-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
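
The clean-media check described in the message above can be turned into a cross-view comparison. This is an added example, not part of the original post: it assumes a recursive file listing was saved from the running system (for instance with `dir /s /b /a C:\`) and that the same volume is later mounted from clean media; the function names, mount point and sample file names are hypothetical.

```python
import os
import tempfile

def relative_key(path, root):
    """Path relative to root, forward slashes, lower-cased (Windows names are case-insensitive)."""
    p = path.strip().replace("\\", "/")
    r = root.replace("\\", "/").rstrip("/")
    if p.lower().startswith(r.lower() + "/"):
        p = p[len(r) + 1:]
    return p.lower()

def load_live_listing(text, live_root="C:\\"):
    """Parse a bare recursive listing taken on the running (suspect) system."""
    return {relative_key(line, live_root) for line in text.splitlines() if line.strip()}

def walk_offline(mount_point):
    """Map normalized key -> real path for every file on the volume mounted from clean media."""
    found = {}
    for dirpath, _dirs, files in os.walk(mount_point):
        for name in files:
            full = os.path.join(dirpath, name)
            found[relative_key(full, mount_point)] = full
    return found

def hidden_from_live(live_text, mount_point, live_root="C:\\"):
    """Files present offline but absent from the live view: candidates for hidden files."""
    live = load_live_listing(live_text, live_root)
    offline = walk_offline(mount_point)
    return sorted(full for key, full in offline.items() if key not in live)

def build_sample_volume(root):
    """Constructed sample: two files on disk, one of which the live listing omits."""
    sysdir = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sysdir)
    for name in ("notepad.exe", "hidden_svc.exe"):  # hidden_svc.exe is a made-up name
        open(os.path.join(sysdir, name), "wb").close()

# Constructed live listing (as the suspect OS reported it); the second file is missing.
SAMPLE_LIVE = "C:\\windows\\SYSTEM32\\NOTEPAD.EXE\r\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as mnt:
        build_sample_volume(mnt)
        for path in hidden_from_live(SAMPLE_LIVE, mnt):
            print("not visible on live system:", path)
```

Files that legitimately change between the live listing and the offline boot (temp files, logs) will also show up, so the output is a list of candidates to hand to the antivirus scan, not a verdict.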