Security Incidents mailing list archives
Re: Port 1975 rogue service
From: "Christopher E. Cramer" <chris.cramer () duke edu>
Date: Thu, 31 Oct 2002 17:00:28 -0500 (EST)
That's an FTP server running on an odd port. Most likely the machine was cracked via some other mechanism (MS-SQL, poor passwords, IIS, etc) and had the FTP server installed in order to distribute copyrighted movies, music, etc.

-chris

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University, Office of Information Technology
253A North Building, Box 90132, Durham, NC 27708-0291
PH: 919-660-7003 FAX: 919-660-7076 CELL: 919-210-0528
PGP Public Key: http://www.duke.edu/~cramer/cramer.pgp

On 31 Oct 2002, William Kintz wrote:
I have discovered a rogue service of some sort running on Port 1975 on one of my Win2000 boxes. Connecting to this port via a telnet gives me the below output. Anyone have any idea what this is?

TIA,
William J Kintz, CISSP, CCNA

<begin screen capture>
220-A Fire_Fly_808 Production
220-
220-
220-
220- °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_ ,°ñ░`░ñ°
220-
220- [ server time is 15:35:37 ]
220- [ server date is Thursday 31 October, 2002 ]
220- [ you are connecting from: XX.XX.XX.XX ]
220-
220- °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_ ,°ñ░`░ñ°
220-
220- [ server stats ]
220- [ pubstro uptime: 4 Days, 13 Hours, 4 Mins ]
220- [ leechers 0ver the last 24 hours: 1699 ]
220- [ leechers logged in: 1783 ]
220- [ current leechers: 2 ]
220- [ kb leeched: 11550405 kb/s ]
220- [ kb filled: 4438567 kb/s ]
220- [ hdd freespace: 768.62 kb ]
220- [ Average Bandwith used: 40.719 ]
220- [ Current Bandwith in use: 16.500 ]
220-
220 °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕╕ ,°ñ░`░ñ°

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
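Added example, not part of the original thread and not code from either poster: a banner-triage helper that recognises the RFC 959 multi-line 220 greeting seen in the capture (continuation lines start "220-", the final line starts "220 "), flags a non-standard port, and pulls out the bracketed statistics. The sample banner is constructed from the capture with the art lines left out; the keyword list and the function names are assumptions.

```python
import re

# Constructed sample modelled on the capture in the post (art lines left out).
SAMPLE_BANNER = (
    "220-A Fire_Fly_808 Production\r\n"
    "220-\r\n"
    "220- [ pubstro uptime: 4 Days, 13 Hours, 4 Mins ]\r\n"
    "220- [ current leechers: 2 ]\r\n"
    "220 ready\r\n"
)
HINTS = ("pubstro", "leech")  # assumption: taken from this one banner's wording
# "[ key: value ]"; the colon must be followed by a space, so clock times
# such as "15:35:37" are not split into a bogus key/value pair.
STAT_RE = re.compile(r"\[\s*([^:\]]+?):\s+([^\]]*?)\s*\]")
FIRST_RE = re.compile(r"^220(?:[- ]|$)")
FINAL_RE = re.compile(r"^220(?: |$)")


def parse_ftp_greeting(raw):
    """Return the greeting's text lines, or None if raw is not a complete
    RFC 959 reply with code 220 ("220-" continuation lines, "220 " last)."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not lines or not FIRST_RE.match(lines[0]):
        return None
    text = []
    for ln in lines:
        if FINAL_RE.match(ln):            # "220 <text>" ends the reply
            return text + [ln[4:].strip()]
        # continuation: normally "220-<text>", but RFC 959 allows bare text
        text.append(ln[4:].strip() if ln.startswith("220-") else ln.strip())
    return None                           # reply never terminated


def triage(port, raw):
    """Summarise a banner grabbed from `port` for an incident ticket."""
    text = parse_ftp_greeting(raw)
    if text is None:
        return {"ftp": False}
    joined = " ".join(text).lower()
    return {
        "ftp": True,
        "nonstandard_port": port != 21,
        "hints": [h for h in HINTS if h in joined],
        "stats": dict(m.groups() for t in text for m in STAT_RE.finditer(t)),
    }


if __name__ == "__main__":
    print(triage(1975, SAMPLE_BANNER))
```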
Current thread:
- Re: Port 1975 rogue service H C (Oct 31)
- <Possible follow-ups>
- Re: Port 1975 rogue service Christopher E. Cramer (Oct 31)
- Fw: Port 1975 rogue service Dean Farrington (Nov 02)
- Re: Port 1975 rogue service Steven M. Christey (Nov 02)
- RE: Port 1975 rogue service Stacy Olivas (Nov 04)
- Re: Port 1975 rogue service H C (Nov 05)