Educause Security Discussion mailing list archives

Re: Rogue FTP Servers


From: Geoff <leboldug () POST QUEENSU CA>
Date: Tue, 2 Nov 2004 15:35:32 -0500

Daniel Adinolfi wrote:
> On Nov 02, 2004, at 13:44, Elliott Franklin wrote:
>
>> We are experiencing a small number of compromised machines running FTP
>> servers on various non-standard ports.  The most recent port used was
>> 6366

We are going through something similar right now, perhaps 60 computers,
though numbers are rising :(  Windows 2k, XP, and 2003 Server affected.

1840 or 4899/tcp some kind of remote control daemon
6358/tcp FTP server
9865/tcp MS Telnetd

FTP Banner
220 Rooted Moron Version 1.00 4 WinSock ready...

[...]
> systems.  Recently, we have found that the latest variants of bots are
> running HackDefender (or something similar) to hide malware and files
> from the UI, even when running in Safe Mode.

Yes, HackDefender here as C:\WINNT\Config\isplogger.sys
Also seeing cleanlogs.exe.


--
Geoff LeBoldus                     Information Technology Services
Systems Programmer
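
An added triage example, not part of the original message or of any poster's tooling: it takes banner-grab records from a sweep of your own network and flags FTP greetings on ports other than 21, plus listeners on the ports reported in this thread. The record format, function names and sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports reported in the thread above; labels are the posters' own descriptions.
REPORTED_PORTS = {1840: "remote control daemon", 4899: "remote control daemon",
                  6358: "FTP server", 6366: "FTP server", 9865: "MS Telnetd"}
# RFC 959 greeting: "220 text", or "220-text" for a multi-line reply.
FTP_GREETING = re.compile(r"^220[ -]")
# SMTP servers also greet with 220, so skip banners that identify as mail.
SMTP_HINT = re.compile(r"\b(E?SMTP|mail)\b", re.IGNORECASE)

def triage(records):
    """records: iterable of (host, port, banner) tuples (assumed format).
    Returns {host: [finding, ...]} for hosts that warrant a closer look."""
    findings = defaultdict(list)
    for host, port, banner in records:
        banner = (banner or "").strip()
        if port != 21 and FTP_GREETING.match(banner) and not SMTP_HINT.search(banner):
            findings[host].append(f"FTP greeting on non-standard port {port}: {banner!r}")
        elif port in REPORTED_PORTS:
            findings[host].append(f"listener on reported port {port} ({REPORTED_PORTS[port]})")
    return dict(findings)

def multi_indicator_hosts(findings):
    """Hosts with two or more findings, e.g. rogue FTP plus a remote-control port."""
    return sorted(h for h, f in findings.items() if len(f) >= 2)

# Constructed sample sweep output (documentation addresses, not real data).
SAMPLE = [
    ("192.0.2.10", 21, "220 ProFTPD Server ready."),
    ("192.0.2.11", 6358, "220 Rooted Moron Version 1.00 4 WinSock ready..."),
    ("192.0.2.11", 4899, ""),
    ("192.0.2.12", 25, "220 mx.example.edu ESMTP Postfix"),
    ("192.0.2.13", 2121, "220-Welcome\r\n220 ready"),
    ("192.0.2.14", 9865, "Welcome to Microsoft Telnet Service"),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for host, items in sorted(result.items()):
        print(host, *items, sep="\n  ")
    print("multiple indicators:", multi_indicator_hosts(result))
```

Because the rootkit described above hides files from the local UI, a network-side check like this one does not depend on what the affected host reports about itself.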
