Educause Security Discussion mailing list archives
Re: Rogue FTP Servers
From: Geoff <leboldug () POST QUEENSU CA>
Date: Tue, 2 Nov 2004 15:35:32 -0500
Daniel Adinolfi wrote:
> On Nov 02, 2004, at 13:44, Elliott Franklin wrote:
>> We are experiencing a small number of compromised machines running FTP servers on various non-standard ports. The most recent port used was 6366

We are going through something similar right now, perhaps 60 computers, though numbers are rising :(

Windows 2k, XP, and 2003 Server affected.

1840 or 4899/tcp some kind of remote control daemon
6358/tcp FTP server
9865/tcp MS Telnetd

FTP Banner
220 Rooted Moron Version 1.00 4 WinSock ready...

[...]

> systems. Recently, we have found that the latest variants of bots are running HackDefender (or something similar) to hide malware and files from the UI, even when running in Safe Mode.

Yes, HackDefender here as C:\WINNT\Config\isplogger.sys

Also seeing cleanlogs.exe.

--
Geoff LeBoldus
Information Technology Services
Systems Programmer

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.