Educause Security Discussion mailing list archives

Re: Rogue FTP Servers


From: Brian Eckman <eckman () UMN EDU>
Date: Tue, 2 Nov 2004 15:18:49 -0600

Elliott Franklin wrote:

> We are experiencing a small number of compromised machines running FTP
> servers on various non-standard ports.  The most recent port used was 6366
> and we have located this on 30 machines.  I can't find anything on any of
> the major virus sites to help us understand how this is occurring.  Anyone
> else experiencing something similar?

See my response to the OP in
http://seclists.org/lists/incidents/2004/Aug/0039.html for details on
something similar to what I expect happened to you. It has probably
happened to most if not all of the Universities on this list by now.

A short summary: Someone probably has a list of usernames and passwords for
administrative accounts on a bunch of Windows machines on your network. One
or more of your compromised machines might still hold a copy of the list(s).

<related>
While the exact techniques shown in the following paper aren't as common
anymore (I don't see firedaemon or iroffer often), this is still, IMO,
required reading for any University security team:

"XDCC – An .EDU Admin’s Nightmare"
http://www.cs.rochester.edu/~bukys/host/tonikgin/EduHacking.html
</related>

Good luck,
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
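Added example (not from the thread, and not Brian's or Elliott's code): a small Python script that flags hosts answering with an FTP greeting on a port other than 21, which is the symptom described above (an FTP server on 6366 spread across many machines). The input format is a hypothetical sensor log of "timestamp src dst dport first-line-from-server"; the sample lines and the addresses in them are constructed for the example.

```python
"""Flag hosts that send an FTP greeting on a port other than 21.

Added example, not code from the original thread. The log format below
(hypothetical sensor output) and all sample addresses are assumptions.
"""
import re
from collections import defaultdict

FTP_PORT = 21
# An FTP server's greeting starts with reply code 220 (RFC 959), e.g. "220 Welcome".
FTP_BANNER_RE = re.compile(r"^220[ -]")

# Constructed sample input. Assumed hypothetical sensor format:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <first line sent by the server>".
SAMPLE_LOG = """\
2004-11-02T14:01:07 192.0.2.5 198.51.100.14 6366 220 Welcome to Serv-U FTP Server v4.0
2004-11-02T14:01:09 192.0.2.6 198.51.100.14 6366 220 Welcome to Serv-U FTP Server v4.0
2004-11-02T14:02:13 192.0.2.7 198.51.100.31 21 220 ProFTPD 1.2.9 Server ready.
2004-11-02T14:02:40 192.0.2.5 198.51.100.40 6366 HTTP/1.0 400 Bad Request
2004-11-02T14:03:01 192.0.2.9 198.51.100.52 31337 220-Welcome, please login
this line is garbage
"""


def parse_line(line):
    """Split one sensor line into its fields; return None for malformed lines."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    ts, src, dst, port, banner = parts
    try:
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": port, "banner": banner}


def find_rogue_ftp(log_text):
    """Return {(dst_ip, dst_port): hit_count} for FTP greetings on ports other than 21."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only the reply code is matched, so the banner text itself does not matter.
        if rec["port"] != FTP_PORT and FTP_BANNER_RE.match(rec["banner"]):
            hits[(rec["dst"], rec["port"])] += 1
    return dict(hits)


def hosts_by_port(findings):
    """Group flagged hosts by port so a campaign that reuses one port stands out."""
    by_port = defaultdict(set)
    for (host, port) in findings:
        by_port[port].add(host)
    return {port: sorted(hosts) for port, hosts in by_port.items()}


if __name__ == "__main__":
    findings = find_rogue_ftp(SAMPLE_LOG)
    for (host, port), n in sorted(findings.items()):
        print(f"{host}:{port} answered with an FTP banner ({n} connections)")
    for port, hosts in sorted(hosts_by_port(findings).items()):
        print(f"port {port}: {len(hosts)} host(s) -> {', '.join(hosts)}")
```

A 220 greeting on an odd port is a signal, not proof; a legitimate service could be listening there, so each flagged host still needs to be checked locally. Grouping by port is what turns "one strange listener" into "the same listener on 30 machines", which is the pattern Elliott describes.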
