Educause Security Discussion mailing list archives

Re: Rogue FTP Servers


From: Daniel Adinolfi <dra1 () CORNELL EDU>
Date: Tue, 2 Nov 2004 14:09:13 -0500

On Nov 02, 2004, at 13:44, Elliott Franklin wrote:

> We are experiencing a small number of compromised machines running FTP
> servers on various non-standard ports.  The most recent port used was
> 6366 and we have located this on 30 machines.  I can't find anything
> on any of the major virus sites to help us understand how this is
> occurring.  Anyone else experiencing something similar?


Greetings,

We have been seeing this for the last year and a half or so.  Various
viruses/trojans/worms/bots run rogue FTP servers on compromised
systems.  Recently, we have found that the latest variants of bots are
running HackDefender (or something similar) to hide malware and files
from the UI, even when running in Safe Mode.  Booting the compromised
system off of clean media, such as a Knoppix or WindowsPE CD, will
allow you to locate the hidden files and identify them with antivirus
software.

Good luck.

-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 () cornell edu   phone: 607-255-7657
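
The clean-media check described in the reply above can be run as a cross-view comparison. This is an added example, not part of the original thread. It assumes two plain-text recursive file listings, one taken on the running Windows system and one taken after booting clean media with the volume mounted at a hypothetical /mnt/win; every path in the sample data is constructed.

```python
"""Cross-view check: files visible from clean boot media but absent from
the listing taken on the running (possibly rootkitted) system."""
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional


def normalize_live(line: str) -> str:
    """'C:\\WINDOWS\\x.dll' -> 'windows/x.dll' (drive dropped, case folded)."""
    p = PureWindowsPath(line.strip())
    parts = p.parts[1:] if p.anchor else p.parts
    return "/".join(parts).casefold()  # Windows names are case-insensitive


def normalize_offline(line: str, mount: str) -> Optional[str]:
    """'/mnt/win/WINDOWS/x.dll' -> 'windows/x.dll'; None if outside mount."""
    try:
        rel = PurePosixPath(line.strip()).relative_to(mount)
    except ValueError:
        return None
    return "/".join(rel.parts).casefold()


def hidden_from_live(live_lines, offline_lines, mount="/mnt/win"):
    """Return offline paths that have no counterpart in the live listing."""
    live = {normalize_live(l) for l in live_lines if l.strip()}
    hidden = []
    for line in offline_lines:
        key = normalize_offline(line, mount) if line.strip() else None
        if key and key not in live:
            hidden.append(line.strip())
    return sorted(hidden)


# Constructed sample listings (not taken from any real incident).
LIVE_SAMPLE = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
    r"C:\Documents and Settings\user\ntuser.dat",
]
OFFLINE_SAMPLE = [
    "/mnt/win/WINDOWS/system32/kernel32.dll",
    "/mnt/win/WINDOWS/System32/drivers/etc/hosts",
    "/mnt/win/Documents and Settings/user/NTUSER.DAT",
    "/mnt/win/WINDOWS/system32/example_hidden_ftpd.exe",
    "/mnt/win/WINDOWS/system32/example_hidden_ftpd.ini",
]

if __name__ == "__main__":
    for path in hidden_from_live(LIVE_SAMPLE, OFFLINE_SAMPLE):
        print("visible only from clean media:", path)
```

Files created between the two captures (temp files, logs) also appear in the output, so each hit is a candidate for the antivirus scan from clean media rather than a verdict.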
