Educause Security Discussion mailing list archives

Re: Rogue FTP Servers


From: Mike Iglesias <iglesias () DRACO ACS UCI EDU>
Date: Tue, 2 Nov 2004 11:10:49 -0800

We are experiencing a small number of compromised machines running FTP
servers on various non-standard ports.  The most recent port used was 6366
and we have located this on 30 machines.  I can't find anything on any of
the major virus sites to help us understand how this is occurring.  Anyone
else experiencing something similar?

What we usually see is that a system gets infected with one of the worms
that leaves a backdoor open, and someone uses the backdoor to install
the ftp site.  At some point later on, they use it to distribute
warez, like hacked games, licensed software, movies, and music.


Mike Iglesias                          Email:       iglesias () draco acs uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
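
Added example (not part of the original message or from its author): a Python sketch for sweeping hosts you administer for services that answer with an FTP greeting on a port other than 21, such as the port 6366 listeners described above. The function names, the target list format and the rule for excluding SMTP (which also greets with 220) are assumptions made for this illustration.

```python
import socket

STANDARD_FTP_PORT = 21


def is_ftp_greeting(data: bytes) -> bool:
    """Heuristic: does the first reply line look like an FTP 220 greeting?

    RFC 959 replies start with a 3-digit code followed by a space
    (single line) or a hyphen (multi-line). SMTP servers also greet
    with 220, so banners mentioning SMTP/ESMTP are excluded (assumption:
    a rogue FTP daemon does not advertise itself as a mail server).
    """
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first[:3] != b"220" or first[3:4] not in (b" ", b"-"):
        return False
    return b"SMTP" not in data.upper()


def read_greeting(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect and return whatever the service sends first, or b'' on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512)
    except OSError:  # refused, unreachable, or the service never spoke
        return b""


def find_rogue_ftp(targets, timeout: float = 2.0):
    """Return (host, port, banner) for FTP-like greetings on non-standard ports.

    `targets` is an iterable of (host, port) pairs taken from your own
    inventory or flow data; port 21 is skipped because it is expected.
    """
    hits = []
    for host, port in targets:
        if port == STANDARD_FTP_PORT:
            continue
        banner = read_greeting(host, port, timeout)
        if is_ftp_greeting(banner):
            hits.append((host, port, banner.decode("latin-1").strip()))
    return hits
```

Feed it (host, port) pairs drawn from flow records or firewall logs for your own network; a hit is a candidate for follow-up rather than proof of compromise.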

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.