Pubstro rash

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 03/17/05

To: <incidents@securityfocus.com>
Date: Wed, 16 Mar 2005 17:58:53 -0800

      A few times in the past, someone has managed to break
    into one or another of our servers and set up an FTP server
    ("pubstro") on an unused high port. I'm facing something
    similar at the moment, but there are some distinct differences:

    1. The compromised hosts are workstations, not servers.
    I'm hoping our field techs will be able to identify a
    common OS/SP level amongst the compromised machines. No
    servers appear to be affected.

    2. There have been 14 of them in less than 5 days. OUCH.

    3. Instead of a random high port, the installed FTP server
    listens on port 53. Which I can't block, because DNS may
    need to use it, right?

    4. The FTP banners all claim to be the work of "Droppunx".

    5. At this point, I don't know how the machines are getting
    compromised initially. I'd appreciate it if anyone else who is seeing
    this pattern and has some insight would care to share it.

    David Gillett
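On point 3 (an FTP daemon on port 53 that you cannot simply firewall because DNS needs the port): the two services are easy to tell apart on the wire without touching DNS. A DNS server speaking TCP never sends anything until it receives a length-prefixed query, whereas an FTP daemon greets every connection with a "220 ..." reply the moment it opens. The script below is an added example for this thread, not code from the original post or from SecurityFocus; it opens TCP/53 on each host you name, sends nothing, and classifies whatever arrives unprompted. The "Droppunx" marker comes from the banners described in the post; the sample banners in the test are constructed, and the hosts on the command line are assumed to be your own workstations.

```python
"""Tell a rogue FTP daemon on TCP/53 apart from a real DNS server.

Added example, not part of the original post. It relies on one protocol
fact: a DNS/TCP server stays silent until it gets a query, while an FTP
server sends a "220" (or "120"/"421") greeting as soon as the connection
opens. Unsolicited data on port 53 that starts with an FTP reply code is
therefore a strong pubstro indicator, and the check does not interfere
with legitimate DNS traffic at all.
"""
import re
import socket
import sys

# FTP greeting replies: 220 (ready), 120 (ready in n minutes), 421 (busy).
FTP_GREETING = re.compile(rb"^(220|120|421)[ -]")

# Banner strings tied to this incident ("Droppunx" is from the post);
# compared case-insensitively, extend as new variants show up.
BANNER_MARKERS = (b"droppunx",)


def classify_first_bytes(data: bytes) -> str:
    """Classify what a server on TCP/53 sent *before* we sent anything.

    Returns one of:
      "silent"   - nothing unsolicited: consistent with a real DNS server
      "ftp"      - looks like an FTP greeting: likely a pubstro
      "dns-like" - a length-prefixed DNS message (unusual unprompted, but
                   some proxies and misconfigured resolvers do this)
      "unknown"  - something else spoke first; worth a manual look
    """
    if not data:
        return "silent"
    if FTP_GREETING.match(data):
        return "ftp"
    if len(data) >= 14:  # 2-byte length prefix + 12-byte DNS header
        declared = int.from_bytes(data[:2], "big")
        if declared == len(data) - 2:
            return "dns-like"
    return "unknown"


def banner_text(data: bytes) -> str:
    """Human-readable part of an FTP greeting: first line, reply code stripped."""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not FTP_GREETING.match(first_line):
        return ""
    return first_line[4:].decode("latin-1", "replace")


def has_known_marker(data: bytes) -> bool:
    """True if the greeting contains a banner string already seen in this incident."""
    lowered = data.lower()
    return any(marker in lowered for marker in BANNER_MARKERS)


def probe_port53(host: str, timeout: float = 3.0) -> tuple:
    """Open host:53/tcp, send nothing, and report what (if anything) arrives.

    Returns (verdict, raw_bytes); verdict is "closed" if the port is shut.
    """
    try:
        with socket.create_connection((host, 53), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                data = b""  # a real DNS server lands here
    except OSError:
        return "closed", b""
    return classify_first_bytes(data), data


def main(hosts: list) -> None:
    """Inventory the given hosts and print one line per host."""
    for host in hosts:
        verdict, data = probe_port53(host)
        line = f"{host:<16} {verdict}"
        if verdict == "ftp":
            flag = " [known marker]" if has_known_marker(data) else ""
            line += f"  banner={banner_text(data)!r}{flag}"
        print(line)


if __name__ == "__main__":
    # usage: python find_pubstro53.py 10.0.0.5 10.0.0.6 ...   (hosts are assumed)
    main(sys.argv[1:])
```

Hosts that report "ftp" are the ones to pull for imaging; "silent" is what a healthy resolver looks like. Because the probe never sends a byte, it is safe to run against real DNS servers, and the banner text it captures gives the field techs something concrete to correlate with OS/SP level.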

