A few times in the past, someone has managed to break
into one or another of our servers and set up an FTP server
("pubstro") on an unused high port. I'm facing something
similar at the moment, but there are some distinct differences:
1. The compromised hosts are workstations, not servers.
I'm hoping our field techs will be able to identify a
common OS/SP level amongst the compromised machines. No
servers appear to be affected.
2. There have been 14 of them in less than 5 days. OUCH.
3. Instead of a random high port, the installed FTP server
listens on port 53. Which I can't block, because DNS may
need to use it, right?
4. The FTP banners all claim to be the work of "Droppunx".
5. At this point, I don't know how the machines are getting
compromised initially. I'd appreciate if anyone else is seeing
this pattern and has some insight they'd care to share.
David Gillett
Received on Mar 17 2005
Intro
