Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Pubstro rash

From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 16 Mar 2005 17:58:53 -0800
  A few times in the past, someone has managed to break
into one or another of our servers and set up an FTP server
("pubstro") on an unused high port.  I'm facing something 
similar at the moment, but there are some distinct differences:

1.  The compromised hosts are workstations, not servers.
I'm hoping our field techs will be able to identify a 
common OS/SP level amongst the compromised machines.  No
servers appear to be affected.

2.  There have been 14 of them in less than 5 days.  OUCH.

3.  Instead of a random high port, the installed FTP server 
listens on port 53.  Which I can't block, because DNS may
need to use it, right?

4.  The FTP banners all claim to be the work of "Droppunx".

5.  At this point, I don't know how the machines are getting 
compromised initially.  I'd appreciate if anyone else is seeing
this pattern and has some insight they'd care to share.

David Gillett
Previous By Date Next
Previous By Thread Next

Current thread: