RE: Pubstro rash

["David Gillett" <gillettdavid () fhda edu>]

  Further detail:  I'm being told that all of the compromised
workstations are running 2KPro or NTW.  So that suggests that
the attackers are getting in through a hole that is fixed in
XP or its service packs.

> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu]
> Sent: Wednesday, March 16, 2005 5:59 PM
> To: 'incidents () securityfocus com'
> Subject: Pubstro rash
>
>
>   A few times in the past, someone has managed to break
> into one or another of our servers and set up an FTP server
> ("pubstro") on an unused high port.  I'm facing something 
> similar at the moment, but there are some distinct differences:
>
> 1.  The compromised hosts are workstations, not servers.
> I'm hoping our field techs will be able to identify a 
> common OS/SP level amongst the compromised machines.  No
> servers appear to be affected.
>
> 2.  There have been 14 of them in less than 5 days.  OUCH.
>
> 3.  Instead of a random high port, the installed FTP server 
> listens on port 53.  Which I can't block, because DNS may
> need to use it, right?
>
> 4.  The FTP banners all claim to be the work of "Droppunx".
>
> 5.  At this point, I don't know how the machines are getting 
> compromised initially.  I'd appreciate if anyone else is seeing
> this pattern and has some insight they'd care to share.
>
> David Gillett