Re: Port 1975 rogue service

From: Christopher E. Cramer (chris.cramerat_private)
Date: Thu Oct 31 2002 - 14:00:28 PST


That's an FTP server running on an odd port.  Most likely the machine was 
cracked via some other mechanism (MS-SQL, poor passwords, IIS, etc) and 
had the FTP server installed in order to distribute copyrighted movies, 
music, etc.

-chris

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  CELL: 919-210-0528
PGP Public Key: http://www.duke.edu/~cramer/cramer.pgp

On 31 Oct 2002, William Kintz wrote:

> 
> 
> I have discovered a rogue service of some sort running
> on Port 1975 on one of my Win2000 boxes. Connecting to
> this port via a telnet gives me the below output.
> Anyone have any idea what this is?
> 
> TIA,
> 
> William J Kintz, CISSP, CCNA
> 
> <begin screen capture>
> 
> 220-A Fire_Fly_808 Production
> 220-
> 220-
> 220-
> 220-     
> °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_
> ,°ñ░`░ñ°
> 220-
> 220-             [ server time is 15:35:37  ]
> 220-             [ server date is Thursday 31 October,
> 2002  ]
> 220-             [ you are connecting from: XX.XX.XX.XX  ]
> 220-
> 220-     
> °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_
> ,°ñ░`░ñ°
> 220-
> 220-             [ server stats  ]
> 220-             [ pubstro uptime: 4 Days, 13 Hours, 4
> Mins  ]
> 220-             [ leechers 0ver the last 24 hours: 1699  ]
> 220-             [ leechers logged in: 1783  ]
> 220-             [ current leechers: 2  ]
> 220-             [ kb leeched: 11550405 kb/s  ]
> 220-             [ kb filled: 4438567 kb/s  ]
> 220-             [ hdd freespace: 768.62 kb  ]
> 220-             [ Average Bandwith used: 40.719  ]
> 220-             [ Current Bandwith in use: 16.500  ]
> 220-
> 220      
> °ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕_╕,°ñ░`░ñ°,╕╕
> ,°ñ░`░ñ°
> 
> 
> 
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
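
Added example, not part of either poster's message: a sketch of how a captured banner like the one quoted above can be recognized as an FTP greeting (the RFC 959 multi-line "220-" ... "220 " reply form) and flagged when it appears on a port other than 21. The function names and the list of banner terms are assumptions of this example; the terms are taken from the capture in this thread.

```python
import re

# Terms taken from the banner quoted in this thread; treating them as
# indicators of an unauthorized file drop is an assumption of this example.
SUSPICIOUS_TERMS = ("pubstro", "leech")
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_greeting(raw):
    """Parse one RFC 959 reply; return (code, text_lines) or None."""
    lines = raw.replace("\r\n", "\n").split("\n")
    first = REPLY_LINE.match(lines[0])
    if not first:
        return None
    code, sep, text = first.groups()
    body = [text]
    if sep == " ":
        return code, body              # single-line reply
    for line in lines[1:]:
        m = REPLY_LINE.match(line)
        if m and m.group(1) == code:
            body.append(m.group(3))
            if m.group(2) == " ":
                return code, body      # "<code><space>" closes the reply
        else:
            body.append(line)          # free-form lines are allowed in between
    return None                        # multi-line reply never terminated

def assess(port, raw):
    """Return a list of findings for a banner captured on the given port."""
    findings = []
    parsed = parse_greeting(raw)
    if parsed is None or parsed[0] != "220":
        return findings
    findings.append("FTP greeting (220)")
    if port != 21:
        findings.append("FTP on non-standard port %d" % port)
    text = "\n".join(parsed[1]).lower()
    for term in SUSPICIOUS_TERMS:
        if term in text:
            findings.append("banner term: " + term)
    return findings

# Constructed sample, abridged from the capture in the thread, including
# one wrapped line that carries no reply code.
SAMPLE = (
    "220-A Fire_Fly_808 Production\r\n"
    "220-             [ pubstro uptime: 4 Days, 13 Hours, 4\r\n"
    "Mins  ]\r\n"
    "220-             [ current leechers: 2  ]\r\n"
    "220 \r\n"
)
```
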





This archive was generated by hypermail 2b30 : Thu Oct 31 2002 - 18:02:33 PST