Solved

Tons of FTP traffic from my Win2000 server...

Posted on 2004-03-29
16,020 Views
Last Modified: 2007-12-19
Greetings all

I have a Win2k server that I think has some kind of hacker FTP script on it.  This Win2k server is our internal DNS, DHCP, payroll, outgoing mail, and Intranet web server.  

The symptoms:  

1. I noticed the network slowing to a crawl
2. Doing a SHOW IP NAT TRANS showed TONS of FTP traffic from that Win2k server that looks like this (with varying internet IP's):

tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32778 82.65.116.206:32778
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32781 82.65.116.206:32781
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32785 82.65.116.206:32785
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32786 82.65.116.206:32786
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32788 82.65.116.206:32788
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32792 82.65.116.206:32792
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32794 82.65.116.206:32794
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32797 82.65.116.206:32797    
...etc.

3. There were many entries in the event viewer that said:
Warning
Source: MSFTPSVC
Event ID: 10
User email@notset.com at host 80.14.20.91 has timed-out after 900 seconds of inactivity

**the email and IP address varied, but this one was most common

The first thing I did was update the Norton Corporate Edition definitions (they were only 1 week old), unplugged it from the network, and ran a full system scan.  Norton found nothing.  So, I plugged it back in, downloaded the latest AdAware reference file, unplugged it, scanned, and only found 4 objects.  I had AdAware remove them.  Unfortunately, when I plugged the server back in, a few seconds later, tons of FTP traffic spewed forth again.  Also, Windows Updates were downloaded a week or so ago.

So right now, the server is unplugged from the network.   Unfortunately again, I have little experience with access-lists, ours was configured by someone else, but I noticed our incoming access-list is not blocking FTP traffic.  Since this is an internal server only, I added a couple of lines in the existing inbound access-list on the router that say:

deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp
deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp-data    

This has not stopped the traffic problem.  Is the syntax right?  My next thought is to add deny ftp entries on the outbound access list.  If the FTP traffic is originating from an internet source, then blocking the FTP port should've fixed the problem.  If the traffic is coming from the Win2k server, then blocking outbound FTP will only alleviate the symptoms and not the cause of the traffic.  

At this point, I wasn't sure who to call...Microsoft, Symantec, or the restaurant next door for lunch lol.  There aren't any network security engineers in this area, so I thought I'd ask you guys for help.  :)

Additional information:  This server sits behind 2 routers.  The KDH router, which connects to the internet and has the ACL's and NAT configured, and the Harb router that's local to the Win2k server.  Normal pings from the Harb router to the main KDH router are around 12ms.  When the FTP traffic was spiking, I was getting 1200 to 2200ms ping times, and not many timeouts.

Any help would be GREATLY appreciated!

DB



0
Question by:DangerBabe
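The "show ip nat trans" rows in the question already answer the direction question the thread circles around (is the server being reached from outside, or dialling out?): the inside-local port is 21 and the outside ports are ephemeral, so the outside hosts opened the sessions. As an added example, not code from the original post, a small parser for that output that classifies each translation by direction and flags outside hosts holding many simultaneous sessions to the FTP port; the sample rows are copied from the question with the public IP left masked, plus one constructed outbound row.

```python
# Added example (not from the thread): triage Cisco "show ip nat translations"
# rows (Pro, Inside global, Inside local, Outside local, Outside global). If the
# inside-local port is the service port (21) and the outside port is ephemeral,
# the OUTSIDE host opened the session: the server is reachable from the Internet.
from collections import Counter, defaultdict

# Constructed sample: rows 1-3 from the question (IP masked), row 4 made up.
SAMPLE = """\
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32778 82.65.116.206:32778
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32781 82.65.116.206:32781
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32785 82.65.116.206:32785
tcp 63.165.xxx.xxx:1045 10.0.31.5:1045     198.51.100.7:21     198.51.100.7:21
"""

def split_endpoint(token):
    """'10.0.31.5:21' -> ('10.0.31.5', 21); a '---' placeholder -> (None, None)."""
    if ":" not in token:
        return None, None
    host, port = token.rsplit(":", 1)
    return host, int(port)

def parse_translations(text):
    """One dict per tcp/udp row; the header line and '---' rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp"):
            continue
        inside, in_port = split_endpoint(parts[2])
        outside, out_port = split_endpoint(parts[4])
        if in_port is None or out_port is None:
            continue
        rows.append({"inside": inside, "in_port": in_port,
                     "outside": outside, "out_port": out_port})
    return rows

def classify(rows, service_port=21):
    """inbound[server][client]: sessions an outside client opened to the inside
    server's service port; outbound[host][server]: the reverse direction."""
    inbound, outbound = defaultdict(Counter), defaultdict(Counter)
    for r in rows:
        if r["in_port"] == service_port and r["out_port"] > 1023:
            inbound[r["inside"]][r["outside"]] += 1
        elif r["out_port"] == service_port and r["in_port"] > 1023:
            outbound[r["inside"]][r["outside"]] += 1
    return inbound, outbound

def noisy_sources(inbound, threshold=3):
    """Outside hosts holding >= threshold simultaneous sessions to one server."""
    return {(srv, src): n for srv, c in inbound.items()
            for src, n in c.items() if n >= threshold}
```

Run against the full table, a non-empty inbound map for 10.0.31.5 means a static NAT or port-forward is exposing the box, which is what browman's later comment asks about.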
10 Comments
 
LVL 32

Expert Comment

by:shalomc
Are there any unknown services running on the server?
0
 
LVL 1

Assisted Solution

by:fcisler
fcisler earned 62 total points
Well, here's what I would do; if you've already done any of this, excuse me.


first:
DISABLE FTP!
make sure that it IS the ftp. If you disable and traffic goes back to normal, proceed

second:
make a new user account with admin rights then disable every other account.
If the traffic goes down to normal, well then we got ourselves a cracked account (it's not too late to mention that guest access should ALWAYS be disabled?)
If traffic is normal with all accounts disabled but this "new" account, then proceed

third:
enable all admin accounts again. Check traffic. Enable all service accounts....check traffic....i think you get the point here, try and narrow down the account they are using

also, go into IIS manager....right click the ftp server and click properties....click "current sessions"

see what account is logging in.
See if you can narrow down what's going on and post it here.
0
 

Author Comment

by:DangerBabe
Thanks for the replies guys!  Strangely, when I was typing a response here earlier, I noticed my pings return to normal (after I had plugged the server back into the network to see if I could spot any unusual processes), so I've been watching it for awhile.  So far, everything looks back to normal without me having done anything.

@Shalomc
Here's a list of processes that was running while the traffic was heavy....

System Idle Process  
MDaemon.exe
rtvscan.exe
System
CFEngine.exe
explorer.exe
wperl.exe
inetinfo.exe
LSASS.EXE
ntfrs.exe
tcpsvcs.exe
SERVICES.EXE
WINLOGON.EXE
WebAdmin.exe
DNS.EXE
spoolsv.exe
TASKMGR.EXE
CSRSS.EXE
svchost.exe
termsrv.exe
dfssvc.exe
WinMgmt.exe
LLSSRV.EXE
IcePack.exe
svchost.exe
HNDLRSVC.EXE
IAO.EXE
NTVDM.EXE
ismserv.exe
pds.exe
Syslogd_Service
svchost.exe
MSGSYS.EXE
msdtc.exe
NcsTop.exe
mstask.exe
tb2pro.exe
qserver.exe
XFR.EXE
DLLHOST.EXE
ScanExplicit.ex
LOCATOR.EXE
kodakimg.exe
tb2launch.exe
regsvc.exe
lxsupmon.exe
DBNTSRV.EXE
svchost.exe
vptray.exe
defwatch.exe
svchost.exe
SMSS.EXE
TNotify.exe
tb2logon.exe

The tb* entries are Timbuktu, which is not configured to use a modem, the only user account configured to access it remotely is mine, and guest access is disabled.

@fcisler
Oop, I forgot to add in my first message that I tried disabling FTP Publishing Service from the Services listing and also tried stopping the Default FTP site under IIS.  Neither seemed to affect the traffic.  Is there another place to disable FTP?  Also, the Win2000 guest account is disabled.  If the FTP traffic starts back up again, I'll definitely check the current sessions under the IIS manager.

0
 

Expert Comment

by:Chris_McMahon
Do you have any windows xp computers on the network?
0
 

Accepted Solution

by:browman
browman earned 63 total points
Could be some kind of trojan, or an FTP server in one of those other processes.

Try running TDIMON from Sysinternals for a few hours, even try making an FTP connection to your machine from elsewhere.  This will show you which processes are responding to which ports.

URL for the software (freeware) is:
http://www.sysinternals.com/ntw2k/freeware/tdimon.shtml

Look for processes that are responding to incoming TCP packets on port 21, and kill them off one by one.
0
 

Expert Comment

by:browman
Just noticed you're running behind NAT... nothing from the outside world should be able to see your Win2K box unless you have a port forward set up to direct all port 21 requests to that machine from the outside world.

What type of router/firewall are you running?
0
 

Author Comment

by:DangerBabe
@Chris
Yes, we have a mixture of Win98, XP, and about 4 ME machines.  There're about 100 PC's on the network.

@browman
Thanks for the TDIMon link!  It's now installed and has been running since 9:05 US Eastern time on March 31.  So far, there hasn't been a flood of FTP traffic.
Both the main router in the headquarters office (KDH) and the router in the other office local to the 2k server (Harb) are Cisco 2620's.  As far as the firewall settings, we're running access-lists only (as far as I know, since I'm still a n00b with routers and firewalls).  The company hired a guy a couple years ago to configure the routers.  My first thought was how someone could have gotten in to see the win2k box behind NAT since I don't have any public IP's set up on it either.  I certainly didn't set up any port forwarding.  Is port forwarding on a 2620 set up in the access-lists?  Speaking of public IP's and port forwarding, this server is running a small internal website and has been for over a year.  As of a month or so ago, there's a new person who has taken over maintaining the website, and she's using an FTP software to upload her site changes instead of FrontPage like the previous person.  Could she have done something on her end to open up the internal site to the public?

0
 

Expert Comment

by:browman
I can't speak for the particular router that you've got, but if you're running a web server and FTP server from inside a NAT subnet, then yes, you'll have port forwarding dealing with that side of things, probably on both ports 80 and 21 by the sound of things.

Best practice is to use a separate IP address and a separate bridged subnet (called a DMZ) for this kind of approach.  That way, if anyone does compromise your public box, they can't then use it to get into your network.

Whenever you have an active public FTP server running, you're always going to get some opportunist hacking attempts.  It sounds like you've got onto someone's "must crack" list.  As long as you aren't allowing anonymous access, and you've got reliable and secure FTP server software, that's about the best you can do, although you could theoretically limit the IP ranges that can connect via FTP (depending on the router).

0
 

Author Comment

by:DangerBabe
@browman
Hmmm....They should only be ftp'ing to the intranet site from inside the network.  This box isn't supposed to be accessible to the public, so there wouldn't be a point of sticking it in a DMZ.

In other words, this Win2k box is only supposed to be providing DNS, DHCP, and hosting internal web sites, and those sites should only be able to be modified and viewed internally.

But on another note, since my first post was how to stop the flood of traffic to and/or from the Win2k box, and mysteriously, there has been no more sign of that traffic since the 29th, and I'm leaving this job and relocating to another city in about 2 weeks, I suppose I should go ahead and award points?  Since this is my first ever topic, I'm not sure how to award points since the problem ended on its own.  I was thinking of splitting the points between fcisler and browman's tdimon reply.
0
 
LVL 1

Expert Comment

by:Mad_Lion
Let's start at the basics (sorry if I'm getting into this late in the game). You're behind NAT.

First things first, disable access to your box through FTP ports. Cut and dry. If there is no mapping to that box, they won't get to it on those ports.

If you don't need FTP services, deny it to everyone outside your network. Half your problem is solved.

Next, have a look at your traffic with the utilities from above and see where your traffic is coming from, if it's even there anymore at all.

The DMZ. Although it DOES protect your network from someone who takes over your box, it DOES expose your box to the world unless you are savvy enough to configure your rules properly. May I suggest a NAT'ed subnet for your public servers, and another subnet for your corporate network?
Well, you choose your poison on that one.

I had a quick look at what services you have running on your server.
The attention getters there are:

tb2pro.exe (are you running the remote administration tool Timbuktu(sp)? Dangerous to have this internet-facing; easy to hack.)
WebAdmin.exe  (how many remote administration tools do you need anyway?)
termsrv.exe (Terminal services?, this is getting ugly)
xfr.exe (Intel File Transfer? This server is managing clients? is this a web server or what?)

OK, enough of that. It appears to me that this server is either, one, WAY over-tasked. Not saying that it's being overworked, but it's doing a bit too much.
And it appears that it's performing both public services and private services. It's a good idea to keep these things separate.
Or, two, it was not hardened when the OS was installed in the first place. Either way, you've got a recipe for disaster in my opinion.

Wherever you go... Don't allow internal and external services to be mixed on an internet-facing server.
Good luck in everything you do.
0
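Mad_Lion's advice above is to deny FTP to everyone outside the network, and the question reports that two deny lines appended to the existing inbound list changed nothing. Cisco IOS appends new entries to the end of a list and stops at the first match, so a deny placed after a broad permit is never consulted. As an added example (not code from the thread or from Cisco), a minimal first-match evaluator for extended ACL entries that checks the question's two deny lines in both positions; it assumes the pre-existing list ended with "permit ip any any" and stands in the documentation prefix 203.0.113.0/27 for the masked 63.165.xxx.xxx block (both constructed).

```python
# Added example (not from the thread): a minimal first-match evaluator for
# Cisco IOS extended ACL entries. IOS appends new lines to the END of an
# existing list and stops at the first match, so a deny appended after a broad
# permit is never reached. The prior list is not shown in the thread; a single
# "permit ip any any" is assumed here, and the masked 63.165.xxx.xxx block is
# replaced by the documentation prefix 203.0.113.0/27 (both constructed).
import ipaddress

PORTS = {"ftp": 21, "ftp-data": 20, "www": 80}

def _addr(toks, i):
    """'any' or 'address wildcard' at position i -> ((base, wildcard), next i)."""
    if toks[i] == "any":
        return ("any", None), i + 1
    return (toks[i], toks[i + 1]), i + 2

def parse_ace(line):
    """'deny tcp any 203.0.113.0 0.0.0.31 eq ftp' -> rule dict (dst port optional)."""
    toks = line.split()
    src, i = _addr(toks, 2)
    dst, i = _addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORTS.get(toks[i + 1]) or int(toks[i + 1])
    return {"action": toks[0], "proto": toks[1], "src": src, "dst": dst, "dport": dport}

def _match_addr(spec, ip):
    base, wildcard = spec
    if base == "any":
        return True
    b, w, a = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard, ip))
    return (b & ~w) == (a & ~w)      # wildcard bits are "don't care"

def evaluate(acl, proto, src, dst, dport):
    """Action of the first matching entry; 'deny' if none matches (implicit deny)."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match_addr(ace["src"], src) and _match_addr(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

DENY_FTP = ["deny tcp any 203.0.113.0 0.0.0.31 eq ftp",
            "deny tcp any 203.0.113.0 0.0.0.31 eq ftp-data"]
EXISTING = ["permit ip any any"]           # constructed stand-in for the old list
APPENDED = [parse_ace(l) for l in EXISTING + DENY_FTP]   # what the question did
CORRECTED = [parse_ace(l) for l in DENY_FTP + EXISTING]  # denies ahead of the permit
```

The syntax of the two lines is fine; with APPENDED an inbound SYN to port 21 on the inside-global address still hits the permit, with CORRECTED it is dropped, which is why the position in the list matters more than the wording.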
