Tons of FTP traffic from my Win2000 server...

Posted on 2004-03-29
Last Modified: 2007-12-19
Greetings all

I have a Win2k server that I think has some kind of hacker FTP script on it.  This Win2k server is our internal DNS, DHCP, payroll, outgoing mail, and Intranet web server.  

The symptoms:  

1. I noticed the network slowing to a crawl
2. Doing a SHOW IP NAT TRANS showed TONS of FTP traffic from that Win2k server that looks like this (with varying internet IPs):


3. There were many entries in the event viewer that said:
Event ID: 10
User at host has timed-out after 900 seconds of inactivity

**the email and IP address varied, but this one was most common

The first thing I did was update the Norton Corporate Edition definitions (they were only 1 week old), unplugged it from the network, and ran a full system scan.  Norton found nothing.  So, I plugged it back in, downloaded the latest AdAware reference file, unplugged it, scanned, and only found 4 objects.  I had AdAware remove them.  Unfortunately, when I plugged the server back in, a few seconds later, tons of FTP traffic spewed forth again.  Also, Windows Updates were downloaded a week or so ago.

So right now, the server is unplugged from the network.   Unfortunately again, I have little experience with access-lists, ours was configured by someone else, but I noticed our incoming access-list is not blocking FTP traffic.  Since this is an internal server only, I added a couple of lines in the existing inbound access-list on the router that say:

deny tcp any eq ftp
deny tcp any eq ftp-data    

This has not stopped the traffic problem.  Is the syntax right?  My next thought is to add deny ftp entries on the outbound access list.  If the FTP traffic is originating from an internet source, then blocking the FTP port should've fixed the problem.  If the traffic is coming from the Win2k server, then blocking outbound FTP will only alleviate the symptoms and not cause of the traffic.  

At this point, I wasn't sure who to call...Microsoft, Symantec, or the restaurant next door for lunch lol.  There aren't any network security engineers in this area, so I thought I'd ask you guys for help.  :)

Additional information:  This server sits behind 2 routers.  The KDH router, which connects to the internet and has the ACLs and NAT configured, and the Harb router that's local to the Win2k server.  Normal pings from the Harb router to the main KDH router are around 12ms.  When the FTP traffic was spiking, I was getting 1200 to 2200ms ping times, and not many time outs.

Any help would be GREATLY appreciated!


Question by:DangerBabe
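An added example, not part of the original post or the poster's environment, of the triage the question describes: parsing a saved `show ip nat translations` dump and counting, per inside host, how many translations go to remote FTP ports (20/21) and to how many distinct remote hosts. The dump below is constructed with RFC 5737 documentation addresses in the column layout IOS prints; the threshold of 3 concurrent FTP sessions is an assumption to tune per site.

```python
"""Triage a Cisco 'show ip nat translations' dump for FTP fan-out.

Added example, not part of the original thread. The sample dump below is
constructed (RFC 5737 documentation addresses), not the poster's real output.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the format IOS prints for 'show ip nat translations'.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1034   192.168.1.10:1034  198.51.100.7:21    198.51.100.7:21
tcp 203.0.113.5:1035   192.168.1.10:1035  198.51.100.8:21    198.51.100.8:21
tcp 203.0.113.5:1036   192.168.1.10:1036  198.51.100.9:21    198.51.100.9:21
tcp 203.0.113.5:1037   192.168.1.10:1037  198.51.100.10:21   198.51.100.10:21
tcp 203.0.113.5:1038   192.168.1.10:1038  198.51.100.11:21   198.51.100.11:21
tcp 203.0.113.5:2100   192.168.1.55:2100  192.0.2.20:80      192.0.2.20:80
udp 203.0.113.5:53123  192.168.1.10:53123 192.0.2.53:53      192.0.2.53:53
tcp 203.0.113.5:1040   192.168.1.10:1040  198.51.100.7:20    198.51.100.7:20
"""

# One translation row: protocol, inside global, inside local, outside local, outside global.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)

FTP_PORTS = {20, 21}  # ftp-data and ftp control


def split_endpoint(ep):
    """'192.168.1.10:1034' -> ('192.168.1.10', 1034); '---' -> ('---', None)."""
    host, sep, port = ep.rpartition(":")
    if not sep:
        return ep, None
    return host, int(port)


def parse_translations(text):
    """Yield one dict per translation row; the header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        il_host, il_port = split_endpoint(m.group("il"))
        og_host, og_port = split_endpoint(m.group("og"))
        yield {
            "proto": m.group("proto"),
            "inside_local": il_host,
            "inside_port": il_port,
            "outside_global": og_host,
            "outside_port": og_port,
        }


def ftp_fanout(text):
    """Count TCP translations per inside host whose outside port is FTP (20/21),
    and collect the distinct remote hosts each inside host talked to."""
    counts = Counter()
    peers = defaultdict(set)
    for t in parse_translations(text):
        if t["proto"] == "tcp" and t["outside_port"] in FTP_PORTS:
            counts[t["inside_local"]] += 1
            peers[t["inside_local"]].add(t["outside_global"])
    return counts, peers


def suspicious_hosts(text, max_ftp_sessions=3):
    """Inside hosts holding more concurrent FTP translations than a normal client
    would (the threshold is an assumption; tune it for your site).
    Returns sorted (host, translation_count, distinct_remote_hosts) tuples."""
    counts, peers = ftp_fanout(text)
    return sorted(
        (host, n, len(peers[host]))
        for host, n in counts.items()
        if n > max_ftp_sessions
    )


if __name__ == "__main__":
    for host, n, distinct in suspicious_hosts(SAMPLE_NAT_TABLE):
        print(f"{host}: {n} FTP translations to {distinct} distinct remote hosts")
```

Paste the router's output into a file and feed it to `suspicious_hosts`; a single inside host fanning out to many distinct remote FTP servers, as the constructed 192.168.1.10 does here, is the pattern the question describes, and the inside-local address is what to match against the DHCP/DNS server's IP before pulling its cable.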

Expert Comment

ID: 10706143
Are there any unknown services running on the server?

Assisted Solution

fcisler earned 62 total points
ID: 10707990
Well, here's what I would do; if you've already done any of this, excuse me.

Make sure that it IS the FTP. If you disable it and the traffic goes back to normal, proceed.

Make a new user account with admin rights, then disable every other account.
If the traffic goes down to normal, well then we've got ourselves a cracked account (it's not too late to mention that guest access should ALWAYS be disabled?)
If traffic is normal with all accounts disabled but this "new" account, then proceed.

Enable all admin accounts again. Check traffic. Enable all service accounts... check traffic... I think you get the point here; try and narrow down the account they are using.

Also, go into IIS Manager, right-click the FTP server and click "Current Sessions".

See what account is logging in.
See if you can narrow down what's going on and post it here.

Author Comment

ID: 10708692
Thanks for the replies, guys!  Strangely, when I was typing a response here earlier, I noticed my pings return to normal (after I had plugged the server back into the network to see if I could spot any unusual processes), so I've been watching it for a while.  So far, everything looks back to normal without me having done anything.

Here's a list of processes that were running while the traffic was heavy:

System Idle Process

The tb* entries are Timbuktu, which is not configured to use a modem, the only user account configured to access it remotely is mine, and guest access is disabled.

Oops, I forgot to add in my first message that I tried disabling FTP Publishing Service from the Services listing and also tried stopping the Default FTP site under IIS.  Neither seemed to affect the traffic.  Is there another place to disable FTP?  Also, the Win2000 guest account is disabled.  If the FTP traffic starts back up again, I'll definitely check the current sessions under the IIS manager.

Expert Comment

ID: 10709176
Do you have any windows xp computers on the network?

Accepted Solution

browman earned 63 total points
ID: 10714357
Could be some kind of trojan, or an FTP server in one of those other processes.

Try running TDIMON from Sysinternals for a few hours, even try making an FTP connection to your machine from elsewhere.  This will show you which processes are responding to which ports.

URL for the software (freeware) is:

Look for processes that are responding to incoming TCP packets on port 21, and kill them off one by one.
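An added example, not from browman's answer or anyone else in the thread: the question TDIMon answers (which process owns the FTP sockets) worked offline from saved `netstat -ano` and `tasklist` output, separating a process that listens on port 21 (an FTP server) from one holding outbound connections to port 21 (an FTP client, or something behaving like one). Both text samples are constructed; `updater.exe` is a hypothetical process name and the PIDs are invented. Caveat: the `-o` switch that adds the PID column, and `tasklist.exe` itself, arrived with Windows XP, so on the Windows 2000 box in the thread TDIMon or TCPView from Sysinternals remains the way to get this mapping.

```python
"""Attribute FTP sockets to processes from 'netstat -ano' and 'tasklist' output.

Added example, not from the thread. Offline alternative to watching TDIMon:
feed it the saved text of the two commands. Note: netstat's -o switch (PID
column) and tasklist.exe exist on Windows XP and later, not on Windows 2000,
where TDIMon or TCPView is the tool for this. Both samples below are constructed.
"""
import re

# Constructed 'netstat -ano' output (RFC 5737 addresses, invented PIDs).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:1034      198.51.100.7:21        ESTABLISHED     2216
  TCP    192.168.1.10:1035      198.51.100.8:21        ESTABLISHED     2216
  TCP    192.168.1.10:1036      198.51.100.9:21        SYN_SENT        2216
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       820
  TCP    192.168.1.10:2100      192.0.2.20:80          ESTABLISHED     1460
  UDP    0.0.0.0:53             *:*                                    1120
"""

# Constructed 'tasklist' output; 'updater.exe' is a hypothetical process name.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
inetinfo.exe                  1204 Console                    0     10,240 K
termsrv.exe                    820 Console                    0      3,900 K
dns.exe                       1120 Console                    0      5,120 K
iexplore.exe                  1460 Console                    0     18,004 K
updater.exe                   2216 Console                    0      2,048 K
"""

# UDP rows have no State column, hence the optional state group.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# Image name may contain spaces ("System Idle Process"), so match it lazily.
TASKLIST_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def port_of(endpoint):
    """'198.51.100.7:21' -> 21; '*:*' -> None."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def parse_tasklist(text):
    """Map PID -> image name."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            names[int(m.group("pid"))] = m.group("name").strip()
    return names


def parse_netstat(text):
    """Yield (proto, local_port, remote_host, remote_port, state, pid) per socket row."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        yield (
            m.group("proto"),
            port_of(m.group("local")),
            m.group("remote").rpartition(":")[0],
            port_of(m.group("remote")),
            m.group("state") or "",
            int(m.group("pid")),
        )


def ftp_by_process(netstat_text, tasklist_text, ftp_ports=(20, 21)):
    """Group FTP-related TCP sockets by owning process.

    Returns {image_name: {"pid": int, "listening": bool, "outbound": [remote_host, ...]}}.
    A process that LISTENS on 21 is an FTP server; one holding connections
    (any non-listening state, including half-open SYN_SENT) to remote port 21
    is an FTP client, or something pretending to be one.
    """
    names = parse_tasklist(tasklist_text)
    out = {}
    for proto, lport, rhost, rport, state, pid in parse_netstat(netstat_text):
        if proto != "TCP":
            continue
        is_server = state == "LISTENING" and lport in ftp_ports
        is_client = state != "LISTENING" and rport in ftp_ports
        if not (is_server or is_client):
            continue
        name = names.get(pid, f"pid {pid}")
        entry = out.setdefault(name, {"pid": pid, "listening": False, "outbound": []})
        if is_server:
            entry["listening"] = True
        else:
            entry["outbound"].append(rhost)
    return out


if __name__ == "__main__":
    for name, info in ftp_by_process(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        role = "listens on FTP" if info["listening"] else f"{len(info['outbound'])} outbound FTP"
        print(f"{name} (pid {info['pid']}): {role}")
```

In the constructed sample the IIS process (`inetinfo.exe`) only listens, which matches the poster's observation that stopping the FTP Publishing Service changed nothing: the outbound connections belong to a different process, and that is the one to look at (binary path, signer, start time, service or Run-key entry) rather than kill blindly.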

Expert Comment

ID: 10714598
Just noticed you're running behind NAT... nothing from the outside world should be able to see your Win2K box unless you have a port forward set up to direct all port 21 requests to that machine from the outside world.

What type of router/firewall are you running?

Author Comment

ID: 10724288
Yes, we have a mixture of Win98, XP, and about 4 ME machines.  There're about 100 PCs on the network.

Thanks for the TDIMon link!  It's now installed and has been running since 9:05 US Eastern time on March 31.  So far, there hasn't been a flood of FTP traffic.
Both the main router in the headquarters office (KDH) and the router in the other office local to the 2k server (Harb) are Cisco 2620's.  As far as the firewall settings, we're running access-lists only (as far as I know, since I'm still a n00b with routers and firewalls).  The company hired a guy a couple years ago to configure the routers.  My first thought was how someone could have gotten in to see the win2k box behind NAT since I don't have any public IPs set up on it either.  I certainly didn't set up any port forwarding.  Is port forwarding on a 2620 set up in the access-lists?

Speaking of public IPs and port forwarding, this server is running a small internal website and has been for over a year.  As of a month or so ago, there's a new person who has taken over maintaining the website, and she's using FTP software to upload her site changes instead of FrontPage like the previous person.  Could she have done something on her end to open up the internal site to the public?


Expert Comment

ID: 10730966
I can't speak for the particular router that you've got, but if you're running a web server and FTP server from inside a NAT subnet, then yes, you'll have port forwarding dealing with that side of things, probably on both ports 80 and 21 by the sound of things.

Best practice is to use a separate IP address and a separate bridged subnet (called a DMZ) for this kind of approach.  That way, if anyone does compromise your public box, they can't then use it to get into your network.

Whenever you have an active public FTP server running, you're always going to get some opportunist hacking attempts.  It sounds like you've got onto someone's "must crack" list.  As long as you aren't allowing anonymous access, and you've got reliable and secure FTP server software, that's about the best you can do, although you could theoretically limit the IP ranges that can connect via FTP (depending on the router).


Author Comment

ID: 10745819
Hmmm... They should only be ftp'ing to the intranet site from inside the network.  This box isn't supposed to be accessible to the public, so there wouldn't be a point in sticking it in a DMZ.

In other words, this Win2k box is only supposed to be providing DNS, DHCP, and hosting internal web sites, and those sites should only be able to be modified and viewed internally.

But on another note, since my first post was how to stop the flood of traffic to and/or from the Win2k box, and mysteriously, there has been no more sign of that traffic since the 29th, and I'm leaving this job and relocating to another city in about 2 weeks, I suppose I should go ahead and award points?  Since this is my first ever topic, I'm not sure how to award points since the problem ended on its own.  I was thinking of splitting the points between fcisler and browman's TDIMon reply.

Expert Comment

ID: 10973551

Let's start at the basics (sorry if I'm getting into this late in the game). You're behind NAT.

First things first, disable access to your box through FTP ports. Cut and dry. If there is no mapping to that box, they won't get to it on those ports.

If you don't need FTP services, deny it to everyone outside your network. Half your problem is solved.

Next, have a look at your traffic with the utilities from above and see where your traffic is coming from, if it's even there anymore at all.

The DMZ. Although it DOES protect your network from someone who takes over your box, it DOES expose your box to the world unless you are savvy enough to configure your rules properly. May I suggest a NAT'ed subnet for your public servers, and another subnet for your corporate network?
Well, you choose your poison on that one.

I had a quick look at what services you have running on your server.
The attention getters there are:

tb2pro.exe (are you running the remote administration tool Timbuktu(sp)? Dangerous to have this internet-facing; easy to hack.)
WebAdmin.exe  (how many remote administration tools do you need anyway?)
termsrv.exe (Terminal Services? This is getting ugly.)
xfr.exe (Intel File Transfer? This server is managing clients? Is this a web server or what?)

OK, enough of that. It appears to me that this server is either, one, WAY over-tasked. Not saying that it's being overworked, but it's doing a bit too much.
And it appears that it's performing both public services and private services. It's a good idea to keep these things separate.
OR, two, it was not hardened when the OS was installed in the first place. Either way, you've got a recipe for disaster in my opinion.

Wherever you go... Don't allow internal and external services to be mixed on an internet-facing server.
Good luck in everything you do.
