DangerBabe asked:
Tons of FTP traffic from my Win2000 server...

Greetings all

I have a Win2k server that I think has some kind of hacker FTP script on it.  This Win2k server is our internal DNS, DHCP, payroll, outgoing mail, and Intranet web server.  

The symptoms:  

1. I noticed the network slowing to a crawl
2. Doing a SHOW IP NAT TRANS showed TONS of FTP traffic from that Win2k server that looks like this (with varying internet IP's):

tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32778 82.65.116.206:32778
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32781 82.65.116.206:32781
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32785 82.65.116.206:32785
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32786 82.65.116.206:32786
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32788 82.65.116.206:32788
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32792 82.65.116.206:32792
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32794 82.65.116.206:32794
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32797 82.65.116.206:32797    
...etc.

3. There were many entries in the event viewer that said:
Warning
Source: MSFTPSVC
Event ID: 10
User email@notset.com at host 80.14.20.91 has timed-out after 900 seconds of inactivity

**the email and IP address varied, but this one was most common

The first thing I did was update the Norton Corporate Edition definitions (they were only 1 week old), unplugged it from the network, and ran a full system scan.  Norton found nothing.  So, I plugged it back in, downloaded the latest AdAware reference file, unplugged it, scanned, and only found 4 objects.  I had AdAware remove them.  Unfortunately, when I plugged the server back in, a few seconds later, tons of FTP traffic spewed forth again.  Also, Windows Updates were downloaded a week or so ago.

So right now, the server is unplugged from the network.   Unfortunately again, I have little experience with access-lists, ours was configured by someone else, but I noticed our incoming access-list is not blocking FTP traffic.  Since this is an internal server only, I added a couple of lines in the existing inbound access-list on the router that say:

deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp
deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp-data    

This has not stopped the traffic problem.  Is the syntax right?  My next thought is to add deny ftp entries on the outbound access list.  If the FTP traffic is originating from an internet source, then blocking the FTP port should've fixed the problem.  If the traffic is coming from the Win2k server, then blocking outbound FTP will only alleviate the symptoms and not the cause of the traffic.  

At this point, I wasn't sure who to call...Microsoft, Symantec, or the restaurant next door for lunch lol.  There aren't any network security engineers in this area, so I thought I'd ask you guys for help.  :)

Additional information:  This server sits behind 2 routers.  The KDH router, which connects to the internet and has the ACL's and NAT configured, and the Harb router that's local to the Win2k server.  Normal pings from the Harb router to the main KDH router are around 12ms.  When the FTP traffic was spiking, I was getting 1200 to 2200ms ping times, and not many time outs.

Any help would be GREATLY appreciated!

DB
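Added example, not part of the thread: a small Python script that reads rows in the `show ip nat translations` format quoted above, infers from the port numbers which side opened each connection, and checks whether a deny line of the shape posted above would match the outside-to-inside packets of each translation. The inside-global address is masked in the post (63.165.xxx.xxx), so the sample rows use 192.0.2.10 and 192.0.2.0/27 from the TEST-NET documentation range as a stand-in; the sample rows, the extra outbound row, the function names and the "well-known port below 1024" heuristic are this example's own assumptions.

```python
"""Read 'show ip nat translations' rows, infer connection direction, and
evaluate an extended-ACL deny line against them.

Example code added to the thread; the sample data, names and heuristics
below are this example's assumptions, not anything from the original post.
"""
import ipaddress
from collections import Counter

# IOS port keywords used in the post's ACL lines.
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

# Constructed sample modelled on the rows quoted in the post.  The post masks
# the inside-global address as 63.165.xxx.xxx; 192.0.2.10 (TEST-NET-1) stands
# in for it.  The last row is an added outbound FTP session for contrast.
SAMPLE_NAT = """\
Pro Inside global      Inside local       Outside local         Outside global
tcp 192.0.2.10:21      10.0.31.5:21       82.65.116.206:32778   82.65.116.206:32778
tcp 192.0.2.10:21      10.0.31.5:21       82.65.116.206:32781   82.65.116.206:32781
tcp 192.0.2.10:21      10.0.31.5:21       80.14.20.91:1034      80.14.20.91:1034
tcp 192.0.2.10:1025    10.0.31.5:1025     198.51.100.7:21       198.51.100.7:21
"""

# The two deny lines from the post, with the masked network replaced as above.
SAMPLE_ACL = [
    "deny tcp any 192.0.2.0 0.0.0.31 eq ftp",
    "deny tcp any 192.0.2.0 0.0.0.31 eq ftp-data",
]


def _split(addr_port):
    """'82.65.116.206:32778' -> ('82.65.116.206', 32778)."""
    ip, port = addr_port.rsplit(":", 1)
    return ip, int(port)


def parse_nat_translations(text):
    """Parse port-level tcp/udp rows; skip the header and static '---' rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp"):
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": _split(ig),
                     "inside_local": _split(il), "outside_local": _split(ol),
                     "outside_global": _split(og)})
    return rows


def direction(row):
    """Heuristic: the side holding a well-known port (<1024) is the server.
    Inside port 21 with an outside ephemeral port means the outside host
    opened the connection to the inside host's FTP service."""
    in_port = row["inside_local"][1]
    out_port = row["outside_global"][1]
    if in_port < 1024 <= out_port:
        return "inbound"
    if out_port < 1024 <= in_port:
        return "outbound"
    return "unknown"


def parse_acl_line(line):
    """Parse only the shape used in the post:
    '<deny|permit> tcp any <network> <wildcard> eq <port>'."""
    t = line.split()
    if len(t) != 7 or t[2] != "any" or t[5] != "eq":
        raise ValueError("unsupported ACL shape: %r" % line)
    port = PORT_NAMES[t[6]] if t[6] in PORT_NAMES else int(t[6])
    return {"action": t[0], "proto": t[1], "dst_net": t[3],
            "dst_wild": t[4], "dst_port": port}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard masks: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def inbound_acl_would_match(acl, row):
    """Evaluate the outside->inside packets of this translation.  An inbound
    ACL on the outside interface sees them before NAT, i.e. with the inside
    *global* address and port as the destination."""
    if acl["proto"] != row["proto"]:
        return False
    dst_ip, dst_port = row["inside_global"]
    return (wildcard_match(dst_ip, acl["dst_net"], acl["dst_wild"])
            and dst_port == acl["dst_port"])


def summarize(nat_text, acl_lines):
    """One record per translation, plus inbound-connection counts per outside
    host (the 'who is hammering the FTP service' view)."""
    acls = [parse_acl_line(line) for line in acl_lines]
    per_host = Counter()
    report = []
    for row in parse_nat_translations(nat_text):
        d = direction(row)
        if d == "inbound":
            per_host[row["outside_global"][0]] += 1
        denied = any(a["action"] == "deny" and inbound_acl_would_match(a, row)
                     for a in acls)
        report.append({"inside": row["inside_local"],
                       "outside": row["outside_global"],
                       "direction": d, "denied": denied})
    return report, per_host


if __name__ == "__main__":
    rep, hosts = summarize(SAMPLE_NAT, SAMPLE_ACL)
    for r in rep:
        print(r)
    print("inbound connections per outside host:", dict(hosts))
```

On the sample rows the outside hosts hold the ephemeral ports and the inside host holds port 21, so the outside hosts initiated the connections to the server's FTP service, and the posted deny line matches those packets when it is applied inbound on the outside interface (for outside-to-inside traffic IOS evaluates the inbound ACL before NAT, so the destination it sees is the inside global address). Which interface and direction the real list is applied to cannot be read from the post, so the script only answers "would this line match these packets", not "why did it not take effect".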



Shalom Carmel:
Are there any unknown services running on the server?
fcisler: (reply hidden, available to members only)
DangerBabe (asker):
Thanks for the replies, guys!  Strangely, when I was typing a response here earlier, I noticed my pings return to normal (after I had plugged the server back into the network to see if I could spot any unusual processes), so I've been watching it for a while.  So far, everything looks back to normal without me having done anything.

@Shalomc
Here's a list of processes that was running while the traffic was heavy....

System Idle Process  
MDaemon.exe
rtvscan.exe
System
CFEngine.exe
explorer.exe
wperl.exe
inetinfo.exe
LSASS.EXE
ntfrs.exe
tcpsvcs.exe
SERVICES.EXE
WINLOGON.EXE
WebAdmin.exe
DNS.EXE
spoolsv.exe
TASKMGR.EXE
CSRSS.EXE
svchost.exe
termsrv.exe
dfssvc.exe
WinMgmt.exe
LLSSRV.EXE
IcePack.exe
svchost.exe
HNDLRSVC.EXE
IAO.EXE
NTVDM.EXE
ismserv.exe
pds.exe
Syslogd_Service
svchost.exe
MSGSYS.EXE
msdtc.exe
NcsTop.exe
mstask.exe
tb2pro.exe
qserver.exe
XFR.EXE
DLLHOST.EXE
ScanExplicit.ex
LOCATOR.EXE
kodakimg.exe
tb2launch.exe
regsvc.exe
lxsupmon.exe
DBNTSRV.EXE
svchost.exe
vptray.exe
defwatch.exe
svchost.exe
SMSS.EXE
TNotify.exe
tb2logon.exe

The tb* entries are Timbuktu, which is not configured to use a modem, the only user account configured to access it remotely is mine, and guest access is disabled.

@fcisler
Oops, I forgot to add in my first message that I tried disabling FTP Publishing Service from the Services listing and also tried stopping the Default FTP site under IIS.  Neither seemed to affect the traffic.  Is there another place to disable FTP?  Also, the Win2000 guest account is disabled.  If the FTP traffic starts back up again, I'll definitely check the current sessions under the IIS manager.

Do you have any Windows XP computers on the network?
ASKER CERTIFIED SOLUTION (hidden, available to members only)
Just noticed you're running behind NAT... nothing from the outside world should be able to see your Win2K box unless you have a port forward set up to direct all port 21 requests to that machine from the outside world.

What type of router/firewall are you running?
@Chris
Yes, we have a mixture of Win98, XP, and about 4 ME machines.  There are about 100 PCs on the network.

@browman
Thanks for the TDIMon link!  It's now installed and has been running since 9:05 US Eastern time on March 31.  So far, there hasn't been a flood of FTP traffic.
Both the main router in the headquarters office (KDH) and the router in the other office local to the 2k server (Harb) are Cisco 2620's.  As far as the firewall settings, we're running access-lists only (as far as I know, since I'm still a n00b with routers and firewalls).  The company hired a guy a couple years ago to configure the routers.  My first thought was how someone could have gotten in to see the win2k box behind NAT since I don't have any public IPs set up on it either.  I certainly didn't set up any port forwarding.  Is port forwarding on a 2620 set up in the access-lists?  Speaking of public IPs and port forwarding, this server is running a small internal website and has been for over a year.  As of a month or so ago, there's a new person who has taken over maintaining the website, and she's using FTP software to upload her site changes instead of FrontPage like the previous person.  Could she have done something on her end to open up the internal site to the public?

I can't speak for the particular router that you've got, but if you're running a web server and FTP server from inside a NAT subnet, then yes, you'll have port forwarding dealing with that side of things, probably on both ports 80 and 21 by the sound of things.

Best practice is to use a separate IP address and a separate bridged subnet (called a DMZ) for this kind of approach.  That way, if anyone does compromise your public box, they can't then use it to get into your network.

Whenever you have an active public FTP server running, you're always going to get some opportunist hacking attempts.  It sounds like you've got onto someone's "must crack" list.  As long as you aren't allowing anonymous access, and you've got reliable and secure FTP server software, that's about the best you can do, although you could theoretically limit the IP ranges that can connect via FTP (depending on the router).

@browman
Hmmm.... They should only be ftp'ing to the intranet site from inside the network.  This box isn't supposed to be accessible to the public, so there wouldn't be a point in sticking it in a DMZ.

In other words, this Win2k box is only supposed to be providing DNS, DHCP, and hosting internal web sites, and those sites should only be able to be modified and viewed internally.

But on another note: since my first post was about how to stop the flood of traffic to and/or from the Win2k box, and mysteriously there has been no more sign of that traffic since the 29th, and I'm leaving this job and relocating to another city in about 2 weeks, I suppose I should go ahead and award points?  Since this is my first ever topic, I'm not sure how to award points since the problem ended on its own.  I was thinking of splitting the points between fcisler and browman's TDIMon reply.


Let's start at the basics (sorry if I'm getting into this late in the game). You're behind NAT.

First things first, disable access to your box through FTP ports. Cut and dry. If there is no mapping to that box, they won't get to it on those ports.

If you don't need FTP services, deny it to everyone outside your network. Half your problem is solved.

Next, have a look at your traffic with the utilities from above and see where your traffic is coming from, if it's even there anymore at all.

The DMZ. Although it DOES protect your network from someone who takes over your box, it DOES expose your box to the world unless you are savvy enough to configure your rules properly. May I suggest a NAT'ed subnet for your public servers, and another subnet for your corporate network?
Well, you choose your poison on that one.

I had a quick look at what services you have running on your server.
The attention getters there are:

tb2pro.exe (are you running the remote administration tool Timbuktu? Dangerous to have this internet-facing; easy to hack.)
WebAdmin.exe  (how many remote administration tools do you need anyway?)
termsrv.exe (Terminal Services? This is getting ugly.)
xfr.exe (Intel File Transfer? This server is managing clients? is this a web server or what?)

OK, enough of that. It appears to me that this server is either (one) WAY over-tasked. Not saying that it's being overworked, but it's doing a bit too much.
And it appears that it's performing both public services and private services. It's a good idea to keep these things separate.
OR (two) it was not hardened when the OS was installed in the first place. Either way, you've got a recipe for disaster in my opinion.

Wherever you go... Don't allow internal and external services to be mixed on an internet-facing server.
Good luck in everything you do.