troubleshooting Question

Tons of FTP traffic from my Win2000 server...

Avatar of DangerBabe
DangerBabe asked on
SecurityNetwork Security
10 Comments2 Solutions16094 ViewsLast Modified:
Greetings all

I have a Win2k server that I think has some kind of hacker FTP script on it.  This Win2k server is our internal DNS, DHCP, payroll, outgoing mail, and Intranet web server.  

The symptoms:  

1. I noticed the network slowing to a crawl
2. Doing a SHOW IP NAT TRANS showed TONS of FTP traffic from that Win2k server that looks like this (with varying internet IP's):

tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32778 82.65.116.206:32778
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32781 82.65.116.206:32781
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32785 82.65.116.206:32785
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32786 82.65.116.206:32786
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32788 82.65.116.206:32788
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32792 82.65.116.206:32792
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32794 82.65.116.206:32794
tcp 63.165.xxx.xxx:21   10.0.31.5:21       82.65.116.206:32797 82.65.116.206:32797    
...etc.

3. There were many entries in the event viewer that said:
Warning
Source: MSFTPSVC
Event ID: 10
User email@notset.com at host 80.14.20.91 has timed-out after 900 seconds of inactivity

**the email and IP address varied, but this one was most common

The first thing I did was update the Norton Corporate Edition definitions (they were only 1 week old), unplugged it from the network, and ran a full system scan.  Norton found nothing.  So, I plugged it back in, downloaded the latest AdAware reference file, unplugged it, scanned, and only found 4 objects.  I had AdAware remove them.  Unfortuntely, when I plugged the server back in, a few seconds later, tons of FTP traffic spewed forth again.  Also, Windows Updates were downloaded a week or so ago.

So right now, the server is unplugged from the network.   Unfortunately again, I have little experience with access-lists, ours was configured by someone else, but I noticed our incoming access-list is not blocking FTP traffic.  Since this is an internal server only, I [b]added[/b] a couple of lines in the existing inbound access-list on the router that say:

deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp
deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp-data    

This has not stopped the traffic problem.  Is the syntax right?  My next thought is to add deny ftp entries on the outbound access list.  If the FTP traffic is originating from an internet source, then blocking the FTP port should've fixed the problem.  If the traffic is coming from the Win2k server, then blocking outbound FTP will only alleviate the symptoms and not cause of the traffic.  

At this point, I wasn't sure who to call...Microsoft, Symantec, or the restaurant next door for lunch lol.  There aren't any network security engineers in this area, so I thought I'd ask you guys for help.  :)

Additional information:  This server sits behind 2 routers.  The KDH router, which connects to the internet and has the ACL's and NAT configured, and the Harb router that's local to the Win2k server.  Normal pings from the Harb router to the main KDH router are around 12ms.  When the FTP traffic was spiking, I was getting 1200 to 2200ms ping times, and not many time outs.

Any help would be GREATLY appreciated!

DB



Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 2 Answers and 10 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 10 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros