Tons of FTP traffic from my Win2000 server...
Posted on 2004-03-29
I have a Win2k server that I think has some kind of hacker FTP script on it. This Win2k server is our internal DNS, DHCP, payroll, outgoing mail, and Intranet web server.
1. I noticed the network slowing to a crawl
2. Doing a SHOW IP NAT TRANS showed TONS of FTP traffic from that Win2k server that looks like this (with varying internet IP's):
tcp 63.165.xxx.xxx:21 10.0.31.5:21 184.108.40.206:32778 220.127.116.11:32778
tcp 63.165.xxx.xxx:21 10.0.31.5:21 18.104.22.168:32781 22.214.171.124:32781
tcp 63.165.xxx.xxx:21 10.0.31.5:21 126.96.36.199:32785 188.8.131.52:32785
tcp 63.165.xxx.xxx:21 10.0.31.5:21 184.108.40.206:32786 220.127.116.11:32786
tcp 63.165.xxx.xxx:21 10.0.31.5:21 18.104.22.168:32788 22.214.171.124:32788
tcp 63.165.xxx.xxx:21 10.0.31.5:21 126.96.36.199:32792 188.8.131.52:32792
tcp 63.165.xxx.xxx:21 10.0.31.5:21 184.108.40.206:32794 220.127.116.11:32794
tcp 63.165.xxx.xxx:21 10.0.31.5:21 18.104.22.168:32797 22.214.171.124:32797
3. There were many entries in the event viewer that said:
Event ID: 10
User email@example.com at host 126.96.36.199 has timed-out after 900 seconds of inactivity
**the email and IP address varied, but this one was most common
The first thing I did was update the Norton Corporate Edition definitions (they were only 1 week old), unplugged it from the network, and ran a full system scan. Norton found nothing. So, I plugged it back in, downloaded the latest AdAware reference file, unplugged it, scanned, and only found 4 objects. I had AdAware remove them. Unfortuntely, when I plugged the server back in, a few seconds later, tons of FTP traffic spewed forth again. Also, Windows Updates were downloaded a week or so ago.
So right now, the server is unplugged from the network. Unfortunately again, I have little experience with access-lists, ours was configured by someone else, but I noticed our incoming access-list is not blocking FTP traffic. Since this is an internal server only, I [b]added[/b] a couple of lines in the existing inbound access-list on the router that say:
deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp
deny tcp any 63.165.xxx.xxx 0.0.0.31 eq ftp-data
This has not stopped the traffic problem. Is the syntax right? My next thought is to add deny ftp entries on the outbound access list. If the FTP traffic is originating from an internet source, then blocking the FTP port should've fixed the problem. If the traffic is coming from the Win2k server, then blocking outbound FTP will only alleviate the symptoms and not cause of the traffic.
At this point, I wasn't sure who to call...Microsoft, Symantec, or the restaurant next door for lunch lol. There aren't any network security engineers in this area, so I thought I'd ask you guys for help. :)
Additional information: This server sits behind 2 routers. The KDH router, which connects to the internet and has the ACL's and NAT configured, and the Harb router that's local to the Win2k server. Normal pings from the Harb router to the main KDH router are around 12ms. When the FTP traffic was spiking, I was getting 1200 to 2200ms ping times, and not many time outs.
Any help would be GREATLY appreciated!