Re: Rogue FTP Servers

[Todd Clementz <clementz.7 () OSU EDU>]

We had the same types of issues at our School before we put the firewall in.
Professors would open infected email and with the network shares we have it
didn't take long to get around.  Once we put the firewall in and blocked
everything by default then started opening ports up we were able to
eliminate the problem.  In order to use FTP access we used FTP clients that
when you open them up in passive mode you the client would be able to pick a
port and run without using the normal FTP port.

Todd Clementz
Systems Administrator
Knowlton School of Architecture
The Ohio State University
614.292.8544


----- Original Message -----
From: "Jordan Wiens" <numatrix () UFL EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, November 02, 2004 2:34 PM
Subject: Re: [SECURITY] Rogue FTP Servers


> On Tue, 2 Nov 2004, Elliott Franklin wrote:
>
> > We are experiencing a small number of compromised machines running FTP
> > servers on various non-standard ports.  The most recent port used was
> > 6366
> > and we have located this on 30 machines.  I can't find anything on any of
> > the major virus sites to help us understand how this is occurring.
> > Anyone
> > else experiencing something similar?
>
> They're usually infected with a variety of different methods.  Popular
> culprits of late (for the windows ftp zombies) have been:
>
>  1) bot infections (that spread internally via some of the other listed
> methods -- often IRC controlled, though the warez folks tend to be using
> more manual methods from what I've seen)
>  2) RPC/Netbios exploits
>  3) Weak/nonexistant passwords on local user accounts
>  4) Client-side browser exploits in IE; lots of malware is getting
> installed from users visiting malicious websites with vulnerable browsers
>
> It's hard to say for certain, but those seem to be the most common methods
> lately.  The ftp server is merely the end result of different
> hacking/warez crews using machines compromised with various methods in
> their storage networks.
>
> That said, we had one 6366 host and it looks like the crew advertising it
> was 2k2-fxp (with an ascii bat logo in their ftp banner).
>
> It looks like they use a process of net1.exe and register it as service
> net1.exe.  The servu config is pscript.ini (ignore the bogus cruft up top,
> there's a bunch of binary exe looking data that's actually just commented
> out junk with the actual config down below).
>
> Unfortunately, I can't pin down their actual method of entry for that
> paricular system, but I be as described above it's one of those.
>
> --
> Jordan Wiens, CISSP
> UF Network Security Engineer
> (352)392-2061
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.