Educause Security Discussion mailing list archives
Re: Rogue FTP Servers
From: Todd Clementz <clementz.7 () OSU EDU>
Date: Tue, 2 Nov 2004 15:25:09 -0500
We had the same types of issues at our school before we put the firewall in. Professors would open infected email and, with the network shares we have, it didn't take long to get around. Once we put the firewall in and blocked everything by default, then started opening ports up, we were able to eliminate the problem. In order to use FTP access we used FTP clients that, when you open them up in passive mode, let the client pick a port and run without using the normal FTP port.

Todd Clementz
Systems Administrator
Knowlton School of Architecture
The Ohio State University
614.292.8544

----- Original Message -----
From: "Jordan Wiens" <numatrix () UFL EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, November 02, 2004 2:34 PM
Subject: Re: [SECURITY] Rogue FTP Servers
On Tue, 2 Nov 2004, Elliott Franklin wrote:

> We are experiencing a small number of compromised machines running FTP servers on various non-standard ports. The most recent port used was 6366 and we have located this on 30 machines. I can't find anything on any of the major virus sites to help us understand how this is occurring. Anyone else experiencing something similar?

They're usually infected with a variety of different methods. Popular culprits of late (for the Windows FTP zombies) have been:

1) bot infections (that spread internally via some of the other listed methods -- often IRC controlled, though the warez folks tend to be using more manual methods from what I've seen)
2) RPC/NetBIOS exploits
3) Weak/nonexistent passwords on local user accounts
4) Client-side browser exploits in IE; lots of malware is getting installed from users visiting malicious websites with vulnerable browsers

It's hard to say for certain, but those seem to be the most common methods lately. The FTP server is merely the end result of different hacking/warez crews using machines compromised with various methods in their storage networks.

That said, we had one 6366 host and it looks like the crew advertising it was 2k2-fxp (with an ASCII bat logo in their FTP banner). It looks like they use a process of net1.exe and register it as service net1.exe. The Serv-U config is pscript.ini (ignore the bogus cruft up top; there's a bunch of binary exe-looking data that's actually just commented-out junk, with the actual config down below). Unfortunately, I can't pin down their actual method of entry for that particular system, but I'd bet, as described above, it's one of those.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
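The thread is about finding compromised hosts that run an FTP server on a port nobody expects (6366 in Elliott's case) and, as Jordan notes, recognising them from the banner. The following Python script is an added example written for this archive page, not code from any of the posters: it takes service-greeting records (the first line a TCP service sends after connect, in a constructed log format, with constructed sample data) and flags hosts whose greeting looks like an FTP server on a port other than the ones the site expects. The one caveat it handles is that SMTP greetings also start with `220`, so a `220` line is only counted as FTP when it names a known FTP daemon or, failing that, is at least not recognisably SMTP (reported as `ftp-suspect`, since a crew's custom banner such as the ASCII-logo one Jordan describes may not contain the word "FTP" at all). The daemon names in `FTP_SERVER_RE` and the record layout are assumptions for the example.

```python
import re

# Constructed sample records, one per observed server greeting. Assumed layout:
#   <timestamp> <server_ip>:<server_port> <client_ip> "<first line sent by server>"
SAMPLE_GREETINGS = """\
2004-11-02T14:01:05 10.20.3.41:21 10.20.9.7 "220 ProFTPD Server ready."
2004-11-02T14:01:09 10.20.3.55:25 10.20.9.7 "220 mail.example.edu ESMTP Sendmail ready"
2004-11-02T14:02:11 10.20.7.118:6366 10.20.9.7 "220 Serv-U FTP Server v5.0 for WinSock ready..."
2004-11-02T14:02:30 10.20.7.131:6366 10.20.9.7 "220-    /\\_/\\  welcome to the site"
2004-11-02T14:03:02 10.20.8.12:80 10.20.9.7 "HTTP/1.0 400 Bad Request"
2004-11-02T14:03:40 10.20.7.118:6366 10.20.9.8 "220 Serv-U FTP Server v5.0 for WinSock ready..."
"""

LINE_RE = re.compile(
    r'^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+"(.*)"$')

# Product names that identify an FTP daemon in its greeting (assumed list).
FTP_SERVER_RE = re.compile(
    r'\bftp\b|serv-u|proftpd|vsftpd|filezilla|wu-ftpd|warftpd', re.I)
# SMTP also greets with "220"; these markers rule a banner out as mail.
SMTP_RE = re.compile(r'\be?smtp\b|sendmail|postfix|exim', re.I)


def classify_banner(banner):
    """Return 'ftp', 'ftp-suspect', 'smtp', or None for a greeting line."""
    if not banner.startswith('220'):
        return None
    if SMTP_RE.search(banner):
        return 'smtp'
    if FTP_SERVER_RE.search(banner):
        return 'ftp'
    # A 220 greeting that is neither clearly SMTP nor a known FTP daemon:
    # custom warez banners land here, so report it for a closer look.
    return 'ftp-suspect'


def find_rogue_ftp(text, expected_ftp_ports=frozenset({21})):
    """Group FTP-looking greetings by (host, port), skipping expected ports."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record; ignore rather than crash
        ts, host, port, client, banner = m.groups()
        port = int(port)
        kind = classify_banner(banner)
        if kind in ('ftp', 'ftp-suspect') and port not in expected_ftp_ports:
            f = findings.setdefault((host, port), {
                'host': host, 'port': port, 'kind': kind,
                'banner': banner, 'first_seen': ts, 'clients': set()})
            f['clients'].add(client)
    return sorted(findings.values(), key=lambda f: (f['host'], f['port']))


def hosts_per_port(findings):
    """Summarise how many distinct hosts serve on each unexpected port."""
    summary = {}
    for f in findings:
        summary.setdefault(f['port'], []).append(f['host'])
    return {port: sorted(hosts) for port, hosts in summary.items()}


if __name__ == '__main__':
    results = find_rogue_ftp(SAMPLE_GREETINGS)
    for f in results:
        print(f"{f['host']}:{f['port']} {f['kind']} first seen {f['first_seen']} "
              f"clients={len(f['clients'])} banner={f['banner']!r}")
    print(hosts_per_port(results))
```

The per-port summary is the view Elliott's "30 machines on 6366" came from: a single non-standard port recurring across many hosts is a stronger signal of one crew's storage network than any individual banner. Feed real records in the same layout (or adapt `LINE_RE` to your sensor's format) and widen `expected_ftp_ports` for any sanctioned servers.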
Current thread:
- Rogue FTP Servers Elliott Franklin (Nov 02)
- <Possible follow-ups>
- Re: Rogue FTP Servers John Bambenek (Nov 02)
- Re: Rogue FTP Servers Daniel Adinolfi (Nov 02)
- Re: Rogue FTP Servers Mike Iglesias (Nov 02)
- Re: Rogue FTP Servers Anderson, Brandie (Nov 02)
- Re: Rogue FTP Servers Jordan Wiens (Nov 02)
- Re: Rogue FTP Servers Elliott Franklin (Nov 02)
- Re: Rogue FTP Servers Justin Azoff (Nov 02)
- Re: Rogue FTP Servers Anderson, Brandie (Nov 02)
- Re: Rogue FTP Servers Todd Clementz (Nov 02)
- Re: Rogue FTP Servers Lucas, Bryan (Nov 02)
- Re: Rogue FTP Servers Geoff (Nov 02)
- Re: Rogue FTP Servers Brian Eckman (Nov 02)
- Re: Rogue FTP Servers Wyman Miles (Nov 02)
- Re: Rogue FTP Servers Schmidt, Eric W (Nov 02)
- Re: Rogue FTP Servers James H Moore (Nov 02)
- Re: Rogue FTP Servers RLVaughn (Nov 02)
- Re: Rogue FTP Servers Mark Wilson (Nov 03)
- Re: Rogue FTP Servers Jason Richardson (Nov 04)