Educause Security Discussion mailing list archives

Re: Rogue FTP Servers


From: Jason Richardson <A00JER2 () WPO CSO NIU EDU>
Date: Thu, 4 Nov 2004 16:05:18 -0600

We found 15, all running FTP on port 1625.  Most were Windows clients
but a couple were fully patched Windows 2000 servers which had our
Windows server support group pretty confused (and irritated).

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

wilsodm () AUBURN EDU 11/3/2004 4:20:20 PM >>>
We found the same thing here at AU.  Port 113/tcp open and high ftp port usually indicates it may be part of a Botnet and serving warez.  I wrote an expect script that telnets into port 113 and grabs the banner, which usually looks like:
: USERID : UNIX :



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

wm63 () CORNELL EDU 11/2/2004 3:20:34 PM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Tuesday, November 02, 2004 3:16 PM -0500 Justin Azoff <JAzoff () UAMAIL ALBANY EDU> wrote:

On Tue, 2004-11-02 at 14:28, Anderson, Brandie wrote:
Does the banner say anything about "pubstro"?


I found one that had a banner of:
220-FTP SerVeR ReADy
220-_______________________________________________
220-                      - = ] MadHouse [ = -
220-???????????????????????????????????????????????
220-         This Stro is Brought You By Divx_due
220-                    & Evisu!
220-                ____________
220-                 User iNFO :
.....

Does "Stro" mean something in another language?

--
-- Justin Azoff
-- Network Performance Analyst

We've seen all manner of different banners and ports.  One banner in particular was drawn directly from OpenSSH and clearly intended to mimic an SSH server -- only the '220' at the front was the giveaway.  Ports are chosen at random and one machine often has several FTP servers present.

About the only consistency we saw recently was the presence of an ident listener (113/tcp) on botted systems.  Finding this more often than not led to finding FTP servers on high ports.


Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v3.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBQYf6I8RE6QfTb3V0EQLvnACg6yAntrx0e9dvZWUBs9rJQ9x1RqsAoJdA
VEu4uSUT05AGyxjHEeuTHBab
=8Wzd
-----END PGP SIGNATURE-----
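Worked example, added to this archive page and not taken from any poster's script: a Python triage helper that applies the thread's rule of thumb to grabbed banners. It flags an ident answer on 113/tcp, a "220" FTP greeting on a non-standard port, "stro"/warez marker text, and a "220" greeting that carries SSH banner text as Wyman describes. The marker list and the sample banners (apart from the MadHouse lines quoted in Justin's post) are constructed for the example, and `grab_banner` is the network counterpart for your own sweep of hosts a 113/tcp scan turned up.

```python
"""Offline triage of ident (113/tcp) and FTP banners, modelled on the
Educause "Rogue FTP Servers" thread. Added example, not list code."""
import re
import socket

FTP_PORT = 21
IDENT_PORT = 113

# Ident reply fragment the thread reports (": USERID : UNIX :"); group 1
# captures the claimed operating system field.
IDENT_RE = re.compile(r":\s*USERID\s*:\s*([^:\r\n]*?)\s*:", re.IGNORECASE)

# Constructed marker list: strings the thread mentions in "stro" banners.
STRO_MARKERS = (
    ("stro", re.compile(r"\b(pub)?stro\b", re.IGNORECASE)),
    ("warez", re.compile(r"\bwarez\b", re.IGNORECASE)),
    ("brought you by", re.compile(r"brought\s+(to\s+)?you\s+by", re.IGNORECASE)),
)


def classify_banner(port, text):
    """Classify one banner grabbed from `port` and list the reasons (if any)
    it matches the rogue FTP / ident pattern described in the thread."""
    stripped = text.strip()
    lowered = stripped.lower()
    reasons = []

    if IDENT_RE.search(stripped):
        kind = "ident"
        if port == IDENT_PORT:
            reasons.append("ident listener answering on 113/tcp")
    elif stripped.startswith("220"):
        kind = "ftp"
        if port != FTP_PORT:
            reasons.append("FTP greeting on non-standard port %d" % port)
        if "ssh-" in lowered or "openssh" in lowered:
            reasons.append("220 greeting carrying SSH banner text")
        hits = [name for name, rx in STRO_MARKERS if rx.search(stripped)]
        if hits:
            reasons.append("warez-dump markers: " + ", ".join(hits))
    elif stripped.startswith("SSH-"):
        kind = "ssh"
    else:
        kind = "unknown"
    return {"port": port, "kind": kind, "reasons": reasons}


def triage_host(banners):
    """banners: {port: banner_text}. The thread's rule of thumb: ident on
    113 plus an FTP greeting on a high port is the strongest signal."""
    findings = [classify_banner(p, t) for p, t in sorted(banners.items())]
    ident = any(f["kind"] == "ident" and f["port"] == IDENT_PORT for f in findings)
    rogue_ftp = [f for f in findings if f["kind"] == "ftp" and f["port"] != FTP_PORT]
    if ident and rogue_ftp:
        level = "high"
    elif ident or rogue_ftp:
        level = "medium"
    else:
        level = "none"
    return {"level": level, "findings": findings}


def grab_banner(host, port, timeout=3.0, probe=b"\r\n"):
    """Network probe (not exercised offline): connect, send a bare CRLF so an
    ident listener has a request to answer (a conforming identd replies with
    an ERROR line; FTP greets on connect regardless), return the text seen."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(probe)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server is waiting for a command; we have the greeting
    return b"".join(chunks).decode("latin-1", "replace")


# Constructed sample hosts for an offline run. The 1625 banner reuses lines
# quoted in the thread; the 113 and 2222 replies are made up for the example.
SUSPECT_HOST = {
    113: " : USERID : UNIX :\r\n",
    1625: ("220-FTP SerVeR ReADy\r\n"
           "220-         This Stro is Brought You By Divx_due\r\n"
           "220-                    & Evisu!\r\n"),
    2222: "220-SSH-1.99-OpenSSH_3.6.1p2\r\n",
}
CLEAN_HOST = {21: "220 ProFTPD Server ready.\r\n", 22: "SSH-2.0-OpenSSH_3.9\r\n"}

if __name__ == "__main__":
    for name, host in (("suspect", SUSPECT_HOST), ("clean", CLEAN_HOST)):
        report = triage_host(host)
        print("%s: %s" % (name, report["level"]))
        for f in report["findings"]:
            if f["reasons"]:
                print("  %5d %-5s %s" % (f["port"], f["kind"], "; ".join(f["reasons"])))
```

Run as-is it reports the suspect host as "high" (ident plus two rogue FTP greetings) and the clean host as "none"; a host with only the ident listener or only a high-port FTP greeting comes out "medium", which is about the confidence Mark and Wyman describe for either indicator on its own.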

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
