Educause Security Discussion mailing list archives
Re: Rogue FTP Servers
From: Jason Richardson <A00JER2 () WPO CSO NIU EDU>
Date: Thu, 4 Nov 2004 16:05:18 -0600
We found 15, all running FTP on port 1625. Most were Windows clients but a couple were fully patched Windows 2000 servers which had our Windows server support group pretty confused (and irritated).

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu
wilsodm () AUBURN EDU 11/3/2004 4:20:20 PM >>>
We found the same thing here at AU. Port 113/tcp open and high ftp port usually indicates it may be part of a botnet and serving warez. I wrote an expect script that telnets into port 113 and grabs the banner, which usually looks like:

: USERID : UNIX :

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
wm63 () CORNELL EDU 11/2/2004 3:20:34 PM >>>
--On Tuesday, November 02, 2004 3:16 PM -0500 Justin Azoff <JAzoff () UAMAIL ALBANY EDU> wrote:
On Tue, 2004-11-02 at 14:28, Anderson, Brandie wrote:
> Does the banner say anything about "pubstro"?

I found one that had a banner of:

220-FTP SerVeR ReADy
220-_______________________________________________
220- - = ] MadHouse [ = -
220-???????????????????????????????????????????????
220- This Stro is Brought You By Divx_due
220- & Evisu!
220- ____________
220- User iNFO : .....

Does "Stro" mean something in another language?

--
Justin Azoff
Network Performance Analyst
We've seen all manner of different banners and ports. One banner in particular was drawn directly from OpenSSH and clearly intended to mimic an SSH server -- only the '220' at the front was the giveaway. Ports are chosen at random and one machine often has several FTP servers present. About the only consistency we saw recently was the presence of an ident listener (113/tcp) on botted systems. Finding this more often than not led to finding FTP servers on high ports.

Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
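A small detector, added here as an example and not code from anyone on this thread, that applies the heuristics the replies describe when sweeping one's own hosts: an ident listener on 113/tcp, an FTP "220" greeting on a port other than 21, and an FTP server presenting an OpenSSH-style banner. The sample banners are constructed, and the ident query sent by grab_banner is a placeholder port pair, an assumption of mine rather than something the thread specifies.

```python
import re
import socket

FTP_REPLY = re.compile(rb"^(\d{3})[ -]")  # RFC 959 reply code, e.g. "220 " or "220-"

def classify_banner(banner: bytes) -> str:
    """Label the first line a service sends: FTP replies start with a 3-digit code
    (220 = greeting), SSH with "SSH-", ident (RFC 1413) answers contain USERID/ERROR."""
    first = banner.split(b"\n", 1)[0].strip()
    if b": USERID :" in first or b": ERROR :" in first:
        return "ident"
    m = FTP_REPLY.match(first)
    if m:
        # an FTP reply wrapping an SSH version string is the mimicry the thread saw
        if b"SSH-" in first:
            return "ftp-mimicking-ssh"
        return "ftp" if m.group(1) == b"220" else "ftp-reply"
    if first.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def assess_host(banners: dict) -> list:
    """Apply the thread's heuristic to {port: banner} for one host: an ident listener
    (a hint only), an FTP greeting off port 21, or an FTP server dressed up as SSH."""
    findings = []
    labels = {port: classify_banner(b) for port, b in banners.items()}
    if labels.get(113) == "ident":
        findings.append("ident listener on 113/tcp")
    for port, label in sorted(labels.items()):
        if label == "ftp" and port != 21:
            findings.append(f"FTP greeting on non-standard port {port}")
        elif label == "ftp-mimicking-ssh":
            findings.append(f"FTP server presenting an SSH banner on port {port}")
    return findings

def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Return a service's greeting. FTP and SSH speak first; ident only answers a
    "server-port , client-port" query, so a placeholder pair is sent on 113."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port == 113:
            s.sendall(b"0 , 0\r\n")  # placeholder query; only the reply shape matters
        return s.recv(1024)

# Constructed sample banners modelled on the thread's descriptions, not captured data.
SAMPLE_HOST = {
    113: b"0 , 0 : USERID : UNIX : ftpd\r\n",
    1625: b"220-FTP SerVeR ReADy\r\n220- This Stro is Brought You By ...\r\n",
    2222: b"220 SSH-2.0-OpenSSH_3.9p1\r\n",
}
print(*assess_host(SAMPLE_HOST), sep="\n")  # three findings for this sample host
```

In practice the banners dict would be filled by calling grab_banner for each open port found by a port scan of the host, and an ident listener alone should be treated as a hint that warrants the follow-up sweep, not as a finding by itself.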