Educause Security Discussion mailing list archives

Re: Rogue FTP Servers


From: Jordan Wiens <numatrix () UFL EDU>
Date: Tue, 2 Nov 2004 14:34:16 -0500

On Tue, 2 Nov 2004, Elliott Franklin wrote:

> We are experiencing a small number of compromised machines running FTP
> servers on various non-standard ports.  The most recent port used was 6366
> and we have located this on 30 machines.  I can't find anything on any of
> the major virus sites to help us understand how this is occurring.  Anyone
> else experiencing something similar?

They're usually infected with a variety of different methods.  Popular
culprits of late (for the windows ftp zombies) have been:

  1) bot infections (that spread internally via some of the other listed
methods -- often IRC controlled, though the warez folks tend to be using
more manual methods from what I've seen)
  2) RPC/Netbios exploits
  3) Weak/nonexistent passwords on local user accounts
  4) Client-side browser exploits in IE; lots of malware is getting
installed from users visiting malicious websites with vulnerable browsers

It's hard to say for certain, but those seem to be the most common methods
lately.  The ftp server is merely the end result of different
hacking/warez crews using machines compromised with various methods in
their storage networks.

That said, we had one 6366 host and it looks like the crew advertising it
was 2k2-fxp (with an ascii bat logo in their ftp banner).

It looks like they use a process of net1.exe and register it as service
net1.exe.  The servu config is pscript.ini (ignore the bogus cruft up top,
there's a bunch of binary exe looking data that's actually just commented
out junk with the actual config down below).

Unfortunately, I can't pin down their actual method of entry for that
particular system, but I bet, as described above, it's one of those.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
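To locate hosts like the 30 Elliott describes, a defender would sweep the subnet for listeners on the reported port and classify whatever answers. The script below is an added example, not code from this thread or from either poster: it reads each listener's first response, recognises an FTP greeting (a run of `220-` lines closed by a `220 ` line), and flags a likely rogue server when it sits on a non-standard port such as 6366, identifies itself as Serv-U, or carries an ASCII-art banner like the one described. The hosts, ports and banners are constructed samples; the 0.25 symbol-ratio threshold and the `serv-u` substring check are my own assumptions.

```python
import re
import socket

STANDARD_FTP_PORTS = {21, 990}

# Constructed sample responses (not real captures): a legitimate server on 21,
# a rogue Serv-U on 6366 with an ASCII-art greeting, and a non-FTP listener.
SAMPLE_RESPONSES = {
    ("10.0.0.5", 21): b"220 corp-files FTP server ready.\r\n",
    ("10.0.0.77", 6366): (b"220-   /\\_/\\   2k2-fxp\r\n"
                          b"220-  ( o.o )  ===========\r\n"
                          b"220-   > ^ <   [ pub ]\r\n"
                          b"220 Serv-U FTP Server ready\r\n"),
    ("10.0.0.9", 6366): b"HTTP/1.0 400 Bad Request\r\n",
}

def classify(port, raw):
    """Return {'ftp', 'rogue', 'reasons'} for one listener's first response."""
    lines = [l for l in raw.decode("latin-1").splitlines() if l.strip()]
    # An FTP greeting is zero or more '220-' lines closed by one '220 ' line.
    is_ftp = (bool(lines) and lines[-1].startswith("220 ")
              and all(re.match(r"^220[ -]", l) for l in lines))
    if not is_ftp:
        return {"ftp": False, "rogue": False, "reasons": []}
    reasons = []
    if port not in STANDARD_FTP_PORTS:
        reasons.append(f"ftp on non-standard port {port}")
    if b"serv-u" in raw.lower():  # assumed indicator; banners are often customised
        reasons.append("serv-u banner")
    # ASCII-art heuristic (assumed threshold): share of symbol characters among
    # the non-blank text that follows the '220-' / '220 ' prefixes.
    text = "".join(c for l in lines for c in l[4:] if not c.isspace())
    if text and sum(not c.isalnum() for c in text) / len(text) > 0.25:
        reasons.append("ascii-art style banner")
    return {"ftp": True, "rogue": bool(reasons), "reasons": reasons}

def grab_banner(host, port, timeout=3.0):
    """Connect and read the greeting; OSError propagates if nothing answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(2048)

def scan(targets, fetch=grab_banner):
    """Classify every (host, port); pass another 'fetch' for offline use."""
    findings = {}
    for host, port in targets:
        try:
            findings[(host, port)] = classify(port, fetch(host, port))
        except OSError:
            pass  # closed or filtered port: nothing to classify
    return findings
```

Run `scan(SAMPLE_RESPONSES, lambda h, p: SAMPLE_RESPONSES[(h, p)])` to exercise it offline; with the default `fetch` it probes the listed (host, port) pairs over the network.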
