Educause Security Discussion mailing list archives
Re: Rogue FTP Servers
From: Jordan Wiens <numatrix () UFL EDU>
Date: Tue, 2 Nov 2004 14:34:16 -0500
On Tue, 2 Nov 2004, Elliott Franklin wrote:

> We are experiencing a small number of compromised machines running FTP servers on various non-standard ports. The most recent port used was 6366 and we have located this on 30 machines. I can't find anything on any of the major virus sites to help us understand how this is occurring. Anyone else experiencing something similar?
They're usually infected with a variety of different methods. Popular culprits of late (for the windows ftp zombies) have been:

1) bot infections (that spread internally via some of the other listed methods -- often IRC controlled, though the warez folks tend to be using more manual methods from what I've seen)
2) RPC/Netbios exploits
3) Weak/nonexistent passwords on local user accounts
4) Client-side browser exploits in IE; lots of malware is getting installed from users visiting malicious websites with vulnerable browsers

It's hard to say for certain, but those seem to be the most common methods lately. The ftp server is merely the end result of different hacking/warez crews using machines compromised with various methods in their storage networks.

That said, we had one 6366 host and it looks like the crew advertising it was 2k2-fxp (with an ascii bat logo in their ftp banner). It looks like they use a process of net1.exe and register it as service net1.exe. The servu config is pscript.ini (ignore the bogus cruft up top, there's a bunch of binary exe looking data that's actually just commented out junk with the actual config down below). Unfortunately, I can't pin down their actual method of entry for that particular system, but I bet as described above it's one of those.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
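The thread's symptom is an FTP daemon answering on an odd port, with the same port showing up on many hosts. The script below is an added example (it is not code from the thread or from any of the posters) that turns banner-grab results into that picture: it keeps only services that reply with an FTP 220 greeting, drops the standard FTP ports, groups the rest by port, and flags ports shared by several hosts. The input format, the sample records and the host addresses are all constructed for the example; feed it the (host, port, first banner line) tuples your own scanner produces.

```python
"""Flag hosts that answer with an FTP greeting on a non-standard port.

Added example, not code from the mailing list thread. It assumes you already
have banner-grab results (host, port, first line the service sent) from a
scanner of your choice; everything below is constructed sample data.
"""
import re
from collections import defaultdict

# An FTP greeting is a 220 reply: "220 text" or the multi-line form "220-text".
FTP_GREETING = re.compile(r"^220[ -]")

# Constructed banner-grab records: (host, port, first line the service sent).
SAMPLE_BANNERS = [
    ("10.20.1.5",  21,   "220 ProFTPD Server ready."),        # legitimate FTP
    ("10.20.1.17", 6366, "220 Serv-U FTP Server ready..."),   # rogue, shared port
    ("10.20.1.18", 6366, "220-Welcome"),                      # rogue, multi-line greeting
    ("10.20.1.19", 6366, "220-Welcome"),                      # rogue, shared port
    ("10.20.2.4",  8080, "HTTP/1.1 400 Bad Request"),         # not FTP
    ("10.20.2.9",  2121, "220 (vsFTPd)"),                     # rogue, single host
    ("10.20.3.1",  22,   "SSH-2.0-OpenSSH"),                  # not FTP
]

# Ports where an FTP greeting is expected; 990 is FTPS. Adjust to local policy.
STANDARD_FTP_PORTS = {21, 990}


def is_ftp_greeting(banner: str) -> bool:
    """True if the first line looks like an FTP server greeting."""
    return bool(FTP_GREETING.match(banner))


def rogue_ftp_by_port(records, standard_ports=STANDARD_FTP_PORTS):
    """Group FTP-speaking hosts by port, excluding the standard FTP ports.

    Returns {port: sorted list of hosts}.
    """
    by_port = defaultdict(set)
    for host, port, banner in records:
        if port in standard_ports:
            continue
        if is_ftp_greeting(banner):
            by_port[port].add(host)
    return {port: sorted(hosts) for port, hosts in by_port.items()}


def widespread_ports(by_port, min_hosts=2):
    """Ports on which at least min_hosts machines run FTP: the "same port on
    30 machines" pattern from the thread, which points at one crew's tooling."""
    return sorted(port for port, hosts in by_port.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    rogue = rogue_ftp_by_port(SAMPLE_BANNERS)
    for port in sorted(rogue):
        print(f"port {port}: {len(rogue[port])} host(s): {', '.join(rogue[port])}")
    print("ports shared by several hosts:", widespread_ports(rogue))
```

On the sample data this reports port 6366 on three hosts and port 2121 on one; only 6366 clears the two-host threshold. Raise `min_hosts` on a large network so that one-off personal FTP servers do not drown out the shared-port pattern, and review the hosts on a flagged port together, since the post notes the entry method can differ from machine to machine even when the crew and the port are the same.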
Current thread:
- Rogue FTP Servers Elliott Franklin (Nov 02)
- <Possible follow-ups>
- Re: Rogue FTP Servers John Bambenek (Nov 02)
- Re: Rogue FTP Servers Daniel Adinolfi (Nov 02)
- Re: Rogue FTP Servers Mike Iglesias (Nov 02)
- Re: Rogue FTP Servers Anderson, Brandie (Nov 02)
- Re: Rogue FTP Servers Jordan Wiens (Nov 02)
- Re: Rogue FTP Servers Elliott Franklin (Nov 02)
- Re: Rogue FTP Servers Justin Azoff (Nov 02)
- Re: Rogue FTP Servers Anderson, Brandie (Nov 02)
- Re: Rogue FTP Servers Todd Clementz (Nov 02)
- Re: Rogue FTP Servers Lucas, Bryan (Nov 02)
- Re: Rogue FTP Servers Geoff (Nov 02)
- Re: Rogue FTP Servers Brian Eckman (Nov 02)
- Re: Rogue FTP Servers Wyman Miles (Nov 02)
- Re: Rogue FTP Servers Schmidt, Eric W (Nov 02)
- Re: Rogue FTP Servers James H Moore (Nov 02)
(Thread continues...)