
Issue: Rogue FTP Servers
Risk: Critical (active) -- marker for compromise
Date: 29-Jun-2005/22-Jul-2005

Our intrusion detection system is based on Snort and it monitors the campus network. We have noted network traffic and, on testing, found a service that looks like an odd "FTP" server on a non-standard port. FTP servers should only be found on port 21/tcp.

This is very good evidence that your machine may have been compromised -- perhaps a worm installed it, or perhaps a hacker is using your system as a "Warez" site.

If you don't know why you have the odd service then you definitely have problems. We have seen many Unix and Windows machines with odd FTP servers installed by the hacker community.

You need to investigate your system.

Detection

You can determine the TCP services offered by your system (Unix, Windows, etc.) using the "netstat" command:
[11:34am wally] netstat -a | grep LISTEN
  *.sunrpc             *.*                0      0 24576      0 LISTEN
  *.ftp                *.*                0      0 24576      0 LISTEN
  *.telnet             *.*                0      0 24576      0 LISTEN
  *.shell              *.*                0      0 24576      0 LISTEN
  *.login              *.*                0      0 24576      0 LISTEN
  *.12345              *.*                0      0 24576      0 LISTEN
  ...etc
In the example there are services at the sunrpc, ftp, telnet, shell, login and "12345" port numbers. You can detect an FTP service on an odd port number by connecting to that port to see the welcome banner and then probing with a few simple commands:
[11:43am wally] telnet wally 12345
Trying 129.97.108.150...
Connected to wally.uwaterloo.ca (129.97.108.150).
Escape character is '^]'.
220 any text banner
help 
214-The following commands are recognized:
   USER    EPRT    STRU    MAIL*   ALLO    CWD     STAT*   XRMD 
   PASS    LPRT    MODE    MSND*   REST*   XCWD    HELP    PWD 
   ACCT*   EPSV    RETR    MSOM*   RNFR    LIST    NOOP    XPWD 
   REIN*   LPSV    STOR    MSAM*   RNTO    NLST    MKD     CDUP 
   QUIT    PASV    APPE    MRSQ*   ABOR    SITE*   XMKD    XCUP 
   PORT    TYPE    MLFL*   MRCP*   DELE    SYST    RMD     STOU 
214 (*'s => unimplemented)
quit
221 Goodbye.
FTP servers have a distinctive welcome banner and respond to the "help" and "quit" commands as above. Don't be conned by the welcome banner -- the text after the number can be anything.
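The probe described above, scripted as an added example that is not part of the original note: it connects to a port, requires a 220 greeting and 214/221 answers to HELP and QUIT, and flags an FTP-speaking service on any port other than 21/tcp. The fake server, its banner and its reply set are constructed so the probe can be exercised offline; point probe_ftp at your own host and the port numbers netstat reported.

```python
import socket
import socketserver
import threading

FTP_PORT = 21  # the only port on which an FTP service is expected

def read_reply(rfile):
    """Read one FTP reply; 'NNN-' opens a multi-line reply that ends at 'NNN '."""
    line = rfile.readline().decode("latin-1")
    code, reply = line[:3], line
    if not (code.isdigit() and line[3:4] == "-"):
        return reply  # single-line reply, or not FTP at all
    while line and not line.startswith(code + " "):
        line = rfile.readline().decode("latin-1")
        reply += line
    return reply

def probe_ftp(host, port, timeout=3.0):
    """Return (ftp_like, banner): True when 220 greets, HELP gets 214 and QUIT gets 221."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = read_reply(rfile).strip()
        if not banner.startswith("220"):
            return False, banner  # no FTP greeting; send nothing to an unknown service
        sock.sendall(b"HELP\r\n")
        help_ok = read_reply(rfile).startswith("214")
        sock.sendall(b"QUIT\r\n")
        quit_ok = read_reply(rfile).startswith("221")
        return help_ok and quit_ok, banner

def is_rogue_ftp(host, port):  # an FTP-speaking service on any port other than 21/tcp
    ftp_like, _ = probe_ftp(host, port)
    return ftp_like and port != FTP_PORT

# Constructed stand-in for the rogue server in the session above (made-up replies).
FAKE_REPLIES = {b"HELP": b"214-Commands recognized:\r\n   USER  PASS  QUIT\r\n214 End\r\n",
                b"QUIT": b"221 Goodbye.\r\n"}

class FakeHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(self.server.banner)
        for line in self.rfile:  # one command per line until the client disconnects
            self.wfile.write(FAKE_REPLIES.get(line.strip().upper(), b"500 Unknown command.\r\n"))

def start_fake_server(banner=b"220 any text banner\r\n"):  # returns (server, port)
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeHandler)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

A service that greets with something other than a 220 line (an SSH banner, say) is reported as not FTP without any commands being sent to it.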

See Also

For more information see the vulnerability notes on Sasser and related worms at:

http://ist.uwaterloo.ca/security/vulnerable/20040502.note
http://ist.uwaterloo.ca/security/vulnerable/20030808.note


Finally, if you have any questions/concerns or need help please let us know.

I am, Reg Quinton, Senior Technologist, Security (IST)
+1 519 888-4567x36070