> On the 24th our ISP pulled the plug on our co-located servers. 
> They said our servers were pumping 20 mbs each of data through 
> the network. Upon investigation, we found around 20 ping.exe 
> processes running in the task manager. As soon as we rebooted, 
> the ping.exe processes were gone and everything was fine. The 
> ping processes were pinging yahoo.com BTW.
> 
> One of the network engineers at the center said that he was 
> familiar with this hack. He said that:
> 
> "There is a program out on the net called Win Management, with 
> it a hacker can "sneak" into the FTP port (as he explained it, 
> they ride on the coat-tails of an active FTP user), then they 
> run rsh.exe and spawn the ping.exe processes."
> 
> I was wondering if this is in fact an exploit in Serv-u (which 
> we use) or any FTP server for that matter.
> 
> What we did, anyway, was to change the FTP port from 21 to a 
> higher value.
> 
> Does anyone know if the network engineer's assessment of this 
> hack is accurate or not?

While this isn't my area of expertise, it sounds a bit fishy to me.

First of all, it seems odd that a program could "sneak into the FTP port".
While TCP hijacking is possible, it's more likely that the hijacker would
simply record FTP usernames and passwords, then connect later. Also, to run
rsh against your server, that server has to be running the remote shell
service (rshsvc), which you wouldn't install on a publicly-accessible web
server, so they'd have to upload the service binaries, then get them
installed. To install a service requires administrator privileges, so they'd
have to get an admin username and password from reading the FTP traffic, or
by getting some other process to do the installation, such as the at
service. That's a lot of work just to run twenty copies of ping.

Second, I couldn't find any mention of either "Win Management" or the
described hack in searches against securityfocus.com or other big lists.

Nevertheless, I suppose that something happened to get all those ping
instances going. And, of course, I'm a programmer, not a network or security
engineer, so who knows what's possible? 

Changing the FTP port probably won't help much; it's easy enough to scan the
machines to find the listening ports, and if someone's already got remote
shell access, they don't need FTP anymore. You'll need to thoroughly clean
the machines to ensure that there aren't any backdoors. When you do that,
you might decide against allowing people to upload executable content via
FTP.

I'd certainly be interested in hearing more as you learn about it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
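The reply above argues that the right response is to hunt for backdoors rather than move the FTP port. As an added example (not from the thread and not Dave's code), here is a small Python triage script run over constructed sample data modelled on the incident: it flags a burst of identical processes under one parent and walks that parent's ancestry, reports a remote shell service that has no business on a public server, and lists executables sitting in the FTP upload tree. The process table, service names, file paths and the "rshsvc.exe" process name are all constructed assumptions, not real system output.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample data modelled on the thread's incident; not real tasklist output.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(312, 4, "services.exe", "services.exe"),
    Proc(520, 312, "ServUDaemon.exe", "ServUDaemon.exe"),
    Proc(900, 312, "rshsvc.exe", "rshsvc.exe"),        # hypothetical rsh service process
    Proc(1040, 900, "rsh.exe", "rsh.exe -l user host"),
] + [Proc(2000 + i, 1040, "ping.exe", "ping.exe -t yahoo.com") for i in range(20)]
SAMPLE_SERVICES = ["Serv-U", "W3SVC", "rshsvc"]
SAMPLE_UPLOADS = ["ftp/incoming/report.pdf", "ftp/incoming/tool.exe", "ftp/pub/readme.txt"]

SUSPECT_SERVICES = {"rshsvc"}  # remote shell service the reply says should not be installed
EXEC_EXT = (".exe", ".dll", ".com", ".bat", ".cmd", ".scr")


def process_storms(procs, threshold=10):
    """Return {(image, ppid): count} for images with >= threshold copies under one parent."""
    counts = Counter((p.image.lower(), p.ppid) for p in procs)
    return {key: n for key, n in counts.items() if n >= threshold}


def ancestry(procs, pid):
    """Image names from pid up to the root, so the spawner of a storm is visible."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid and len(chain) < 64:  # bound the walk in case of bad data
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def unexpected_services(services, suspect=SUSPECT_SERVICES):
    """Installed services whose names match the suspect list (case-insensitive)."""
    wanted = {s.lower() for s in suspect}
    return sorted(s for s in services if s.lower() in wanted)


def executables_in_uploads(paths):
    """Files under the FTP upload tree with an executable extension."""
    return [p for p in paths if p.lower().endswith(EXEC_EXT)]


def triage(procs, services, uploads):
    """Combine the three checks into one findings dict for the incident write-up."""
    storms = process_storms(procs)
    return {
        "storms": {f"{img} x{n} under pid {ppid}": ancestry(procs, ppid)
                   for (img, ppid), n in storms.items()},
        "services": unexpected_services(services),
        "uploads": executables_in_uploads(uploads),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_PROCS, SAMPLE_SERVICES, SAMPLE_UPLOADS).items():
        print(name, finding)
```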
