02-20-05 11:18 PM
Anything special in the FTP directories? Weird files or special folder names?
What about the FTP log file?
epmap is the endpoint mapper for RPC, I think, so not really FTP related. It's
more like a worm or virus, etc., and it should be port 135. Blaster worms and
their variants do something like this.
Anyway, 172.16.x.x is a private address. It could be just a normal RPC call
from the host. You might want to check out what the host is doing.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"DJ" <none@nospam.com> wrote in message
news:uu5JXYiFFHA.4052@TK2MSFTNGP14.phx.gbl...
> Hello:
>
> I believe my FTP server has been compromised/backdoored but am having
> trouble identifying the particulars. What I have found is this:
>
> Netstat -a was revealing an external IP with an established connection to
> port 1035 with destination port of 6556. Netstat also showed IPs not
> assigned to my DMZ source epmap sending syn_ack... this continues for
> each successive IP.
>
>
> example:
>
> Proto - TCP local address: myserver:epmap foreign address:
> 172.16.2.1 state - syn_ack sent
>
> This would continue 172.16.2.2 etc etc.
>
> I just used filtering, only allowing port 21 on the advanced TCP/IP
> options on the adapter, and the activity stopped. Can anyone shed some
> light on this? I've run virus scans, checked the registry etc. and if there
> is a backdoor on my system, I cannot find it.
>
> Thanks
>
>
>
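Bernard's reading of the netstat output (epmap is the RPC endpoint mapper, and a run of consecutive private addresses in a half-open state looks like worm-style scanning rather than FTP traffic) can be turned into a quick triage check. The script below is an added example, not code from either poster: it parses a constructed sample in the Windows `netstat -a` layout (Windows prints the outbound half-open state as SYN_SENT; the 203.0.113.77 peer and the ports are made up), flags local ports whose SYN_SENT peers walk consecutive addresses, and lists ESTABLISHED sessions to non-RFC 1918 peers like the port-1035 one DJ reported.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the Windows `netstat -a` layout, not the poster's real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address       State
  TCP    myserver:ftp       0.0.0.0:0             LISTENING
  TCP    myserver:1035      203.0.113.77:6556     ESTABLISHED
  TCP    myserver:epmap     172.16.2.1:135        SYN_SENT
  TCP    myserver:epmap     172.16.2.2:135        SYN_SENT
  TCP    myserver:epmap     172.16.2.3:135        SYN_SENT
"""
# TCP rows only: "TCP  host:port  host[:port]  STATE" (UDP rows carry no state).
TCP_ROW = re.compile(r"^\s*TCP\s+\S+:(\S+)\s+(\S+?)(?::(\S+))?\s+(\S+)\s*$")
IPV4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_netstat(text):
    """One dict per TCP row: local port, foreign host/port, state."""
    return [dict(zip(("lport", "fhost", "fport", "state"), m.groups()))
            for m in map(TCP_ROW.match, text.splitlines()) if m]

def sequential_runs(hosts, min_hosts=3):
    """Runs of consecutive IPv4 addresses (as strings), each >= min_hosts long."""
    ips = sorted({ip_address(h) for h in hosts if IPV4.fullmatch(h)})
    runs, run = [], []
    for ip in ips + [None]:          # None is a sentinel that flushes the last run
        if run and ip is not None and int(ip) == int(run[-1]) + 1:
            run.append(ip)
            continue
        if len(run) >= min_hosts:
            runs.append([str(i) for i in run])
        run = [ip]
    return runs

def find_sweeps(text, min_hosts=3):
    """Local ports whose half-open (SYN_SENT) attempts walk consecutive peers."""
    by_port = defaultdict(list)
    for r in parse_netstat(text):
        if r["state"] == "SYN_SENT":
            by_port[r["lport"]].append(r["fhost"])
    return {p: runs for p, hosts in by_port.items()
            if (runs := sequential_runs(hosts, min_hosts))}

def external_established(text):
    """ESTABLISHED sessions whose peer lies outside the RFC 1918 private ranges."""
    return [(r["lport"], r["fhost"], r["fport"]) for r in parse_netstat(text)
            if r["state"] == "ESTABLISHED" and IPV4.fullmatch(r["fhost"])
            and not any(ip_address(r["fhost"]) in n for n in RFC1918)]
```

Run `netstat -a` on the suspect host, feed its text to `find_sweeps` and `external_established`, and the flagged local ports are where to start looking for the process that owns them.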