40,000+ ftp attempts lastnight


#1, 07-22-04, 10:17 PM, twikoff (DVD Talk God, Thread Starter)

so.. we have some network issues today
and tracked it down to a computer that attempted 40,000 ftp connections during the hours of midnight last night until around noon today... pretty random addresses that it's hitting

odd thing was.. when i got on the computer.. there was nothing in the registry set to run, nothing in the startup of course..
no odd processes running
updated antivirus didn't catch anything
adaware didn't catch anything

and no one was using the computer during that timespan

#2, 07-22-04, 10:51 PM, mikehunt (DVD Talk Hero)
just some guesses, but take into account that I haven't read up on hacking or security in a while
someone hacked in and was running stuff remotely and shut it down before you got to the computer
someone ran a program before leaving that was set to run for a set amount of time then close itself down, possibly erasing its traces too when it quit

#3, 07-23-04, 08:43 AM, twikoff (DVD Talk God, Thread Starter)
Originally posted by mikehunt:
just some guesses, but take into account that I haven't read up on hacking or security in a while
someone hacked in and was running stuff remotely and shut it down before you got to the computer
someone ran a program before leaving that was set to run for a set amount of time then close itself down, possibly erasing its traces too when it quit

but the odd part.. when i went over and rebooted the machine and brought it up offline.. I thoroughly checked all processes running on the machine.. and still nothing out of the ordinary

I plugged it back into the network to monitor

and within about 3 minutes.. it was causing the entire network to slow down again.
might be unrelated.. but it started causing the network issues right about the time that yahoo launched..

#4, 07-23-04, 10:27 AM, sfsdfd (DVD Talk Legend)
Originally posted by twikoff:
I plugged it back into the network to monitor

and within about 3 minutes.. it was causing the entire network to slow down again.

The most likely culprit is a hard-to-nail trojan. They're getting really hard to pick off, for some reason; either black-hats are getting more skillful, or antivirus companies are slacking off. How loaded/customized is the software base on that machine? - could you vape the OS and reinstall without too much trouble?

I guess there's an off-chance it might be a hardware failure - your network card may be flooding your net with junk packets or something. Do you know for certain that it's all on FTP (port 21)?

- David Stein

#5, 07-23-04, 10:29 AM, Groucho (Moderator)
40,000 ftp attempts? That's what the regulars in "Adult Talk" consider a light evening.

#6, 07-23-04, 12:06 PM, twikoff (DVD Talk God, Thread Starter)
Originally posted by sfsdfd:
The most likely culprit is a hard-to-nail trojan. They're getting really hard to pick off, for some reason; either black-hats are getting more skillful, or antivirus companies are slacking off. How loaded/customized is the software base on that machine? - could you vape the OS and reinstall without too much trouble?

I guess there's an off-chance it might be a hardware failure - your network card may be flooding your net with junk packets or something. Do you know for certain that it's all on FTP (port 21)?

- David Stein
it's actually this person's second machine, just used for running large queries and crap.. so it wouldn't be a big deal to just reimage it and forget about it.. but she is away on vacation.. so we can't do that yet.. just in case there is anything she needs to copy..
that makes it pretty lucky..
but still pretty odd that I can't find any trace of it at all

I haven't seen the logs.. i was working with my boss, who is in charge of the network side.. and he said they were all ftp attempts..

really, it wasn't a speed issue.. but we limit 50,000 connections on our firewall.. so it causes a problem when this one computer was using 40,000+ of them

#7, 07-23-04, 01:28 PM, Gunshy (DVD Talk Special Edition)
It is possible to write programs (Windows services, I believe) that are very stealthy in nature, i.e. do not show up in task lists, are not found in "run" registry entries, or the startup folder(s). I thought about writing one once just to see how it worked but never had the time. Good luck getting to the bottom of your problem; let us know what you find out.

-Gunshy

#8, 07-23-04, 01:41 PM, jfoobar (DVD Talk Hero)
Originally posted by Gunshy:
It is possible to write programs (Windows services, I believe) that are very stealthy in nature, i.e. do not show up in task lists, are not found in "run" registry entries, or the startup folder(s). I thought about writing one once just to see how it worked but never had the time. Good luck getting to the bottom of your problem; let us know what you find out.

-Gunshy
Likewise, it is quite common to replace normal processes with a Trojaned process of the same name. As such, a task manager review would reveal nothing suspicious.

Have you looked to see what ports are listening on the box and used a tool like `fport` to ID the processes that control them?

Obviously, the system needs to be unplugged from the network for the time being, and personally I would be somewhat reluctant to allow the user to retrieve files off of it when she gets back without being extremely careful. For me, I would want to know the cause, even if I could not ID the exact details. She probably downloaded something or visited a compromised website with unpatched IE. Either way, I would be poring through logs looking for the genesis.

Last edited by jfoobar; 07-23-04 at 01:44 PM.
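
As an added illustration of the log review jfoobar suggests (example code written for this page, not from anyone in the thread): a script that tallies outbound connections per internal host from firewall log lines and flags the pattern the thread describes, one host opening connections to port 21 on many random addresses. The log format, the internal and external addresses, and the thresholds are all constructed assumptions, not the poster's firewall.

```python
"""Tally outbound connections per internal host from firewall log lines and
flag hosts that fan out to many distinct addresses on a single port.
Assumed (constructed) log format, not the poster's firewall:
  <date> <time> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\S+ \S+ src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: .57 hits port 21 on five different addresses within
# seconds; .23 does ordinary web traffic to one server; one line is garbage.
SAMPLE_LOG = """\
2004-07-22 00:01:03 src=192.168.1.57 dst=203.0.113.8 dport=21 proto=tcp
2004-07-22 00:01:03 src=192.168.1.57 dst=198.51.100.77 dport=21 proto=tcp
2004-07-22 00:01:04 src=192.168.1.57 dst=203.0.113.211 dport=21 proto=tcp
2004-07-22 00:01:04 src=192.168.1.57 dst=198.51.100.9 dport=21 proto=tcp
2004-07-22 00:01:05 src=192.168.1.57 dst=203.0.113.150 dport=21 proto=tcp
2004-07-22 00:01:07 src=192.168.1.23 dst=203.0.113.50 dport=80 proto=tcp
2004-07-22 00:01:09 src=192.168.1.23 dst=203.0.113.50 dport=443 proto=tcp
2004-07-22 00:01:10 truncated junk line
"""

def summarize(text):
    """Per source host: total connections, distinct destinations, per-port counts."""
    totals, dests, ports = Counter(), defaultdict(set), defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # skip malformed lines rather than abort the run
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        totals[src] += 1
        dests[src].add(dst)
        ports[src][dport] += 1
    return {src: {"total": totals[src], "distinct_dst": len(dests[src]),
                  "ports": dict(ports[src])} for src in totals}

def flag_scanners(summary, min_conns=5, min_fanout=0.9, min_port_share=0.9):
    """Return {src: (port, total)} for hosts that look like a scanner: at least
    min_conns connections, nearly all to distinct hosts, nearly all on one port."""
    flagged = {}
    for src, s in summary.items():
        port, n = max(s["ports"].items(), key=lambda kv: kv[1])
        if (s["total"] >= min_conns
                and s["distinct_dst"] / s["total"] >= min_fanout
                and n / s["total"] >= min_port_share):
            flagged[src] = (port, s["total"])
    return flagged
```

Against a real export, raise `min_conns` to something like a few hundred so ordinary clients never trip it; the ratio thresholds are what separate a scanner from a busy but legitimate host.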
