goalieskates
Premium Member
join:2004-09-12
land of big

The Case of the Unexplained FTP Connections

Russinovich
quote:
The case opened when a network administrator at a South African company contacted Microsoft Services Premier Support and reported that their corporate Exchange server, running on Windows Server 2008 R2, appeared to be making outbound FTP connections. They noticed this only because the company’s installation of Microsoft Forefront Endpoint Protection (FEP) alerted them that it had cleaned a piece of malware it found on the server. Concerned that their network might still be compromised despite the fact that FEP claimed the system was malware-free, he examined the company’s perimeter firewall logs. To his horror, he discovered FTP connections that numbered in the hundreds per day and dated back several weeks. Instead of attempting a forensic examination on his own, he called on Microsoft’s security consulting team, which specializes in helping customers clean up after an attack.
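The firewall-log review the quoted passage describes, as detection logic run over constructed log lines. This is an added example, not part of the thread or of Russinovich's article. The iptables/syslog-style format, the firewall name `fw1`, the addresses and the role map `NO_FTP_EXPECTED` are all assumptions; the script counts outbound FTP control-channel connection attempts per source host and day and flags any from a host that should never initiate FTP, such as a mail server.

```python
"""Added example (not from the dslreports thread or Russinovich's article):
flag outbound FTP connection attempts in perimeter-firewall logs from hosts
that have no business initiating FTP, and count them per day."""
import re

# Constructed sample log lines in an iptables/syslog style. The format, the
# firewall name, the addresses and the host roles are assumptions for this example.
SAMPLE_LOG = """\
Mar 03 02:14:07 fw1 kernel: OUT=eth0 SRC=10.0.1.25 DST=203.0.113.17 PROTO=TCP SPT=49211 DPT=21 SYN
Mar 03 02:14:09 fw1 kernel: OUT=eth0 SRC=10.0.1.25 DST=203.0.113.17 PROTO=TCP SPT=49212 DPT=21 SYN
Mar 03 09:30:11 fw1 kernel: OUT=eth0 SRC=10.0.1.40 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 03 23:58:40 fw1 kernel: OUT=eth0 SRC=10.0.1.25 DST=203.0.113.17 PROTO=TCP SPT=49300 DPT=21 SYN
Mar 04 00:02:13 fw1 kernel: OUT=eth0 SRC=10.0.1.25 DST=203.0.113.17 PROTO=TCP SPT=49301 DPT=21 SYN
Mar 04 00:02:15 fw1 kernel: IN=eth0 SRC=198.51.100.77 DST=10.0.1.25 PROTO=TCP SPT=40000 DPT=25 SYN
Mar 04 11:47:55 fw1 kernel: OUT=eth0 SRC=10.0.1.31 DST=203.0.113.50 PROTO=TCP SPT=60001 DPT=21 SYN
"""

# Hosts that should never open outbound FTP sessions (assumed roles for the sample network).
NO_FTP_EXPECTED = {"10.0.1.25": "Exchange server"}

# "Mar 03 02:14:07 fw1 kernel: KEY=VALUE ... SYN"
LINE_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2} \d{2}) \S+ \S+ kernel: (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one log line into its KEY=VALUE fields plus the date and SYN flag."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["date"] = m.group("date")
    rec["syn"] = "SYN" in m.group("fields").split()
    return rec


def is_outbound_ftp(rec):
    """Outbound interface, TCP, destination port 21 (FTP control), new connection."""
    return (rec.get("OUT") not in (None, "")
            and rec.get("PROTO") == "TCP"
            and rec.get("DPT") == "21"
            and rec["syn"])


def outbound_ftp_by_day(lines):
    """Return {(source_ip, date): number of outbound FTP connection attempts}."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and is_outbound_ftp(rec):
            key = (rec["SRC"], rec["date"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def flag_unexpected(counts, no_ftp_expected):
    """Return [(source_ip, role, date, count)] for hosts that should never initiate FTP."""
    return sorted((src, no_ftp_expected[src], date, n)
                  for (src, date), n in counts.items() if src in no_ftp_expected)


if __name__ == "__main__":
    counts = outbound_ftp_by_day(SAMPLE_LOG.splitlines())
    for (src, date), n in sorted(counts.items()):
        print(f"{date}  {src:<12} outbound FTP attempts: {n}")
    for src, role, date, n in flag_unexpected(counts, NO_FTP_EXPECTED):
        print(f"ALERT {date}: {role} ({src}) opened {n} outbound FTP connection(s)")
```

Counting per source and day, rather than just listing matches, is what separates the pattern the admin saw (hundreds per day over weeks) from a one-off transfer. On a real firewall the same query is usually a single search over the exported logs, but the filter conditions are the ones to keep: outbound interface, TCP, destination port 21 and a new connection. Note that port 21 only catches the control channel; passive-mode data transfers go to high ports and will not show up under this filter, so the per-host count is a lower bound.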

Cthen
Premium Member
join:2004-08-01
Detroit, MI

Nothing really new.

Doofus admin installed something on the server and didn't bother to even set a login or password, putting everything back online. What did they think was going to happen?

Despite that, I do find it odd that another admin scanned everything with the tools provided by Microsoft and it all came up clean. He calls a guy from Microsoft who somehow has tools to detect even more stuff? Why is that? Why are the tools that are given to the admins not good enough for a cleanup?

I smell a scam!

norwegian
Premium Member
join:2005-02-15
Outback

said by Cthen:

Despite that, I do find it odd that another admin scanned everything with the tools provided by Microsoft and it all came up clean. He calls a guy from Microsoft who somehow has tools to detect even more stuff? Why is that? Why are the tools that are given to the admins not good enough for a cleanup?

This point: why is the download of Process Monitor I just downloaded any different to the engineers' version? It seems to be doing everything explained in the article?

But why would the engineers not have better tools? Even some beta testers would adjust programs during testing; so why wouldn't a mainline tool have a few extra tweaks? One such "tweak" usually is some form of diagnostic debug; the general public doesn't see these add-ons/plug-ins unless a programmer wants to offer it out. But I'm sure the Process Monitor I just downloaded looked similar enough that I could track the conversation and open the same GUI windows.....all without the command line required - and who knows what tweaks / tools are at the command line that the GUI doesn't show.

Never give out all your secrets.

StuartMW
Premium Member
join:2000-08-06

said by norwegian:

This point: why is the download of Process Monitor I just downloaded any different to the engineers' version?

I doubt it is. The Sysinternals (part of Microsoft for quite a while now) tools are updated about once a month. I suspect the Microsoft tech(s) had the latest while the admin didn't. Even worse is that many have never heard of them.

BTW I'm surprised the article didn't mention TCPView.

norwegian
Premium Member
join:2005-02-15
Outback

That was what I was getting at....the version I downloaded showed basically the same info though to show the admin should have seen more with the fully public version - and yes, the Microsoft engineer would have extra goodies at his disposal - that's why you call them in.

TCPView is a great tool - they all are, all of them, and have come a long way since the partnership was formed.

StuartMW
Premium Member
join:2000-08-06

said by norwegian:

...and who knows what tweaks / tools are at the command line that the gui doesn't show.

Not hard to find out. Use the Sysinternals Strings tool to dump the EXE to a text file. Find the known command line switches and you might find unpublished ones nearby.

I've done this many times to find (secret) registry settings etc.
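The technique StuartMW describes, as an added example that is not the Sysinternals Strings tool and not code from the thread: a minimal extractor for ASCII and UTF-16LE strings, followed by the "look next to the known switches" heuristic. The byte blob `FAKE_EXE` is a constructed stand-in for an executable image; `/accepteula` is the EULA switch Sysinternals tools share, while the other switch names are sample data for this example and are not taken from any particular tool. `KNOWN_SWITCHES` stands in for whatever the tool's documentation lists.

```python
"""Added example (not the Sysinternals Strings tool and not from the thread):
a minimal strings extractor for ASCII and UTF-16LE runs, plus the heuristic
from the post: switch-shaped strings near documented switches are candidates."""
import re

PRINTABLE = frozenset(range(0x20, 0x7F))          # printable 7-bit ASCII
SWITCH_RE = re.compile(r"^[-/][A-Za-z][A-Za-z0-9]*$")  # "/name" or "-name"


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for an executable image. Windows tools usually keep their
# command-line switches as UTF-16LE strings, so they are stored that way here.
# /accepteula is the EULA switch shared by Sysinternals tools; the other names
# are sample data for this example only.
FAKE_EXE = (
    b"MZ\x90\x00" + bytes(range(0, 32)) * 2        # header-ish junk, nothing printable
    + b"Usage: tool.exe [options] <file>\x00\x00"  # ASCII usage text
    + _utf16("/accepteula") + b"\x00\x00"
    + _utf16("/nobanner") + b"\x00\x00"
    + _utf16("/zq") + b"\x00\x00"                  # shorter than min_len, so dropped
    + _utf16("/xdebug") + b"\x00\x00"              # the "unpublished" switch next to known ones
    + bytes(range(200, 256))                       # more junk
    + b"Copyright (C) Example Corp\x00"
)

# Switches the (assumed) documentation lists.
KNOWN_SWITCHES = ("/accepteula", "/nobanner")


def extract_strings(data: bytes, min_len: int = 4):
    """Return [(offset, encoding, text)] for printable runs of at least min_len
    characters, in ASCII and in UTF-16LE, ordered by offset in the image."""
    found = []
    # ASCII: runs of printable bytes
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, "ascii", data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, "ascii", data[start:].decode("ascii")))
    # UTF-16LE: runs of (printable byte, 0x00) pairs
    i, n = 0, len(data)
    while i + 1 < n:
        j = i
        while j + 1 < n and data[j] in PRINTABLE and data[j + 1] == 0:
            j += 2
        if (j - i) // 2 >= min_len:
            found.append((i, "utf-16le", data[i:j].decode("utf-16-le")))
        i = j if j > i else i + 1
    return sorted(found)


def find_candidate_switches(strings, known, window=3):
    """Apply the heuristic from the post: switch-shaped strings that sit within
    `window` entries of a documented switch in the string table are worth
    testing as possibly unpublished options. Returns {switch: offset}."""
    known_l = {k.lower() for k in known}
    known_idx = [i for i, (_, _, t) in enumerate(strings) if t.lower() in known_l]
    out = {}
    for i, (off, _, text) in enumerate(strings):
        if (SWITCH_RE.match(text) and text.lower() not in known_l
                and any(abs(i - k) <= window for k in known_idx)):
            out[text] = off
    return out


if __name__ == "__main__":
    strs = extract_strings(FAKE_EXE)
    for off, enc, text in strs:
        print(f"{off:06x} {enc:<8} {text}")
    print("candidates:", find_candidate_switches(strs, KNOWN_SWITCHES))
```

The UTF-16LE pass matters on Windows binaries: an ASCII-only extractor sees a Unicode switch table as isolated single characters and misses it entirely, which is why Sysinternals Strings reports both ASCII and Unicode strings. A string that looks like a switch is only a candidate; whether the program actually parses it has to be confirmed by running the tool with it on a test machine, and the result should be treated as unsupported behaviour that may change between the monthly releases.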

stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

to goalieskates
By the way, the FTP server in the article is still active and the username/password still work.

norwegian
Premium Member
join:2005-02-15
Outback

You're kidding surely.....I'm a little hesitant to try.

StuartMW
Premium Member
join:2000-08-06

No. And don't call him "Surely".

stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

said by norwegian:

You're kidding surely.....I'm a little hesitant to try.

I connected using my Linux server and downloaded a bunch of EXEs.

norwegian
Premium Member
join:2005-02-15
Outback

You almost have to ask the question then....."who's the admin?"
Wouldn't the Microsoft tech have offered some support?.....no trolling intended.

norwegian to StuartMW
Premium Member
said by StuartMW:

Not hard to find out. Use the Sysinternals Strings tool to dump the EXE to a text file. Find the known command line switches and you might find unpublished ones nearby.

I've not played with this tool outside of the GUI of Process Explorer etc.; might be worth looking at.
Thanks.