FTP produces Port Scanning

[rowanco]

Hi, I suspect that my machine has been hacked somehow. I am running a SYGATE firewall along with NAV (which has found nothing).

Every time I use an FTP protocol (I have a few programs, though mainly I use SMART FTP), including the DOS based FTP program, the SYGATE firewall goes crazy with port scan attacks. As well it always usully associates them with the file: ndisuio.sys (and also sometimes with svchost.exe).

I am thinking that somehow these files have been hacked with a trojan or something which calls out whenever an FTP transfer occurs (or something like that).

One solution may be to overwrite them with clean copies (where I get a clean copy I don't know)...

Can anybody shed some light on this, or any similar experiences...

Thanks.

 

[pansophic]

What is the actual indication? A port scan could be lots of things, but since this happens every time you use FTP, not just with one FTP client, I would be suspicious of the firewall application. It could be that you are starting a passive ftp session (PASV) and that the two machines are attempting to make a connection on a high port (1024 or higher).

I would probably not use (and I definitely would not recommend) a firewall application that was written by someone who is not familiar with the PASV ftp protocol.

The fact that NAV has not found anything doesn't necessarily mean anything. We have found it painfully simple to bypass antivirus detection of trojan applications.

If you really suspect that your machine has been compromised, you may want to do some more detailed research.

If you want to double check your anti-virus software, go to:

http://housecall.antivirus.com/

it is a free anti-virus scan that is always current because it is downloaded over the net.

pansophic

 

[rowanco]

Hi, thanks for your response, the indication are SYGATE's pop up warnings which occurr repeatedly during FTP transfer, and the port scans are also logged in the logs.

The thing is, it didn't happen originally, and I assume that the SYGATE firewall considers PSV mode, but I will try that download you mentioned (even though NAV should update its definitions), but I am really curious why the files:

ndisuio.sys and also sometimes with svchost.exe are reported as being involved (according to the SYGATE firewall).

Thanks.

 

[torquemonster]

Just as an FYI (assuming that you're running a Windows machine)...

I can think of a couple of pieces of software that may be able to help you:

ZoneAlarm is a software-based "firewall" app that lets you know when any other application is trying to access the internet. You can find it at

http://www.zonelabs.com.

PC Magazine regularly offers free utilities for download, and one of them might shed some light upon what ndisuio.sys & svchost.exe are doing. Go to either pcmag.com or zdnet.com, look for the free "utilities" download section & search for OpenTrap. I haven't used it myself (I'm not a programmer), but the program description says that it lists what files/DLLs an application references as it runs. I'd be quite surprised if it didn't allow you to log what it does, & once you do that, all that's left is to trace it back to see what starts the process. You'll likely need to register to get to the downloads area, but they've got some really good stuff there, so IMHO it's probably worth it (not that I'd give 'em *true* information...).

Anyway, that's probably how I'd approach it...

Oh, one other thing - both of these utilities are freeware!

Hope this helps ya!

T.
(If you want to get really medieval on it, you could download the Windows version of Ethereal & sniff all of the packets going back & forth, but that may be going a little far for your tastes...)

 

[tangram]

svchost.exe is often used as a host for viral worms, W32/CodeBlue being one example, where your 'port scanning' can be attributed to the virus doing it's thing.

First thing I would suggest; scan your machine online from...

<

http://www.symantec.com/cgi-bin/securitycheck.cgi>

(Norton AV) which should determine if your machine is infected or not. I've never used it and found a virus on my machine so I'm not sure, but I don't think the online service as described will clean your machine. For that you will need to acquire a full AV package. The NORTON AV software isn't the quickest I've come across, but it is without doubt an exceptionably good tool to have installed on your machine, always assuming you keep it up to date. If your machine is infected, then read the instructions for removal of the virus on the Norton site. You don't mention which operating system you're using, but should you have to delete svchost.exe from your machine because it's a trojan, then a fresh copy will be available on your original install disks/cd-rom.

The good news is that Sygate is without doubt one of the best software Firewall available at the moment. It's obviously doing it's job given that it has demonstrated to you that there is a problem and has blocked the unauthorised traffic. Given that Sygate is obviously working perfectly, I'm not sure why torquemonster should suggest installing ZoneAlarm. However he's absolutely correct that ZoneAlarm is free for personal use (as is Sygate) and is also an excelent utility. If you would like to try it, don't forget to uninstall Sygate first. Best of luck.

 

[PcLinuxGuru]

It isn't a port scan per say. Your FTP client is trying to use passive mode and well that is how it does it. It basically port scans itself and sends the info to the ftp server. Visit

http://www.pcbench.homelinux.net:81/

 

[p01nt]

I am a network engineer and Trainer for a large computer company that relies heavily on a large frame-relay/ATM BGP/EIGRP internetwork WITH connections to the Internet. I am also an MCSE/CCNP/CCDP: just qualifyin' myself for y'all =) . Although I understand that svchost.exe and ndisuio.sys are regular files that will be communicating internally to the computer, I've use the Sygate personal firewall edition for around 4 days now to test it out and found some interesting results. Look at this before you go poking holes in your firewall for these services:

This is what I've recorded in the traffic log just today:

Blocked TCP Incoming 24.187.54.139 4175 192.168.1.100 27374 C:\WINDOWS\System32\DRIVERS\ndisuio.sys

Blocked UDP Incoming 208.179.178.252 34684 192.168.1.100 137 C:\WINDOWS\System32DRIVERS\ndisuio.sys

Blocked UDP Incoming 200.106.13.59 26829 192.168.1.100 137
C:\WINDOWS\System32\DRIVERS\ndisuio.sys

Blocked TCP Incoming 24.54.247.145 3750 192.168.1.100 445 C:\WINDOWS\System32\DRIVERS\ndisuio.sys

There are four samples of unsolicited incoming messages. The second and third are destined to my NETBIOS Name Service port (137). The first one is sourced from and destined to arbitrary ports, like maybe someones trojan app or something that I may have unwittingly downloaded....dunno. The last one is very interesting in that it's interested in connecting with my Microsoft-DS service. Here's a quote about what that is:

&quot;Sending malformed packets to the microsoft-ds port (TCP 445) can result in kernel ressources being allocated by the LANMAN service. The consequences of such an attack could vary from the Windows 2000 host completely ignoring the attack to a blue screen.&quot;

The quote is from:
cert.uni-stuttgart.de/archive/bugtraq/2002/04/msg00225.html

This is simply an attempt to either randomly attack a system or to specifically gain access to or attack my computer. Notice also that the second block statement contains a 200.x.y.z source address. The entire
200.0.0.0 - 200.255.255.255 CIDR (Classless InterDomain Routing) network block has been geographically assigned to Central and South America. I don't know anybody there, and I don't believe that Internet backbone pipes there are large enough for me to go gaming there too often. These are random pokes at my system. Granted that this computer is in my DMZ at home, however I still am amazed by the number of attempts on my system. I've only shown you 4 of around 100 of these messages just today 06/30/2003. Let me know what y'all think.

 

[rowanco]

Hi All, that's some great info, I still never figured out what was happening exactly, my level of knowledge doesn't quite run that deep.

I can see there is a use for an app that can more closely inspect your in/outbound packets and tell what they can mean, if they are malicious, passive, stadard, etc.. maybe an enhancement to current firewall apps...

Hi p01nt, those are some interseting findings you have discovered, is that just the level of 'background' scanning that is part of the everyday net traffic now?

 

[p01nt]

sup rowanco!

Yeah, from what I've seen this is a daily thing. I've had my main computer set up in the DMZ without any firewall protection mainly so I could connect to my computer from work using XPs remote desktop application. Being bare to the world may have made my computer vunerable the to people simply wanting to make a netbios connection to me and pull off some files. I've tried to be so egocentric as to think that any of my files on my computer are THAT important that everybody wants to break into my computer. However I became directly interested in my own protection when I heard that the RIAA is targeting file sharing for suit against them for copyright infringement. If anybody has purchased applications and keeps them on their hard drive and they are unwittingly being uploaded by another user, it is possible that the person being uploaded from may become a target for a lawsuit. The best quote I've seen from another website is this: You wouldn't leave your house unlocked all the time, so why would you leave your computer unlocked all the time? Even though my computer is not that important, there might be files that someone might want, and while unprotected they might be able to upload them without my knowing it.
Mostly what I see is 1 to 3 packets attempting to contact my NetBIOS port 137. Ports 137, 138, and 139 are NetBIOS ports that windows uses to identify computer names within a workgroup or domain. Since I am behind a NAT router, my computer does not have a public IP address. There is no way for a hacker to see the private address on my computer, so if they request a send for my computer's name they would be able to bypass the whole thing and connect based on NetBIOS information. That's what I see mostly.
Two other common things that I see are one of my ISPs DNS servers attempting to request a DNS name from me (don't know why but it's innocuous), and one of my other computers attempting to make a file peer sharing connection to a remote destination over the same port each time. I believe that the computer who is trying to send out is because of some software I installed for peer file transfer. I have yet to find and clean the registry entry for this and get rid of whatever app is attempting this. Other than that, I've been port scanned a couple of times, which is simply an attempt to see if I've got any ports open, and a couple of SQL slammer attacks which don't do any good because I'm not using that database app.
At first I thought that I was being hit hard because I was open to the world, but it hasn't really appeared to slow down any.
If you see any weird traffic on your firewall that appears to repeat, write a rule for it and have it log it to your packet log. That way you can see what the user is attempting to do. Of course you'd have to gain some knowledge of what different codes mean and have a knowledge of converting hex to decimal. Since that's part of my job, it makes easier for me to come home and take a quick gander at the days events on my home PC. If you've got any other questions I'll be more than glad to respond to the best of my ability.

 

[rowanco]

You have some interesting thoughts, I've suspected something like what you are saying concerning the RIAA would evenutally start happening. As technologies improve, the big corps will start to use their abilities more and more to muscle into what is currently a relativelly 'FREE' environment.

I'm surprised you take the chance at operating without a firewall, I feel naked without one, purely for the reason that I don't know what can happen to an exposed connection. I've always assumed that if you don't have a firewall, then your computer is wide open to being taken over and exploited (although any purpose for that is probably dependant on your connection speed).

Still, you're obviously way ahead of me regarding the understanding of the technical issues, so thanks for the info p01nt!

Cheers.

 

[MacGyver71]

I just wanted to let you know that I had the same phenomenon occurring on my system. I am running XP, Sygate, Norton, Spybot and I use various GRC utilities to ensure that my entire system is locked. However, I still saw what appeared to be an extensive amount of traffic coming over Sygate, specifically the &quot;C:\Windows\System32\Drivers\step.sys&quot; & &quot;C:\Windows\System32\Drivers\step.sys&quot; paths. Like you, I was concerned, to the point that I spoke with my ISP (Charter.net) and determined that it was nothing more that normal (in fact, necessary) network handshaking. In order for a network connection to be maintained, a constant communication must exist. This was something that I was already aware of, but it simply seemed as though there was TOO MUCH TRAFFIC. The network engineer that I spoke with confirmed that the IP addresses that the traffic was coming from were theirs... even though the source IP seemed to change every time. In other words, don't worry about it. Hope this helps.

Later,
Mac