
external attack on pc's

22 August 2003, 12:33 PM  #1  beemerboy (Thread Starter)

Just got this message from Tinyfirewall on my home PC

"Someone from cmbg-3e352206.pool.mediaWays.net [62.53.34.6], port 3175 wants to connect to port 21 owned by 'SERVUDAEMON.EXE' on your computer"

Is there any way I can find out this person's home address and go round there with a pickaxe handle???

BB
...or floodping his IP??



22 August 2003, 12:36 PM  #2  SJ_Skyline

run shadow security scanner across 62.53.34.6





port 21 is FTP and SSH

[Edited by SJ_Skyline - 8/22/2003 12:37:10 PM]

22 August 2003, 12:56 PM  #3  chiark

Are you aware that you've installed Serv-u FTP on your machine?

Because if you haven't, something has...

22 August 2003, 02:05 PM  #4  Boro

It's good that your firewall has picked up on this BUT making your ports "stealthy" is your best bet.

22 August 2003, 02:27 PM  #5  Boro

You might want to run these simple tests to see which other ports are open/closed/stealthy.

https://grc.com/x/ne.dll?bh0bkyd2

Half way down Shields UP!! Services

CLICK "All Service Ports"

Let me know how you get on

22 August 2003, 02:46 PM  #6  chockymonster

https://grc.com/x/ne.dll?bh0bkyd2
But don't believe any of the sh1te about nanoprobe technology that GRC sprouts, it's a great site to check your open ports, but dire for valid technical information (IMO of course)

22 August 2003, 02:57 PM  #7  Boro

Quote: "but dire for valid technical information (IMO of course)"

Extract from www.grc.com after scanning port 21:-

Port 21

Name: ftp

Purpose: File Transfer Protocol (Control Channel)

Description: File Transfer Protocol (FTP) is one of the oldest Internet protocols. FTP servers open their machine's port 21 and listen for incoming client connections. FTP clients connect to port 21 of remote FTP servers to initiate file transfer operations.

Since there's much more to FTP protocol than this, see the discussion below for the details.

Related Ports: 20

Background and Additional Information:


An important word about FTP security and privacy

It has been said that any "open FTP server" will be found and quickly scrutinized by Internet hackers within a very short time of its appearance on the Internet. Hackers love open FTP servers that will anonymously accept files which are then available to others without any oversight by the FTP server's administration. Such "file drop boxes" quickly become loaded with illicit software and other potentially troublesome files, and are used as anonymous file exchange points. Not only can such unattended use be a huge consumer of your network's bandwidth, but you might find yourself explaining your apparent "hosting" of illegal, copyrighted, or otherwise distasteful files to governing authorities.
If you must run an FTP server for anonymous file acceptance, be sure to create a separate "incoming" directory for the receipt of submitted files. Make certain that the contents of that incoming directory are not available for outgoing download without the explicit movement of the file into an outgoing directory.

If our analysis has shown that your FTP service port is open, you will definitely want to take some action (if this is not what you intend). As you can see from the list of known FTP-port Trojans at the end of this page, some nasty malware might be responsible for surreptitiously opening this port on your system. Or, if you are deliberately operating an FTP server, you will want to be certain that you are willing to accept the management responsibility that comes with offering such a public server to the Internet. It's not for everyone.

About the FTP protocol

FTP protocol uses two connections in parallel — one for command and control, and a second channel for data transport. Unless another port is specified, FTP servers listen for clients to connect on their port 21. The use of non-default FTP server ports is more common than for other protocols due to the historic trouble with malicious hackers searching for FTP servers on port 21. You may hear a computer savvy user say "I have an FTP server running on port 60" (or anything else). This might be done to avoid a port collision with another FTP server already running on the default port. But it is more likely being done to keep the real FTP server away from a highly targeted and often searched for port.

After initiating the connection, the client instructs the server whether it desires to establish an "active" or "passive" FTP session. This determines the direction of the secondary "FTP data" connection:

Active FTP

Active FTP is the traditional default which is generally used by full FTP client programs. Active FTP uses a "reverse data channel" that can cause problems when operating behind some older firewalls and NAT routers, though modern products have generally become "FTP aware". By comparison, passive FTP (see next section) is primarily used by web browsers and can be more firewall and NAT router friendly.

As we saw above, FTP sessions are initiated by an FTP client's connection to port 21 of any FTP server. This establishes the "forward" command and control channel. An active FTP client next opens a listening port on its machine, informs the remote FTP server of this port number, and requests the remote FTP server to connect from its port 20 back to the client on the port it has specified. This establishes the "reverse data channel" for transporting data.

Since many firewalls and NAT routers automatically block incoming connections to their protected client machines, the need to establish this second "reverse data channel" can cause trouble. Although passive FTP was created to overcome these problems, most modern firewalls and NAT routers have become "FTP aware". They monitor the outgoing control channel, interpret the client's request to the remote server, and open an incoming port back through the router to the client machine. Active FTP clients can thereby operate behind FTP aware firewalls and NAT routers without trouble.

Passive FTP

Passive FTP protocol was created to overcome the firewall and router problems associated with active FTP's need to establish a reverse data channel back from the server to the client. Passive FTP operates just like active FTP except that both the initial control channel (to the server's default port 21) and the data channel (to the server's default port 20) are initiated by the client and received and accepted by the server. Passive FTP is generally used by web browsers and can sometimes be requested as an optional mode from full FTP clients. Because passive FTP does not use a "reverse data channel" approach, it is often more friendly to firewalls and NAT routers, though most modern NAT routers are now "FTP aware".

The FTP RFC (the complete specification)

The specification of every nuance and detail of the FTP protocol, as written by the people who invented it, may be found here:

http://www.ietf.org/rfc/rfc959.txt

http://www.faqs.org/rfcs/rfc959.html

Trojan Sightings: Back Construction, Blade Runner, Cattivik FTP Server, CC Invader, Dark FTP, Doly Trojan, Fore, FreddyK, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Ramen, RTB 666, Senna Spy FTP server, The Flu, Traitor 21, WebEx, WinCrash


Chocky, it's been a while since I've looked at the Shields Up Test, but it's a million times more informative than it used to be.




[Edited by Boro - 8/22/2003 2:59:43 PM]
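
Added example (not part of the original posts or of the GRC extract): the "FTP aware" firewall behaviour described in the Active FTP section above, sketched in Python. It parses the client's PORT command from the control channel and derives the one-off rule for the reverse data channel from the server's port 20; the function names, the sample addresses (documentation ranges) and the two refusal checks are assumptions of this example.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)

def parse_port(line):
    """Return (IPv4Address, port) announced by an active-mode PORT command, or None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet or port byte
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def pinhole_for(line, client_ip, server_ip):
    """Decide what to open for one outgoing control-channel line.

    Returns None (not a PORT command), ("deny", reason) or ("allow", rule).
    """
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    # Assumed hardening: only open a path back to the client that asked for it.
    if ip != ipaddress.IPv4Address(client_ip):
        return ("deny", "PORT names an address other than the client's")
    if port < 1024:
        return ("deny", "PORT names a well-known service port")
    # Reverse data channel: server port 20 -> the port the client is listening on.
    return ("allow", {"src": server_ip, "sport": 20, "dst": str(ip), "dport": port})

# Constructed control-channel lines from a client at 192.0.2.10 to a server at 198.51.100.5.
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",    # 195*256 + 80 = 50000
    "PORT 203,0,113,9,195,80",   # not the client's own address
    "PORT 192,0,2,10,0,21",      # port 21 on the client
]

def evaluate(lines, client_ip="192.0.2.10", server_ip="198.51.100.5"):
    return [pinhole_for(l, client_ip, server_ip) for l in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{line!r:30} -> {verdict}")
```

Only the second sample line results in an opened path; the other PORT commands are refused, and any inbound connection with no matching rule stays blocked.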

22 August 2003, 03:00 PM  #8  beemerboy (Thread Starter)

thanks guys, will portscan....

I did install Serv-U to test for work app

just uninstalled it now....

lock these b4stards out is the best tactic.

cheers again, safe computing!!!

Dazza

22 August 2003, 03:33 PM  #9  chiark

also, bear in mind it might be someone whose machine has been compromised and is being controlled by a worm themselves... hence tracking the culprit down is nigh-on impossible.

Just keep security up to date and you're laughing