I would start trying to trace your router table on why it is connecting to
the reserved private address range. Maybe it could lead you somewhere.
"DJ" <none@nospam.com> wrote in message
news:u$95$cnFFHA.2876@TK2MSFTNGP12.phx.gbl...
> Thanks...host definitely not being used for hijacked ftp services...I was
> leaning toward a worm also but cannot find any trace. What concerned me
> most was the established connection from outside to an internal port <not
> ftp> which suggested perhaps a backdoor...but again, cannot find anything.
> Thanks again for your input.
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:uH3igQjFFHA.3504@TK2MSFTNGP12.phx.gbl...
>> Anything special in ftp directories ? weird files or special folder name
>> ?
>> what about ftp log file ?
>>
>> epmap is endpoint mapper for rpc I think. so not really ftp related. it's
>> more like worm or virus, etc. and it should be port 135. Blaster worms
>> and their variants do something like this.
>>
>> anyway, 172.16.x.x is a private address. it could be just normal rpc call
>> from the host. you might want to checkout what the host is doing.
>>
>> --
>> Regards,
>> Bernard Cheah
>>
>> http://www.tryiis.com/
>> http://support.microsoft.com/
>> http://www.msmvps.com/bernard/
>>
>>
>> "DJ" <none@nospam.com> wrote in message
>> news:uu5JXYiFFHA.4052@TK2MSFTNGP14.phx.gbl...
>>> Hello:
>>>
>>> I believe my FTP server has been compromised/backdoored but am having
>>> trouble identifying the particulars. What I have found is this:
>>>
>>> Netstat -a was revealing an external IP with an established connection
>>> to port 1035 with destination port of 6556. Netstat also showed IPs not
>>> assigned to my DMZ source epmap sending syn_ack.....this continues for
>>> each successive ip..
>>>
>>>
>>> example:
>>>
>>> Proto - TCP local address: myserver:epmap foreign address:
>>> 172.16.2.1 state - syn_ack sent
>>>
>>> This would continue 172.16.2.2 etc etc.
>>>
>>> I just used filtering, only allowing port 21 on the advanced tcpip
>>> options on the adapter and the activity stopped. Can anyone shed some
>>> light on this. I've run virus scans, checked the registry etc and if
>>> there is a backdoor on my system, I cannot find it.
>>>
>>> Thanks
>>>
>>>
>>>
>>
>>
>
>
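The two observations in DJ's original post (a run of half-open epmap/135 connections to successive 172.16.2.x addresses, and an ESTABLISHED session from an outside address to a local port that is not ftp) are exactly the kind of thing worth pulling out of `netstat -a` mechanically rather than by eye. The script below is an added example written for this thread, not code from any of the posters; it assumes Windows-style IPv4 `netstat -a` output, a small hand-made mapping of the port names netstat prints (`epmap`, `ftp`, ...), and the constructed sample output embedded in it. It separates SYN_RECEIVED (peers connecting to this host, so the service port is the local one) from SYN_SENT (this host reaching out, the worm-like pattern Bernard describes, so the service port is the foreign one), and it flags established sessions from non-RFC1918 peers to local ports outside an allow-list.

```python
"""Triage helper for Windows-style `netstat -a` output (added example)."""
import ipaddress
import re
from collections import defaultdict

# netstat prints well-known ports by name unless -n is given. This mapping is
# an assumption for the example; it only needs to cover the names used here.
PORT_NAMES = {"epmap": 135, "ftp": 21, "http": 80, "microsoft-ds": 445,
              "netbios-ns": 137}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Proto, local host:port, foreign host:port, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def port_number(token):
    """'epmap' -> 135, '1035' -> 1035, '*' or an unknown name -> None."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())


def parse_netstat(text):
    """Parse IPv4 netstat rows into dicts; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, fhost, fport, state = m.groups()
        rows.append({"proto": proto, "local_host": lhost,
                     "local_port": port_number(lport), "foreign_host": fhost,
                     "foreign_port": port_number(fport), "state": state.upper()})
    return rows


def is_internal(host):
    """True for loopback or RFC1918 peers. Unresolvable names (netstat run
    without -n) are treated as internal so they are not flagged blindly."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_loopback or any(ip in net for net in RFC1918)


def consecutive_run(hosts):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    nums = []
    for h in hosts:
        try:
            nums.append(int(ipaddress.ip_address(h)))
        except ValueError:
            pass
    nums = sorted(set(nums))
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_sweeps(rows, min_hosts=5):
    """Half-open TCP connections on one service port spread over many hosts."""
    groups = defaultdict(set)
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "SYN_RECEIVED":      # they are connecting to us
            groups[("inbound", r["local_port"])].add(r["foreign_host"])
        elif r["state"] == "SYN_SENT":        # we are connecting out
            groups[("outbound", r["foreign_port"])].add(r["foreign_host"])
    findings = []
    for (direction, port), hosts in sorted(groups.items(), key=str):
        if len(hosts) >= min_hosts:
            findings.append({"direction": direction, "port": port,
                             "hosts": len(hosts),
                             "consecutive_run": consecutive_run(hosts)})
    return findings


def find_unexpected_established(rows, allowed_local_ports):
    """ESTABLISHED sessions from non-internal peers to ports we do not serve."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not is_internal(r["foreign_host"])
            and r["local_port"] not in allowed_local_ports]


# Constructed sample modelled on the thread; the addresses are not real hosts.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    myserver:ftp           0.0.0.0:0              LISTENING
  TCP    myserver:epmap         172.16.2.1:1025        SYN_RECEIVED
  TCP    myserver:epmap         172.16.2.2:1025        SYN_RECEIVED
  TCP    myserver:epmap         172.16.2.3:1025        SYN_RECEIVED
  TCP    myserver:epmap         172.16.2.4:1025        SYN_RECEIVED
  TCP    myserver:epmap         172.16.2.5:1025        SYN_RECEIVED
  TCP    myserver:1035          203.0.113.7:6556       ESTABLISHED
  TCP    myserver:ftp           198.51.100.20:49152    ESTABLISHED
  UDP    myserver:netbios-ns    *:*
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for f in find_sweeps(rows, min_hosts=4):
        print("sweep:", f)
    for r in find_unexpected_established(rows, allowed_local_ports={21}):
        print("unexpected session:", r["foreign_host"], "->", r["local_port"])
```

Run it against a saved `netstat -a` capture by replacing `SAMPLE` with the file contents; capturing with `netstat -an` avoids name resolution and gives the classifier real addresses to work with. The FTP session from 198.51.100.20 is not reported because port 21 is on the allow-list, while the session to local port 1035 is, which mirrors the connection DJ singled out.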