Welcome to the JaguarPC Community

This is a discussion on Trojan on Platinum? in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    Aug 2002
    Location
    Tomball, Texas
    Posts
    11

    Trojan on Platinum?

    Trying to access my site via ftp, Norton Internet Security issued an alert that Sokets de Trois v1. Trojan horse virus was coming from my site knvsys.com(66.227.74.107)

    Now I can't tell if my site is down because Norton is blocking the ip address. I haven't accessed my site via ftp for a while now so I don't think it was anything I have done...

    Has anyone else seen this on Platinum or can tell me how this can happen?

    Norton Alert:

    Date: 5/19/2003 Time: 16:57:38
    Rule "Default Block Sokets de Trois v1. Trojan horse" blocked (66.94.130.34,5001). Details:
    Inbound TCP connection
    Local address,service is (66.94.130.34,5001)
    Remote address,service is (knvsys.com(66.227.74.107),ftp-data(20))
    Process name is "N/A"

  2. #2
    Administrator Eric
    Join Date
    Sep 2001
    Posts
    853
    Are you trying to access your FTP via port 20? If so, you shouldn't be. You should be accessing FTP on port 21. From looking at your output, you are trying to access FTP on the wrong port.
    Eric E. [eric@jaguarpc.com]
    Jaguar Technologies, LLC
    JaguarPC.com * DedicatedSpace.com

  3. #3
    JPC Member
    Join Date
    Aug 2002
    Location
    Tomball, Texas
    Posts
    11
    That seems to have been the problem but I don't know how that setting got changed... I have been using WS-FTP for years and never touched the advanced settings. Anyway, I set it to port 21 and everything's fine now.

    Thanks for pointing me in the right direction!

  4. #4
    Yeah, I know a LOT! Vin DSL
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by mousepusher
    That seems to have been the problem but I don't know how that setting got changed... I have been using WS-FTP for years and never touched the advanced settings. Anyway, I set it to port 21 and everything's fine now.

    Thanks for pointing me in the right direction!
    Hrm... let me throw a few ideas at you.

    First of all, you should dump FTP. It is very insecure. It's going to bite you in the butt one of these days, and it looks like that day is coming very soon. My suggestion is to use WinSCP2 instead. Check out this thread:

    SSH Revisited - Screw FTP - WinSCP Rules

    I don't mean to alarm you, but as far as this trojan goes, it's probably hiding inside a picture or a graphic on your web site. That's one of the ways it propagates itself. As far as I know, it isn't optimized for Linux, but who knows? However, your site may be spreading this trojan to Windows users, which, no doubt, you are using on your own PC.

    XP machines get this all the time. It usually uses port 5000, which is the XP plug 'n' play port, but it also uses port 1, 20, 21 and others. The important thing is to rid yourself of it pronto.

    'Soket de Troie' is a very advanced trojan with many nasty features. The name itself is a pun. It means 'Trojan of the socket.' The features include a domain scanner, finger, ICMP'er, ICQ stuff, IP converter, mail bomber, port bomber, port scanner, a search registry net, telnet, blah, blah, and blah...

    To help you get rid of it, you might want to check out this link:

    http://securityresponse.symantec.com...p.detroie.html

    Good luck, bro! And, quit using FTP on JagPC...

    EDIT: Here is the WinSCP2 link: http://winscp.vse.cz/eng/
    Last edited by Vin DSL; 05-20-2003 at 05:20 PM.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010
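
A triage helper for the Norton alert quoted in the first post, added here as an example and not part of any post in the thread: it parses the alert and checks whether the blocked flow has the shape of an active-mode FTP data connection (the server connecting from port 20 to an unprivileged port on the client), which is worth ruling in or out before acting on the rule name alone. The field layout is assumed from that single alert, and the function names are hypothetical.

```python
import re

# Alert text as quoted in the first post of this thread.
ALERT = """\
Date: 5/19/2003 Time: 16:57:38
Rule "Default Block Sokets de Trois v1. Trojan horse" blocked (66.94.130.34,5001). Details:
Inbound TCP connection
Local address,service is (66.94.130.34,5001)
Remote address,service is (knvsys.com(66.227.74.107),ftp-data(20))
Process name is "N/A"
"""

# Endpoint forms seen in the alert: (ip,port) and (host(ip),service(port)).
_ENDPOINT = re.compile(
    r"\((?:[\w.-]+\()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?,"
    r"(?:[\w-]+\()?(?P<port>\d+)\)?\)"
)

def parse_alert(text):
    """Extract rule name, direction, protocol and both endpoints from one alert."""
    rule = re.search(r'Rule "([^"]+)"', text)
    conn = re.search(r"^(Inbound|Outbound) (\w+) connection", text, re.M)
    local = re.search(r"^Local address,service is (.+)$", text, re.M)
    remote = re.search(r"^Remote address,service is (.+)$", text, re.M)
    if not (rule and conn and local and remote):
        raise ValueError("alert is missing an expected field")
    ends = {}
    for side, m in (("local", local), ("remote", remote)):
        ep = _ENDPOINT.fullmatch(m.group(1).strip())
        if ep is None:
            raise ValueError(f"unrecognised {side} endpoint: {m.group(1)!r}")
        ends[side] = (ep["ip"], int(ep["port"]))
    return {"rule": rule.group(1), "direction": conn.group(1),
            "proto": conn.group(2), **ends}

def looks_like_active_ftp_data(alert):
    """True when the blocked flow has the shape of an active-mode FTP data
    connection: inbound TCP from remote port 20 (ftp-data) to an
    unprivileged local port."""
    _, lport = alert["local"]
    _, rport = alert["remote"]
    return (alert["direction"] == "Inbound" and alert["proto"] == "TCP"
            and rport == 20 and lport >= 1024)

if __name__ == "__main__":
    a = parse_alert(ALERT)
    print(a["rule"], a["remote"], "->", a["local"],
          "active-FTP shape:", looks_like_active_ftp_data(a))
```

A `True` result only says the blocked packet is consistent with ordinary active-mode FTP; it says nothing about whether either host is clean.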
