Fair warning.

g33k0x42
500 Command not understood
Posts: 2
Joined: 2007-10-26 04:19

Fair warning.

#1 Post by g33k0x42 » 2007-10-26 04:21

Sygate Log.
My Services.exe seems to have your very questionable server attached to it.

I place the blame for this entirely in your hands.
Especially considering I have never (and will never) even consider using FileZilla.


------------------------------------------------

File Version : 0.9.23.0
File Description : Windows Services Control (services.exe)
File Path : c:\WINDOWS\system32\drivers\services.exe
Process ID : 0x3E8 (Heximal) 1000 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.2.11
Local Port : 4048
Remote Name : ip.filezilla-project.org
Remote Address : 82.96.98.58
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 00-13-a3-34-dc-07
Source: 00-18-f3-53-1f-da
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 64
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x689f (Correct)
Source: 192.168.2.11
Destination: 82.96.98.58
Transmission Control Protocol (TCP)
Source port: 4048
Destination port: 80
Sequence number: 1880395583
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x6d01 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 13 A3 34 DC 07 00 18 : F3 53 1F DA 08 00 45 00 | ...4.....S....E.
0010: 00 30 24 12 40 00 40 06 : 9F 68 C0 A8 02 0B 52 60 | .0$.@.@..h....R`
0020: 62 3A 0F D0 00 50 70 14 : 8F 3F 00 00 00 00 70 02 | b:...Pp..?....p.
0030: FA F0 01 6D 00 00 02 04 : 05 B4 01 01 04 02 7A 69 | ...m..........zi
0040: 6C 6C 61 2D 70 72 6F 6A : 65 63 74 03 | lla-project.
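
As an added example, not part of the thread and not FileZilla project code: a Python script that parses the "Binary dump of the packet" lines above, decodes the Ethernet II, IPv4 and TCP headers, recomputes both checksums from the raw bytes, and flags the reported image path, since the real services.exe belongs in system32 itself rather than a drivers subdirectory (that expected-location table is an assumption for a standard Windows install). Recomputing the sums shows that the log's "0x689f" and "0x6d01" are the on-wire fields 0x9F68 and 0x016D printed byte-swapped, and that the 14 bytes after the 48-byte IP datagram ("zilla-project") lie beyond the IP total length and so are not part of the packet.

```python
"""Decode the Sygate packet dump posted above and recompute its checksums."""
import struct

# Input copied from the post's "Binary dump of the packet" section.
SYGATE_DUMP = """\
0000: 00 13 A3 34 DC 07 00 18 : F3 53 1F DA 08 00 45 00 | ...4.....S....E.
0010: 00 30 24 12 40 00 40 06 : 9F 68 C0 A8 02 0B 52 60 | .0$.@.@..h....R`
0020: 62 3A 0F D0 00 50 70 14 : 8F 3F 00 00 00 00 70 02 | b:...Pp..?....p.
0030: FA F0 01 6D 00 00 02 04 : 05 B4 01 01 04 02 7A 69 | ...m..........zi
0040: 6C 6C 61 2D 70 72 6F 6A : 65 63 74 03 | lla-project.
"""

# Assumption: on a standard Windows install the real services.exe lives in system32 itself.
EXPECTED_IMAGE_DIR = {"services.exe": r"c:\windows\system32"}

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_dump(text):
    """Turn 'offset: xx xx : xx xx | ascii' lines into raw bytes."""
    raw = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("|", 1)[0]
        raw.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(raw)


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts):
    """Decode the option list; only MSS and SACK-permitted are named."""
    result, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2:
            result["mss"] = struct.unpack("!H", data)[0]
        elif kind == 4:
            result["sack_permitted"] = True
        else:
            result["kind_%d" % kind] = data.hex()
        i += length
    return result


def decode_frame(frame):
    """Decode Ethernet II / IPv4 / TCP and recompute both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = ip[12:16], ip[16:20]
    ip_hdr = ip[:ihl]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    # The TCP checksum covers a pseudo-header (addresses, protocol, segment length) plus the segment.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src_ip": ".".join(map(str, src)),
        "dst_ip": ".".join(map(str, dst)),
        "ttl": ip[8],
        "ip_checksum_stored": struct.unpack("!H", ip_hdr[10:12])[0],
        "ip_checksum_calc": checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "tcp_checksum_stored": struct.unpack("!H", tcp[16:18])[0],
        "tcp_checksum_calc": checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]),
        "options": parse_tcp_options(tcp[20:data_off]),
        # Bytes past the IP total length are outside the datagram (here "zilla-project").
        "trailer": frame[14 + total_len:],
    }


def image_path_suspicious(path):
    """True when a well-known binary name is reported from an unexpected directory."""
    directory, _, name = path.lower().rpartition("\\")
    expected = EXPECTED_IMAGE_DIR.get(name)
    return expected is not None and directory != expected


if __name__ == "__main__":
    info = decode_frame(parse_dump(SYGATE_DUMP))
    for key, value in info.items():
        print("%-20s %s" % (key, value))
    print("image path suspicious:",
          image_path_suspicious(r"c:\WINDOWS\system32\drivers\services.exe"))
```

Run it as a script to print the decoded fields; decode_frame returns a dictionary, so the same checks can be applied to any other Sygate dump pasted into SYGATE_DUMP.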

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2007-10-26 07:57

Looks like your box got cracked. Please format your drives and reinstall everything from a clean installation CD, and do not connect to the network before you have installed all available updates.

g33k0x42
500 Command not understood
Posts: 2
Joined: 2007-10-26 04:19

#3 Post by g33k0x42 » 2007-10-26 23:04

Doubtful.
What bothers me is why your software isn't detected by my anti-virus software. I'll be sending a copy of the file, log, and additional notes out to a few shortly though :P

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#4 Post by botg » 2007-10-26 23:31

g33k0x42 wrote: What bothers me is why your software isn't detected by my anti-virus software.
Why should it? Let me ask you this in return: Does your virus scanner detect Internet Explorer? After all you can do lots of mischief using Internet Explorer.

hotdog003
504 Command not implemented
Posts: 7
Joined: 2007-11-10 23:08

#5 Post by hotdog003 » 2007-11-11 01:50

I agree. Filezilla is a generic FTP server. Thousands of organizations legitimately use it.

Imagine this scenario: You have your box at home. While you walk away for a couple minutes to get a drink, a malicious nerd walks up and installs an FTP server (in this case, Filezilla) on your machine so he can get to your files later. Was that the makers of the FTP server's fault? Or was it the fault of the person who installed it?

FileZilla is not a cracking tool. Just as OpenSSH is not a cracking tool, but it can be used as such without adequate security. Just as the Windows RDP server that ships with WinXP professional is not a cracking tool, but if it is not secured properly, it can be used maliciously.

I would suggest installing a firewall that blocks incoming connections if you are that concerned about it. Not only will your uninvited FileZilla guest be blocked, but other threats won't be dangerous either. That way, even if your box does become compromised again, hackers won't be able to log in, so it won't do any damage.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#6 Post by botg » 2007-11-11 10:22

Instead of installing a useless firewall, you should go read a couple of books on how computers work.

hotdog003
504 Command not implemented
Posts: 7
Joined: 2007-11-10 23:08

#7 Post by hotdog003 » 2007-11-13 22:56

Botg, you're saying that a firewall wouldn't do any good at all? How come?

My logic is that sure, FileZilla server would still exist on his system, but nobody would be able to connect to it (thanks to the firewall) and thus it wouldn't do any damage.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#8 Post by botg » 2007-11-13 23:34

There are so many different ways of possible information flow. For example, one can easily tunnel arbitrary traffic through DNS requests, or simply invoke other programs which are whitelisted in the firewall (Internet Explorer? Firefox? Or whatever the browser is).

The _ONLY_ way to secure a system with a firewall is a whitelist approach which blocks all traffic in any direction on a packet level except to a very tiny set of ultimately trusted hosts.


Just look at the evolution of malware. In the past we had simple trojans, with the more publicly known ones being trojans like BackOrifice, Subseven or Netbus which just listened on some incoming port.
And now we have things like the infamous Storm worm. Fully encrypted, P2P based traffic, fully decentralized. This is a direct result of the typical user machine getting more 'secure'. Note that in most cases, infection is the direct result of a stupid user and not of some other security vulnerability.
Oh, free pr0n in my inbox, I so much need to open this executable *unzips his fly*
For the future, I can very much imagine malware that actively exploits firewalls without compromising the firewall.
- Computer A contacts computer B
- B's firewall logs this
- Malware on B sees that there was a connection attempt from A
- Repeat this in a special rhythm

Result: Arbitrary data exchange through a fully working firewall. Security gain through firewall: NONE.

GenniferFlowers
504 Command not implemented
Posts: 6
Joined: 2007-12-12 22:57
First name: Gennifer
Last name: Flowers

Re: Fair warning.

#9 Post by GenniferFlowers » 2007-12-12 23:33

FIREWALLS ONLY EXIST FOR THOSE WHO CANNOT CROSS TO THE OTHER SIDE!
