FTP Client Initiated from an SMTP Server

high Nessus Network Monitor Plugin ID 6246

Synopsis

The remote SMTP server has just been observed initiating an FTP outbound session and retrieving a file.

Description

The remote SMTP server has just been observed initiating an FTP outbound session and retrieving a file. This may be an indicator that the system has been compromised and attackers are now retrieving files to the local server.

Solution

Disable the SMTP service if it is not required. Additionally, the observed behavior is indicative of a system compromise.

Plugin Details

Severity: High

ID: 6246

Family: Backdoors

Published: 1/6/2012

Updated: 12/6/2016