Re: ftp server compromised

From: Tibor Biro (tiborbiroat_private)
Date: Wed Feb 12 2003 - 18:10:11 PST

Next message: David Hodges: "Re: ftp server compromised"

Previous message: Mark E. Donaldson: "RE: ftp server compromised"
In reply to: rbelchez@show-net.net: "ftp server compromised"
Next in thread: David Hodges: "Re: ftp server compromised"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

You should be able to delete some of those from the command prompt like
this:

rmdir \\.\c:\test\com1

or if there are spaces in the path:

rmdir "\\.\c:\test\    con2      "


Regards,
Tibor Biro
MCSE, MCDBA, MCSD


----- Original Message -----
From: <rbelchez@show-net.net>
To: <incidentsat_private>
Sent: Wednesday, February 12, 2003 8:20 PM
Subject: ftp server compromised


>
>
> Dear All,
>
> Pls advise..also apologize if this problem have already been posted here
> before.)
>
> huge amount of compressed movies have been uploaded on our FTP server
> w/out our consent. I tried to delete via windows explorer and DOS but the
> system is just giving error and files cannot be deleted.
>
> Kindly please advise, how to manualy delete this files, and also to
> protect our server from this to happen again. As per the IIS logs, he was
> able to login via anonymous and uploaded files. I know I have disabled
> the anonymous on the FTP but for some reason the hacker seems to have
> workaround on this. (copied here is the server logs .. pls advise...)
>
> 00:35:41 (IP withheld) [49]USER anonymous 331
> 00:35:41 (IP withheld) [49]PASS anonymousat_private 230
> 00:36:39 (IP withheld)[50]USER anonymous 331
> 00:36:39 (IP withheld)[50]PASS anonymousat_private 230
> 00:36:44 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
> 00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
> 00:36:59 (IP withheld)[51]USER anonymous 331
> 00:37:00 (IP withheld)[51]PASS anonymousat_private 230
> 00:39:10 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
> 00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
> 00:51:49 (IP withheld)[49]closed - 421
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: David Hodges: "Re: ftp server compromised"
Previous message: Mark E. Donaldson: "RE: ftp server compromised"
In reply to: rbelchez@show-net.net: "ftp server compromised"
Next in thread: David Hodges: "Re: ftp server compromised"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 21:12:25 PST