This happened to us through a carelessly-left-open anonymous account. From your logs, it looks like the same m.o. as the ones who got us. We closed the account and shut down ftp for a few days, which stopped the activity.

I was able to delete the files by using DOS (i.e. cmd.exe) and using the 8.3 filenames, not the long filenames (try DIR/X to see the short filenames). You can use DEL/S to delete a folder at a time.

David Hodges
Outermost Software

At 01:20 AM 2/13/2003 +0000, rbelchez@show-net.net wrote:
>Dear All,
>
>Pls advise..also apologize if this problem has already been posted here
>before.)
>
>A huge amount of compressed movies has been uploaded on our FTP server
>w/out our consent. I tried to delete via windows explorer and DOS but the
>system is just giving an error and the files cannot be deleted.
>
>Kindly please advise how to manually delete these files, and also how to
>protect our server from this happening again. As per the IIS logs, he was
>able to login via anonymous and uploaded files. I know I have disabled
>the anonymous on the FTP but for some reason the hacker seems to have a
>workaround on this. (copied here is the server logs .. pls advise...)
>
>00:35:41 (IP withheld) [49]USER anonymous 331
>00:35:41 (IP withheld) [49]PASS anonymousat_private 230
>00:36:39 (IP withheld)[50]USER anonymous 331
>00:36:39 (IP withheld)[50]PASS anonymousat_private 230
>00:36:44 (IP withheld)[50]
>sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
>,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
>00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
>00:36:59 (IP withheld)[51]USER anonymous 331
>00:37:00 (IP withheld)[51]PASS anonymousat_private 230
>00:39:10 (IP withheld)[50]
>sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
>,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
>00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
>00:51:49 (IP withheld)[49]closed - 421
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
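
A log check for the pattern in the quoted log, as an added example (not part of either message above): it ties each anonymous login to the files that session then created and lists path components padded with spaces. The sample lines and client addresses are constructed, and reading `+` as a space is an assumption about how the server wrote the log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted log; the client addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
00:35:41 192.0.2.10 [49]USER anonymous 331
00:35:41 192.0.2.10 [49]PASS guest@example.invalid 230
00:36:02 192.0.2.77 [52]USER webadmin 331
00:36:03 192.0.2.77 [52]PASS - 230
00:36:20 192.0.2.77 [52]created index.html 226
00:36:44 192.0.2.10 [49]sent /pub/++tmp+++/+x+/sample-upload.rar 550
00:36:49 192.0.2.10 [49]created sample-upload.rar 226
00:51:49 192.0.2.10 [49]closed - 421
"""

# time, client, [session id], verb, argument, status code
LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(.+?)\s*\[(\d+)\](\S+)\s+(.*?)\s*(\d{3})$")

def padded_components(path):
    """Path components that begin or end with a space (assumed logged as '+')."""
    parts = [p.replace("+", " ") for p in path.split("/") if p]
    return [p for p in parts if p != p.strip()]

def anonymous_uploads(log_text):
    """Map (client, session) -> created files and padded path components,
    for sessions that logged in as anonymous and then created files."""
    pending, anon = set(), set()
    report = defaultdict(lambda: {"created": [], "padded": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrecognised line
        _time, client, sid, verb, arg, status = m.groups()
        key = (client, sid)
        if verb == "USER":
            anon.discard(key)      # a new USER resets the session state
            pending.discard(key)
            if arg.lower() in ("anonymous", "ftp") and status == "331":
                pending.add(key)
        elif verb == "PASS" and key in pending:
            pending.discard(key)
            if status == "230":    # login accepted
                anon.add(key)
        elif key in anon:
            if verb == "created" and status == "226":
                report[key]["created"].append(arg)
            if "/" in arg:
                report[key]["padded"].extend(padded_components(arg))
    return {k: v for k, v in report.items() if v["created"]}
```

Entries that the mail client wrapped over several lines, as in the quoted log, have to be rejoined before they will match.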
This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 21:18:56 PST