Also, if you can, stop using FTP. If you're not supporting anonymous access then use SCP or ANYTHING.

-Denis

On Wed, 12 Feb 2003, Mark E. Donaldson wrote:

> IIS FTP compromise is actually quite a common and frequent problem. You
> basically have three problems to deal with here:
>
> 1) Until you pull the network connection wire, you will make no progress.
> That is step one.
>
> 2) These files and directories are normally not easy to delete. You will
> see some advice and references that state they can be successfully removed
> with "POSIX Compliant Tools". And yes, sometimes they are successful.
> However, I recommend you put the money out and buy a copy of WinHex. It
> will never fail. Follow these instructions: "Search for all occurrences of
> the filenames you need to dispose of using Search | Find Text, in Unicode,
> and replace all of them with any other filename. Schedule CHKDSK to run on
> that partition at next reboot. Reboot the machine. CHKDSK will then delete
> the files and restore the disk space back to free space."
>
> 3) Chances of identifying and eliminating all the hacked files at this
> point in time are very slim. Consider reformatting and re-installing
> from last known good (uncompromised) backup.
>
> Good luck. This is a tough spot to be in.
>
> -----Original Message-----
> From: rbelchez@show-net.net [mailto:rbelchez@show-net.net]
> Sent: Wednesday, February 12, 2003 5:21 PM
> To: incidentsat_private
> Subject: ftp server compromised
>
> Dear All,
>
> Pls advise... also apologize if this problem has already been posted here
> before.
>
> A huge amount of compressed movies have been uploaded on our FTP server
> w/out our consent. I tried to delete via Windows Explorer and DOS but the
> system is just giving an error and the files cannot be deleted.
>
> Kindly please advise how to manually delete these files, and also how to
> protect our server from this happening again.
>
> As per the IIS logs, he was able to login via anonymous and uploaded files.
> I know I have disabled anonymous on the FTP but for some reason the hacker
> seems to have a workaround on this. (Copied here are the server logs... pls
> advise...)
>
> 00:35:41 (IP withheld) [49]USER anonymous 331
> 00:35:41 (IP withheld) [49]PASS anonymousat_private 230
> 00:36:39 (IP withheld)[50]USER anonymous 331
> 00:36:39 (IP withheld)[50]PASS anonymousat_private 230
> 00:36:44 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
> 00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
> 00:36:59 (IP withheld)[51]USER anonymous 331
> 00:37:00 (IP withheld)[51]PASS anonymousat_private 230
> 00:39:10 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
> 00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
> 00:51:49 (IP withheld)[49]closed - 421
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
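A defender-side check for the kind of IIS FTP log excerpt quoted in this thread, added here as an example and not code from any of the posters: it parses lines of the form `HH:MM:SS ip [session]verb argument status`, flags sessions where an anonymous login was accepted (USER anonymous followed by PASS with status 230) on a server whose admin believed anonymous access was disabled, and flags uploaded path components that carry trailing-space padding (IIS logs spaces as "+") or begin with a Windows reserved device name (CON, PRN, AUX, NUL, COMn, LPTn). Both name tricks produce directories that the normal Win32 file APIs cannot address, which is consistent with the "cannot be deleted" symptom described above. The sample log, the placeholder IP 192.0.2.10 and the prefix-match heuristic are constructed assumptions.

```python
import re

# Constructed sample lines modelled on the log excerpt quoted in the thread.
# 192.0.2.10 is a documentation-range placeholder (the post withheld the IP)
# and the long "+"-padded path is shortened; the shape of each line is kept.
SAMPLE_LOG = """\
00:35:41 192.0.2.10 [49]USER anonymous 331
00:35:41 192.0.2.10 [49]PASS anonymousat_private 230
00:36:39 192.0.2.10 [50]USER anonymous 331
00:36:39 192.0.2.10 [50]PASS anonymousat_private 230
00:36:44 192.0.2.10 [50]sent /webmail+/++prn0+++++++/++++con2+++++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
00:36:49 192.0.2.10 [50]created xvid-mnlght-subs-nl-aen.rar 226
00:40:02 192.0.2.10 [51]USER backup 331
00:40:02 192.0.2.10 [51]PASS - 530
00:51:49 192.0.2.10 [49]closed - 421
"""

# time, client address, [session id], verb, single argument, 3-digit FTP status
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+)\s*"
    r"\[(?P<sess>\d+)\](?P<verb>\w+) (?P<arg>\S+) (?P<status>\d{3})$"
)

# Windows reserved device names. Matching on the *prefix* of a component
# (so "prn0" and "con2" are caught as well as "prn" and "con") is a
# deliberately broad heuristic: assumption that over-flagging is preferable
# to missing a directory that Explorer/DEL will later refuse to touch.
DEVICE_RE = re.compile(r"^(con|prn|aux|nul|com\d|lpt\d)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_components(path):
    """List (component, reasons) for path parts that abuse Win32 naming rules."""
    hits = []
    for comp in path.split("/"):
        reasons = []
        # Win32 strips trailing spaces from names, so a name that really ends
        # in spaces cannot be opened or deleted through the usual APIs.
        if comp and comp.rstrip("+ ") != comp:
            reasons.append("trailing-space padding")
        name = comp.strip("+ ")
        if name and DEVICE_RE.match(name):
            reasons.append("device-name prefix")
        if reasons:
            hits.append((comp, reasons))
    return hits


def analyze(log_text):
    """Scan a log and return a list of findings worth an analyst's attention."""
    findings = []
    pending_user = {}  # session id -> username seen in USER, awaiting PASS
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sess, verb = rec["sess"], rec["verb"].upper()
        arg, status = rec["arg"], rec["status"]
        if verb == "USER":
            pending_user[sess] = arg
        elif verb == "PASS":
            user = pending_user.pop(sess, "?")
            # 230 = login accepted; anonymous succeeding here contradicts the
            # belief that anonymous access is disabled.
            if user.lower() == "anonymous" and status == 230:
                findings.append({"type": "anonymous_login", "session": sess,
                                 "ip": rec["ip"], "time": rec["time"]})
        elif verb in ("SENT", "CREATED"):
            hits = suspicious_components(arg)
            if hits:
                findings.append({"type": "suspicious_path", "session": sess,
                                 "path": arg, "components": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run as-is it reports two accepted anonymous logins (sessions 49 and 50) and one upload path with three padded components, two of which also start with a device name; pointing `analyze` at a real log file is a matter of reading the file into `log_text`.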
This archive was generated by hypermail 2b30 : Thu Feb 13 2003 - 10:01:26 PST