Although I can't say much for the "I have disabled anonymous ftp" part, I can however tell you that this is common and known as pubbing in the warez community. This activity depicts scanning a range of IPs for FTPs that allow anon login. This is, of course, assuming you have no services running that are easily exploitable. If you do, chances are greater that a root kit was used, which can be nasty depending on which one was used.

----- Original Message -----
From: <rbelchez@show-net.net>
To: <incidentsat_private>
Sent: Wednesday, February 12, 2003 8:20 PM
Subject: ftp server compromised

>
> Dear All,
>
> Pls advise... also apologize if this problem has already been posted here
> before.
>
> A huge amount of compressed movies have been uploaded on our FTP server
> w/out our consent. I tried to delete via Windows Explorer and DOS but the
> system is just giving an error and the files cannot be deleted.
>
> Kindly please advise how to manually delete these files, and also how to
> protect our server from this happening again. As per the IIS logs, he was
> able to login via anonymous and upload files. I know I have disabled
> the anonymous on the FTP but for some reason the hacker seems to have
> a workaround on this. (copied here is the server logs .. pls advise...)
>
> 00:35:41 (IP withheld) [49]USER anonymous 331
> 00:35:41 (IP withheld) [49]PASS anonymousat_private 230
> 00:36:39 (IP withheld)[50]USER anonymous 331
> 00:36:39 (IP withheld)[50]PASS anonymousat_private 230
> 00:36:44 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
> 00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
> 00:36:59 (IP withheld)[51]USER anonymous 331
> 00:37:00 (IP withheld)[51]PASS anonymousat_private 230
> 00:39:10 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
> 00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
> 00:51:49 (IP withheld)[49]closed - 421
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
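An added example, not code from the thread or from either poster: a small Python parser for IIS FTP log lines in the format quoted above. It flags accepted anonymous logins, uploads made by those sessions, and path components that Windows Explorer and cmd.exe cannot remove through the normal file APIs (reserved device names, or names with leading/trailing spaces). The sample log, the client IP and the function names are constructed for this example; decoding '+' as a space is an assumption about how IIS encodes paths in its log.

```python
import re

# Windows reserved device names: a path component with one of these as its base
# name cannot be created or removed through the normal Win32 file APIs.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)}
# time client [session]command [argument] status  (assumed: IIS logs a space in a path as '+')
LINE_RE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+)(?: (\S+))? (\d{3})$")

# Constructed sample mirroring the quoted log (documentation-range IP, path shortened).
SAMPLE_LOG = """\
00:36:39 192.0.2.10 [50]USER anonymous 331
00:36:39 192.0.2.10 [50]PASS anonymous@example 230
00:36:44 192.0.2.10 [50]sent /webmail+/++prn0+++++++/++++con2+++++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
00:36:49 192.0.2.10 [50]created xvid-mnlght-subs-nl-aen.rar 226
00:40:02 192.0.2.10 [51]USER staff 331
00:40:02 192.0.2.10 [51]PASS ***** 230
00:40:30 192.0.2.10 [51]created /reports/q1.txt 226
"""

def component_problem(name):
    """Reason a decoded path component defeats Explorer/cmd deletion, or None."""
    base = name.strip(" ").split(".")[0].upper()
    if base in RESERVED:
        return "reserved device name"
    if name != name.strip(" "):
        return "leading/trailing spaces"
    return None

def analyze(log_text):
    """Return (anonymous session ids, list of (time, session, finding)) for IIS FTP log text."""
    pending_user, anon_sessions, findings = {}, set(), []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        time, _client, sid, cmd, arg, status = m.groups()
        if cmd == "USER":
            pending_user[sid] = (arg or "").lower()   # remember who this session claimed to be
        elif cmd == "PASS" and status == "230" and pending_user.get(sid) == "anonymous":
            anon_sessions.add(sid)                    # server accepted an anonymous login
            findings.append((time, sid, "anonymous login accepted"))
        elif cmd in ("sent", "created") and arg:
            if cmd == "created" and status == "226" and sid in anon_sessions:
                findings.append((time, sid, f"upload by anonymous session: {arg}"))
            for part in arg.replace("+", " ").split("/"):   # decode IIS '+' and walk components
                why = component_problem(part)
                if why:
                    findings.append((time, sid, f"path component {part!r}: {why}"))
    return anon_sessions, findings
```

Entries of the "path component" kind are the directories that need the `\\?\` path-prefix form (which bypasses Win32 name parsing) to be removed on the server.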
This archive was generated by hypermail 2b30 : Thu Feb 13 2003 - 10:07:50 PST