Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: MS IIS 5 server is hacked leaving undeletable folders and files

From: "Jimmy Sansi" <jsansi () ritzfoodservice com>
Date: Thu, 2 Jan 2003 10:06:19 -0800
It seems you have found out the problems with running an
'open' FTP server. It sounds like you may be running FAT instead
of NTFS, which would not be recomended especially for a machine
accessible to the outside world.

I would suggest that you set the permissions on the FTP directories
and remove anonymous access, or use a different account name
for anonymous type logons. Going a step further you could create
a virtual directory(use a unique name, 'incoming' or 'upload' are
to easily guessed) for uploading files. Its not 100%, but
the slight inconvienence would save you from trivial exploits.

Cheers,
-Jimmy


-----Original Message-----
From: Don Phillipe [mailto:donphillipe () hotmail com]
Sent: Tuesday, December 31, 2002 11:44 AM
To: security-basics () securityfocus com
Subject: MS IIS 5 server is hacked leaving undeletable folders and files


I have a small server I use for my home business and use it mainly for
anyone who needs to send a large file that will not go through email.  I
have an anonymous UPLOAD FTP account that I open up to receive these.  From
time to time I forget and leave this open (I know this is stupid but I
thought I could just erase anything that was put there because the small
drive would fill up real soon).  However, I see someone has hacked into my
server and put a bunch of trash that I cannot delete because when I try to
delete it, Windows 2K says "cannot find the specified file".   I have spent
2 days researching this and cannot find any reference of how to correct
this.   I did find some reference to looking at the security tab for these
files but the security tab is missing!  I found some tools which are
supposed to set owners for files and they don't work on these files.   Here
is the log from where the hacker attacked below.  Any help would be
appreciated.  I don't want to have to rebuild my server if possible:



#Software: Microsoft Internet Information Services 5.0

#Version: 1.0

#Date: 2002-12-30 06:38:21

#Fields: time c-ip cs-method cs-uri-stem sc-status

06:38:21 80.11.214.63 [1]USER anonymous 331

06:38:21 80.11.214.63 [1]PASS anonymous () on the net 230

06:38:24 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%
d%D+/divx/rpc-acb.043 550

06:54:31 80.11.214.63 [1]created rpc-acb.043 226

06:54:32 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%
d%D+/divx/rpc-acb.044 550

07:10:38 80.11.214.63 [1]created rpc-acb.044 226
Previous By Date Next
Previous By Thread Next

Current thread: