Security Incidents mailing list archives

Re: ftp server compromised


From: "Tibor Biro" <tiborbiro () rogers com>
Date: Wed, 12 Feb 2003 21:10:11 -0500

You should be able to delete some of those from the command prompt like
this:

rmdir \\.\c:\test\com1

or if there are spaces in the path:

rmdir "\\.\c:\test\    con2      "


Regards,
Tibor Biro
MCSE, MCDBA, MCSD


----- Original Message -----
From: <rbelchez () show-net net>
To: <incidents () securityfocus com>
Sent: Wednesday, February 12, 2003 8:20 PM
Subject: ftp server compromised




Dear All,

Pls advise.. (also apologize if this problem has already been posted here
before.)

A huge amount of compressed movies has been uploaded on our FTP server
w/out our consent. I tried to delete via Windows Explorer and DOS but the
system is just giving an error and the files cannot be deleted.

Kindly please advise how to manually delete these files, and also how to
protect our server from this happening again. As per the IIS logs, he was
able to log in via anonymous and upload files. I know I have disabled
the anonymous on the FTP but for some reason the hacker seems to have
a workaround on this. (copied here is the server logs .. pls advise...)

00:35:41 (IP withheld) [49]USER anonymous 331
00:35:41 (IP withheld) [49]PASS anonymous () on the net 230
00:36:39 (IP withheld)[50]USER anonymous 331
00:36:39 (IP withheld)[50]PASS anonymous () on the net 230
00:36:44 (IP withheld)[50] sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
00:36:59 (IP withheld)[51]USER anonymous 331
00:37:00 (IP withheld)[51]PASS anonymous () on the net 230
00:39:10 (IP withheld)[50] sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
00:51:49 (IP withheld)[49]closed - 421



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
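
A log check for the directory names seen in this thread, as an added example that is not part of either post: it flags transfers whose path contains a space-padded or reserved-device component and builds the `\\.\` path form used in the reply. The sample lines, the placeholder addresses and the reading of `+` as a logged space are assumptions.

```python
import re

# Constructed sample lines in the layout of the log quoted above (addresses are
# documentation-range placeholders). Assumption: "+" in a logged path is a space.
SAMPLE_LOG = """\
00:35:41 192.0.2.10 [49]USER anonymous 331
00:36:44 192.0.2.10 [50]sent /webmail+/++prn0+++++++/++++con2+++++/Filled+By/movie.rar 550
00:36:49 192.0.2.10 [50]created /pub/readme.txt 226
00:40:02 192.0.2.10 [51]created /upload/com1/a.rar 226
"""

LINE = re.compile(r"^(\S+) (\S+) ?\[(\d+)\](sent|created) (\S+) (\d{3})$")
# Win32 reserved device names, with or without an extension.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)


def odd_components(logged_path):
    """Return (component, reason) pairs for padded or device-style names."""
    findings = []
    for part in logged_path.replace("+", " ").split("/"):
        if not part:
            continue
        if part != part.strip() or part.endswith("."):
            findings.append((part, "space/dot padding"))
        elif RESERVED.match(part):
            findings.append((part, "reserved device name"))
    return findings


def scan(log_text):
    """Return (time, client, session, verb, findings) for flagged transfers."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and (found := odd_components(m.group(5))):
            hits.append((m.group(1), m.group(2), m.group(3), m.group(4), found))
    return hits


def device_path(ftp_root, logged_dir):
    r"""Build the \\.\ form from the reply so the padding reaches the filesystem."""
    rel = logged_dir.replace("+", " ").strip("/").replace("/", "\\")
    return "\\\\.\\" + ftp_root.rstrip("\\") + "\\" + rel


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print('rmdir "%s"' % device_path(r"c:\test", "/++++con2+++++"))
```
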


