Security Incidents mailing list archives

Re: ftp server compromised


From: David Hodges <dhodges () outermost com>
Date: Wed, 12 Feb 2003 22:33:18 -0500

This happened to us through a carelessly-left-open anonymous account. From your logs, it looks like the same m.o. as the ones who got us. We closed the account and shut down ftp for a few days, which stopped the activity.

I was able to delete the files by using DOS (i.e. cmd.exe) and using the 8.3 filenames, not the long filenames (try DIR /X to see the short filenames). You can use DEL /S to delete a folder at a time.

David Hodges
Outermost Software

At 01:20 AM 2/13/2003 +0000, rbelchez () show-net net wrote:


Dear All,

Please advise. Also, apologies if this problem has already been posted here
before.

A huge amount of compressed movies has been uploaded to our FTP server
without our consent. I tried to delete them via Windows Explorer and DOS, but
the system just gives an error and the files cannot be deleted.

Kindly advise how to manually delete these files, and also how to
protect our server from this happening again. As per the IIS logs, he was
able to log in via anonymous and upload files. I know I have disabled
anonymous on the FTP, but for some reason the hacker seems to have a
workaround for this. (Copied here are the server logs; please advise.)

00:35:41 (IP withheld) [49]USER anonymous 331
00:35:41 (IP withheld) [49]PASS anonymous () on the net 230
00:36:39 (IP withheld)[50]USER anonymous 331
00:36:39 (IP withheld)[50]PASS anonymous () on the net 230
00:36:44 (IP withheld)[50]sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
00:36:59 (IP withheld)[51]USER anonymous 331
00:37:00 (IP withheld)[51]PASS anonymous () on the net 230
00:39:10 (IP withheld)[50]sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
00:51:49 (IP withheld)[49]closed - 421
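
The following is an added example, not code from either poster: it parses the IIS FTP log excerpt quoted above, lists the anonymous sessions that actually stored files, and explains why the resulting directory names defeat Explorer and cmd.exe long-name deletion (trailing spaces, reserved device names, paths past MAX_PATH), which is what makes the 8.3 short name or the \\?\ prefix necessary. It assumes the log encodes spaces as '+', as W3C-format IIS logs do, and the ftp_root value is a hypothetical local path. The parser also accepts real log lines with an IP address in place of the poster's "(IP withheld)".

```python
"""Triage helper for an IIS FTP log excerpt: find the anonymous sessions
that uploaded files, and explain why the resulting paths resist deletion
from Explorer and cmd.exe. Added example, not from the original thread."""
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the thread, with each 'sent'
# entry re-joined onto one line and the poster's "(IP withheld)" kept.
SAMPLE_LOG = """\
00:35:41 (IP withheld) [49]USER anonymous 331
00:35:41 (IP withheld) [49]PASS anonymous () on the net 230
00:36:39 (IP withheld)[50]USER anonymous 331
00:36:39 (IP withheld)[50]PASS anonymous () on the net 230
00:36:44 (IP withheld)[50]sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
00:36:59 (IP withheld)[51]USER anonymous 331
00:37:00 (IP withheld)[51]PASS anonymous () on the net 230
00:39:10 (IP withheld)[50]sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
00:51:49 (IP withheld)[49]closed - 421
"""

# time, client (IP or the poster's placeholder), [session]command, argument, FTP reply code
LINE = re.compile(r'^(?P<time>\d\d:\d\d:\d\d) (?P<client>\(IP withheld\)|\S+) ?'
                  r'\[(?P<sess>\d+)\](?P<cmd>\w+) (?P<arg>.*) (?P<status>\d{3})$')

# Win32 reserves these basenames regardless of extension or case.
RESERVED = re.compile(r'^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$', re.I)
MAX_PATH = 260  # classic limit for paths that lack the \\?\ prefix


def decode(arg):
    # Assumption: the log encodes spaces as '+', as W3C-format IIS logs do.
    return arg.replace('+', ' ')


def parse_log(text):
    """Return {session_id: {'user', 'authenticated', 'uploads'}}."""
    sessions = defaultdict(lambda: {'user': None, 'authenticated': False,
                                    'uploads': []})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate wrapped or truncated lines
        s = sessions[m['sess']]
        cmd, status = m['cmd'], m['status']
        if cmd == 'USER':
            s['user'] = m['arg']
        elif cmd == 'PASS' and status == '230':
            s['authenticated'] = True  # 230 = login succeeded
        elif cmd == 'created' and status == '226':
            s['uploads'].append(decode(m['arg']))  # 226 = transfer complete
    return dict(sessions)


def anonymous_uploads(sessions):
    """Sessions that logged in as anonymous and stored at least one file."""
    return [(sid, s['uploads']) for sid, s in sorted(sessions.items())
            if s['authenticated'] and s['user'] == 'anonymous' and s['uploads']]


def deletion_obstacles(logged_path):
    """Explain why Explorer/cmd cannot address a logged path by its long name."""
    path = decode(logged_path)
    problems = []
    for comp in path.strip('/').split('/'):
        if comp != comp.rstrip(' .'):
            # The long-name parser silently strips trailing spaces and dots,
            # so the name you type never matches the one on disk.
            problems.append(f'trailing space/dot in {comp!r}')
        if RESERVED.match(comp.strip()):
            problems.append(f'reserved device name {comp.strip()!r}')
    if len(path) > MAX_PATH:
        problems.append(f'path length {len(path)} exceeds MAX_PATH')
    return problems


def extended_length_path(ftp_root, logged_path):
    # Build the \\?\ form, which tells Win32 to skip name normalisation so the
    # directory can be removed (e.g. with shutil.rmtree on Windows) without
    # hunting for its 8.3 short name. ftp_root is an assumed local root.
    rel = decode(logged_path).strip('/').replace('/', '\\')
    return '\\\\?\\' + ftp_root.rstrip('\\') + '\\' + rel


if __name__ == '__main__':
    found = parse_log(SAMPLE_LOG)
    for sid, files in anonymous_uploads(found):
        print(f'session {sid} (anonymous) stored: {files}')
    first_sent = '/webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar'
    for reason in deletion_obstacles(first_sent):
        print('obstacle:', reason)
    print('delete via:', extended_length_path('D:\\ftproot', first_sent))
```

Every directory in the logged path ends in spaces, which is why a plain `del` or Explorer delete reports the object as missing: the name that reaches NTFS is the trimmed one. Addressing the tree by its short name (as David suggests) or by the \\?\ path sidesteps that trimming; the reply codes (230 on PASS, 226 on created) are what confirm that anonymous logins were both accepted and used for uploads, so the anonymous setting on the FTP site is the thing to re-check.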



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


