Re: IIS web server hacked..any tips?

[Tim Igoe <tim () igoe me uk>]

Francesco wrote:

> I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
> and ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP is
> additionally protected by authentication.
>
> Yesterday someone managed to access the server and dump 8GB of DVD files
> into a deeply nested folder in a backup directory, for sharing I
> presume.  The payload folder was NOT within the available folders given
> access to FTP users.  Someone was able to "see" the entire D drive and
> figure out a hidden enough location at their whimsy.
>
> I thought the server was fairly well locked down, but apparently not.
> What is the usual method of intrusion for "warez" attacks like these?
>
> Francesco
>  
I can't really give a lot of help here, but a few days ago a friend 
noticed his (Win2k) IIS FTP had been used for a warez dump too, I 
couldn't work out how however, using the anonymous (which is disabled) 
username in the logs. The folder that was used, I couldn't get into 
using an FTP client nor could he access directly from the box. It had a 
name of nothing, in the logs showing as /+/

Again, it seemed to be uploading warez, didn't see any downloading in 
the logs however.

We've managed to delete it now, and shut the FTP off but I've no idea 
how the attacker got in, would like to find out myself

Windows was fully up to date, this some un-known security hole?

Tim