Re: strange exploit in Win2K server

From: Ricardo Augusto (ricardo@ifx.com.br)
Date: 12/06/01


From: "Ricardo Augusto" <ricardo@ifx.com.br>
To: <focus-ms@securityfocus.com>
Date: Thu, 6 Dec 2001 14:11:49 -0300

Maybe you left the anonymous ftp open with write permissions.

About the directory named com1, there's an article at Microsoft that explains how to erase it (http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q120716).

Ricardo Augusto
SA (MCSE)
IFX Networks

----- Original Message -----
From: "Dan Norton" <dan@ware.net>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, December 05, 2001 11:56 PM
Subject: strange exploit in Win2K server

OK, I had just installed Win2K server with SP2 and all the hotfixes on a
server and given it a public IP. Terminal services was also installed.

Within a few days I noticed that outbound traffic from the server was
quite high, so I fired up EtherPeek and found that FTP was being used to
transfer MP3 files from the machine to an address on telia.com.

After pulling the network plug I checked out the hard drive. The
"groups" directory was 4 GB! In the folder for one of the websites,
there was a directory called "com1" which I was unable to open. When I
double clicked on the folder in explorer, the window froze. When I used
DOS and tried to cd to the directory, it returned an error of "the
parameter is incorrect."

I also noticed that my internet services control panel is now completely
missing.

What happened? Rather, how was this machine exploited so quickly and
with all the latest fixes?

It was running IIS5.

Dan Norton
Network Administrator

deveyn@aol.com
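
An added example, not part of either message above: a small Python check for the kind of directory described in this thread, one whose name is a reserved DOS device name such as "com1", which is why Explorer and cd cannot open it. It flags such names in a directory listing and prints each path in the \\?\ extended form, which Win32 accepts without reserved-name parsing. The sample paths are constructed, and the \\?\ form is this example's own choice, not taken from the linked article.

```python
from pathlib import PureWindowsPath

# DOS device names that the Win32 path parser reserves.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}


def is_reserved(component: str) -> bool:
    """True if Win32 would treat this path component as a device name."""
    # The match ignores case, any extension, and trailing spaces or dots.
    base = component.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED


def reserved_components(path: str) -> list[str]:
    """Return the components of a Windows path that are reserved names."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts  # skip the drive/root part
    return [c for c in parts if is_reserved(c)]


def extended_form(path: str) -> str:
    """Return the absolute path with the extended-length prefix added."""
    p = PureWindowsPath(path)
    if not p.drive or not p.root:
        raise ValueError("extended-length form needs an absolute path")
    return "\\\\?\\" + str(p)  # backslash, backslash, ?, backslash


# Constructed sample listing (for illustration, not from the affected server).
SAMPLE = [
    r"D:\Inetpub\groups\site1\com1",
    r"D:\Inetpub\groups\site1\images",
    r"D:\Inetpub\ftproot\pub\LPT3.bak\x",
    r"D:\Inetpub\wwwroot\compress",
]


def scan(paths):
    """Pair every path that contains a reserved name with its extended form."""
    return [(p, extended_form(p)) for p in paths if reserved_components(p)]


if __name__ == "__main__":
    for original, extended in scan(SAMPLE):
        print(f"{original}  ->  {extended}")
```
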


