Re: ftp server compromised
From: Tibor Biro (tiborbiro@rogers.com)
Date: 02/13/03
- Previous message: Mark E. Donaldson: "RE: ftp server compromised"
- In reply to: rbelchez@show-net.net: "ftp server compromised"
- Next in thread: David Hodges: "Re: ftp server compromised"
From: "Tibor Biro" <tiborbiro@rogers.com>
To: <rbelchez@show-net.net>, <incidents@securityfocus.com>
Date: Wed, 12 Feb 2003 21:10:11 -0500
You should be able to delete some of those from the command prompt like
this:
rmdir \\.\c:\test\com1
or if there are spaces in the path:
rmdir "\\.\c:\test\ con2 "
Regards,
Tibor Biro
MCSE, MCDBA, MCSD
----- Original Message -----
From: <rbelchez@show-net.net>
To: <incidents@securityfocus.com>
Sent: Wednesday, February 12, 2003 8:20 PM
Subject: ftp server compromised
>
>
> Dear All,
>
> Pls advise.. (also apologize if this problem has already been posted here
> before.)
>
> huge amount of compressed movies have been uploaded on our FTP server
> w/out our consent. I tried to delete via windows explorer and DOS but the
> system is just giving error and files cannot be deleted.
>
> Kindly please advise, how to manually delete these files, and also to
> protect our server from this happening again. As per the IIS logs, he was
> able to login via anonymous and uploaded files. I know I have disabled
> the anonymous on the FTP but for some reason the hacker seems to have
> a workaround on this. (copied here is the server logs .. pls advise...)
>
> 00:35:41 (IP withheld) [49]USER anonymous 331
> 00:35:41 (IP withheld) [49]PASS anonymous@on.the.net 230
> 00:36:39 (IP withheld)[50]USER anonymous 331
> 00:36:39 (IP withheld)[50]PASS anonymous@on.the.net 230
> 00:36:44 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
> 00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
> 00:36:59 (IP withheld)[51]USER anonymous 331
> 00:37:00 (IP withheld)[51]PASS anonymous@on.the.net 230
> 00:39:10 (IP withheld)[50]
> sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3
> ,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
> 00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
> 00:51:49 (IP withheld)[49]closed - 421
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
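An added example, not part of the original messages: a Python sketch that scans FTP log lines in the layout quoted above and flags path components that Explorer and plain `rmdir` cannot address, which is why the reply uses the `\\.\` prefix. It assumes `+` in the logged path stands for a space; the sample log, the function names and the "lookalike" heuristic for names such as `prn0` and `con2` are constructed for illustration.

```python
import re

# Win32 reserved device names (case-insensitive, with or without an extension).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
# Heuristic (assumption): device name plus other digits, e.g. "prn0" or "con2".
LOOKALIKE = re.compile(r"^(CON|PRN|AUX|NUL|COM|LPT)\d*$", re.I)
LINE_RE = re.compile(r"\[(\d+)\]\s*(?:sent|created)\s+(\S+)\s+\d{3}\s*$")

# Constructed sample in the layout of the log quoted in the thread.
SAMPLE_LOG = """\
00:36:44 (IP withheld) [50]sent /webmail+/++prn0+++++++/++++con2+++++/Filled+By/movie.rar 550
00:36:49 (IP withheld) [50]created movie.rar 226
00:40:02 (IP withheld) [52]created /pub/com1/readme.txt 226
00:41:15 (IP withheld) [53]sent /pub/docs/manual.pdf 226
"""

def classify_component(name):
    """Return the reasons a path component is awkward for the normal Win32 path API."""
    reasons = []
    stem = name.strip(" ").split(".")[0]
    if stem.upper() in RESERVED:
        reasons.append("reserved-device-name")
    elif LOOKALIKE.match(stem):
        reasons.append("device-name-lookalike")
    if name != name.rstrip(" ."):
        reasons.append("trailing-space-or-dot")  # stripped by Win32 path normalization
    if name != name.lstrip(" "):
        reasons.append("leading-space")
    return reasons

def suspicious_paths(log_text):
    """Yield (session_id, decoded_path, {component: reasons}) for flagged log lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        path = m.group(2).replace("+", " ")  # assumption: '+' encodes a space
        flagged = {}
        for comp in filter(None, path.split("/")):
            reasons = classify_component(comp)
            if reasons:
                flagged[comp] = reasons
        if flagged:
            yield int(m.group(1)), path, flagged

if __name__ == "__main__":
    for session, path, flagged in suspicious_paths(SAMPLE_LOG):
        print(session, repr(path), flagged)
```

Each flagged component marks a directory that will likely need the `\\.\` form of `rmdir` shown in the reply, and the session number ties it back to the login that created it.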