Re: HACKING Attempt on FTP Server

From: ComSec (comsec_at_operamail.com)
Date: 08/27/03

• Next message: sam: "how to deploy X509 certificates to 300 remote hosts?"
• Previous message: Walter Roberson: "Re: one time pads"
• In reply to: paul vudmaska: "HACKING Attempt on FTP Server"
• Next in thread: paul vudmaska: "Re: HACKING Attempt on FTP Server"
• Reply: paul vudmaska: "Re: HACKING Attempt on FTP Server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 26 Aug 2003 20:55:05 -0700

paul@vudmaska.com (paul vudmaska) wrote in message news:<c02e4c1b.0308241028.34d20bfa@posting.google.com>...
> I've have the unsettling feeling that someone has infiltrated my
> Windows 2000 Server box. I'm fully patched and all but just some
> curious things are happening.
>
> For one: i get this message periodically in event viewer:
>
> FTP Server could not create a client worker thread for user at host
> 81.48.157.134. The connection to this user is terminated. The data
> is the error.
>
> With different ips. (a french location above) Not my own. None have
> access to my server. I hope. Does this mean that the user at that HAD
> access, or is this a popular scanning routine?
>
> Then when i go look in my ftp logs, i find that some of the days are
> missing. They are just not there. Maybe i just did not use ftp that
> day?

sounds like you might have been accessed by your logs being
deleted..if i were you i would scan for a trojan..and take steps to
remove it if found.

also change your password and install a anti hammer..blocks login
after 3-4-5 failed attempts if that was how they gained access...also
check your up to date with patches

check for any obscure files , folders, scripts etc

also from your logs data (from day 1 of suspected attack)... do a
search for files created on that date.

regards

C

--
http://www.how-to-hack.org

• Next message: sam: "how to deploy X509 certificates to 300 remote hosts?"
• Previous message: Walter Roberson: "Re: one time pads"
• In reply to: paul vudmaska: "HACKING Attempt on FTP Server"
• Next in thread: paul vudmaska: "Re: HACKING Attempt on FTP Server"
• Reply: paul vudmaska: "Re: HACKING Attempt on FTP Server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Help with IPFW + NATD + Passive FTP ... passive FTP connections through IPFW with NATD enabled. ... $cmd 005 allow all from any to any via dc0 ... # Interface facing Public internet ... # Allow out access to my ISP's Domain name server. ... (freebsd-questions) RE: Client Computers cannot upload or download from Remote FTP ser ... SBS External NIC - Cannot FTP From this server ... SBS Internal NIC ... FTP server is Checked in Routing and Remote Access - Internet Connection - ... (microsoft.public.windows.server.sbs) RE: Client Computers cannot upload or download from Remote FTP ser ... Only FTP via the MS DOS FTP Client ... The server that works is a member of the SBS's Domain, BUT as I indicated, ... the router, not the SBS server. ... The client event log has nothing related logged. ... (microsoft.public.windows.server.sbs) Re: Is this a 3-Leg Perimeter scenario? ... Do you mean the FTP server is hosted on the ... to control the traffic to not go though ISA but go to SmoothWall directly. ... Microsoft CSS Online Newsgroup Support ... (microsoft.public.windows.server.sbs) Re: IIS 6.0 FTP ... That's the point I'm making--you are testing the wrong server. ... your FTP server is ftp.kilduff.com. ... than IIS? ... I understand your have the order entry program, ... (microsoft.public.inetserver.iis.ftp)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint