Re: Hackers Tag FTP Server; Can't Erase Folders, Files

From: Pamela Fong (fong@caltech.edu)
Date: 09/13/02 

From: "Pamela Fong" <fong@caltech.edu>
Date: Fri, 13 Sep 2002 09:44:30 -0700

Thanks to those who responded to me in person. Quite
inspiring to see such spirit. This Microsoft article
summarizes the responses sent to me.

http://support.microsoft.com/default.aspx?scid=kb;en-
us;Q320081

I'll have to track down a copy of the subinacl utility.
Seems like I must have a case of the "Combo of Causes"
situation. I understand now the suggestion of limiting
folders from being created via ftp. This prevents the
problem of too long path or filenames problem. Folders
are such useful things to separate the inputs of our
various collaborators, but if this will thwart the hacker
scripts, we will give a shot at that.

Thank you all!
---Pam

>-----Original Message-----
FYI - once you've rebuilt the server, I would suggest the
>following:
>
>1. Create an NT "User" account for ftp use only.
>2. Choose a drive that you can lockdown (at the drive
>root)to maintain your ftp files - . Ensure Admins and
>Domain Admins (if you're on a network) have full access
and
>EVERYONE [full access] is changed to EVERYONE [read]
>3. Create a directory for ftp - apply NTFS permissions
> - admins [full access],
> - domain admins [full access],
> - the ftp user you created. Right click the folder, go
>to the security tab, select the ftp user account, select
>the "advanced" button. On the "permissions" tab, again
>select the ftp user account, then select the "View/Edit"
>button. Ensure the account only has those permissions it
>needs (i.e. do NOT allow it to create folders, change
>attributes, etc.).
>4. Now - TEST, TEST, TEST. Ensure that you cannot login
>with a different account, the "correct" account cannot
>create folders (only files), etc.
>5. Watch your ftp logs - any IP attempting to hack in
>should be added to the "deny access" list in the IIS
>Console. Caveat - you're probably better off setting up an
>"allow access" list either through IIS or a firewall
>(preferred) since the deny list is going to grow rapidly.
>
>ok - that's my free advice for the day. good luck and
>ALWAYS review you logs each day unless you really don't
>care if someone is trying to hack your environment....
>
>- shadowchimera
>
>btw - i don't take responsiblity for any of this. it is a
>microsoft platform afterall :)
>
>
>>-----Original Message-----
>>>Our anonymous ftp dropbox running on W2K Pro keeps
getting
>>>tagged by hackers.
>>
>>Kinda think you'd learn after the first half-dozen times
>or so... :)
>>
>>>There is one folder, however, that I cannot seem to
delete
>>>at all with DOS or POSIX tools. When I try to delete
it,
>>>it says I don't have access. In Windows, it doesn't
have
>>>a Security tag. And I'm unable to take ownership of it
>>>via taking ownership of the containing folder and
>>>propagating it down to child contents.
>>
>>>Any suggestions how to delete this item, and how to
>>>prevent future such difficult to delete items from
being
>>>deposited?
>>
>>Wipe the system and reinstall may be your only option,
and
>it's not a
>>bad one. Why do you allow anonymous users the right to
>create folders
>>anyway? And are you sure you haven't been compromised in
>other ways?
>>
>>Jeff
>>.
>>
>.
>