Re: FTP files dissappearing!!

From: x y, mvp (levinson_k@despammed.com)
Date: 04/05/03

• Next message: x y, mvp: "Re: Attachment problems with Outlook express"
• Previous message: Jim Lowry: "Re: Unable to use Localhost"
• In reply to: BB: "Re: FTP files dissappearing!!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "x y, mvp" <levinson_k@despammed.com>
Date: Sat, 5 Apr 2003 08:46:58 -0500

I don't see any reason why you couldn't also easily enable a free sniffer to
see who is doing this:

http://securityadmin.info/faq.htm#sniffer

Additionally, you should be able to enable FTP logging and logging on your
firewall and router. Synchronizing the time on your FTP server and firewall
and then correlating the two logs may help you determine which IP address is
being used to delete the files. Windows auditing is a good idea too for
general security, though both the Windows auditing logs and FTP logs might
not help much if you're allowing anonymous FTP, hence the reason for adding
in the router or firewall logs, though if your FTP server is used by many
users at once, that can make the log entries a little tricky to correlate.

http://securityadmin.info/faq.htm#auditing

And perhaps you should be removing the Delete permission from these files?
You can set this even on newly uploaded / created files using a batch file
or script that runs CACLS or XCACLS every 10 minutes if necessary.

"BB" <Bernard_at_3exp.com> wrote in message
news:e6KRqZ2#CHA.2820@TK2MSFTNGP11.phx.gbl...
> Try enable auditing on login and file access,
> Refer
> http://support.microsoft.com/?id=186374
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
>
>
> "Mukando" <mukando@hotmail.com> wrote in message
> news:004201c2fb45$875931c0$3401280a@phx.gbl...
> > This one is very complex. In short, files are being
> > deleted from the FTP server, but there is no way to find
> > out who is doing it without a packet analyzer. The server
> > is running NT4 with all the latest patches, but for some
> > reason someone is deleting files of the server in one
> > particular folder which is an FTP folder. Any thoughts?
>
>

---

• Next message: x y, mvp: "Re: Attachment problems with Outlook express"
• Previous message: Jim Lowry: "Re: Unable to use Localhost"
• In reply to: BB: "Re: FTP files dissappearing!!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: odd proftpd activity ... Possible security hole. ... reason you're running an ftp server? ... Unless you're running an anon FTP ... Is there any particular reason you need to run your own DNS? ... (comp.os.linux.security) Re: data transfer ... Check your logs manually or download one of the many trialware log analyzers ... guessed somebody was using your FTP server (check your FTP default ... >> Are you sure you want the ftp server service running on your SBS???? ... (microsoft.public.windows.server.sbs) [Full-disclosure] Ipswitch FTP XSS leads to FTP server compromise ... Ipswitch FTP XSS leads to FTP server compromise. ... There is XSS vulnerability when the WS_FTP server logs client FTP ... We've created a little PoC that will create a new system administrator ... (Full-Disclosure) Re: is someone hacking me? ... > I am getting tons of these in my logs. ... I take it you have your FTP service running. ... If you are not intentionally running an FTP server, ... wuftpd PID and probably need edit your /etc/xinetd.d/wuftpd or ... (comp.os.linux.security) Re: ftp server setup ... I think the reason is my zonealarm is blocking access to my port 21. ... I open my open 21 so that my ftp server service can work? ... (comp.security.firewalls)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)