Re: FTP Hacked - Can't Delete Files as Admin

From: Alun Jones [MS] (alunj_at_online.microsoft.com)
Date: Thu, 10 Jun 2004 09:05:39 -0700


"FreeWilly" <spamthehellouttameplease@thankyou.com> wrote in message
news:40c86d93$0$15833$39cecf19@news.twtelecom.net...
> You shouldn't even bother. Build another server. Take this one offline,
> put it into a segregated test lab, and learn what was done to compromise
> your security.

If it's like the vast majority of other cases of "tagging", as it's known,
nothing was done to compromise his security, except allowing anonymous users
the ability to upload and download.

If you're sufficiently interested to see it happen for yourself, set up a
'sacrificial' FTP server, and you'll find that people will occasionally
connect to it as the 'anonymous' guest account, and try to create
directories and transfer files. If you let them do that, they'll come back
later and start filling your disk with all the stolen software, obscene
images and pirated movies you might want. And they do it in such a way that
it is difficult to delete the files. They'll use directory and file names
that look very much like device names to most file access commands.

But all they are doing is uploading and downloading files. They aren't
affecting system configuration in any way. They aren't usurping any
privileges that haven't already been given to them.

So, the process to use is simple:

1. Disable anonymous access to your machine while you clean it up - when you
re-enable anonymous access, make sure that the IUSR_<machinename> account is
given no write access to the directory tree that it logs into. Create a
separate account for uploading (if you really need the general public to
upload), and manually move uploaded files into a download area once you have
checked that they are appropriate.

2. Check your logs to find out who uploaded those files. Report these
incursions to the ISP responsible for those addresses. Who knows, if they
get kicked off enough systems, they may well learn that open access does not
equal permission.

3. Delete the files - apart from the suggestions in KB article 811176, you
might also try doing the simple step of using the same tool the attacker
did. Choose your favourite graphical FTP client - graphical, because you
don't want to have to try and type the file names - and navigate your own
FTP server, deleting files and folders as you go. [This will require an
account that has write privileges]

This isn't a typical "I've been hacked" incursion - no attacker code has
been run (at least, not from the description given), no security settings
have been altered by the attacker. They're just taking advantage of the
fact that some / most file system tools refuse to work on certain file
names.

While I would agree in the case of a virus or worm attack, or some other
exploit that allows execution of attacker code, a reformat or thorough
forensic investigation might be warranted, this is just a case of uploads
being carried out using names that are difficult to replicate in a "del"
command. As such, deleting all files that were uploaded will remove all
unnecessary elements of _this_ attack. [I underline "this", because I have
no way of knowing whether other attacks have happened against this system.]

A quick look at www.securityfocus.com, to pick a random vulnerability
database, suggests that you'd have to go back to 1999, to IIS 3, to find a
case of code execution through the IIS FTP server.

Alun.
~~~~
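The clean-up steps 2 and 3 above (find out from the logs who uploaded what, then remove the device-named files) can be scripted. The following is an added example for this archive page; it is not code from the original post, from the poster, or from Microsoft. It assumes the IIS FTP log is in W3C extended format with a `#Fields:` header, that an upload is logged with a `cs-method` ending in `created` and a download with one ending in `sent`, and that spaces in names are written as `+`; the sample log lines, client addresses and paths are all constructed. The deletion helper relies on the Win32 `\\?\` extended-length path prefix, which makes the file API skip device-name parsing, so it only does anything on Windows.

```python
"""Triage helper for an anonymous-FTP "tagging" clean-up (added example).

Assumptions: IIS FTP W3C log with a "#Fields:" header; an upload is logged
as a cs-method ending in "created", a download as one ending in "sent";
'+' in cs-uri-stem stands for a space. SAMPLE_LOG is constructed.
"""
import os
from collections import defaultdict

# Win32 treats these stems as devices whatever the extension, so a file
# called "con.txt" or a folder called "aux" defeats "del" and most tools.
_DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                 | {f"COM{i}" for i in range(1, 10)}
                 | {f"LPT{i}" for i in range(1, 10)})

# The literal prefix \\?\ tells the Win32 file API to skip device-name
# parsing; it must be followed by an absolute path.
_EXT_PREFIX = "\\\\?\\"

# Constructed sample log: one client uploads under a folder named " tagged "
# (note the spaces), another drops lpt1.zip, a third only downloads.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-06-09 02:13:05 192.0.2.44 anonymous [7]USER anonymous 331
2004-06-09 02:13:05 192.0.2.44 anonymous [7]PASS - 230
2004-06-09 02:13:09 192.0.2.44 anonymous [7]created /incoming/+tagged+/con.txt 226
2004-06-09 02:13:30 192.0.2.44 anonymous [7]created /incoming/+tagged+/aux/movie.avi 226
2004-06-09 03:01:11 198.51.100.7 anonymous [8]sent /pub/readme.txt 226
2004-06-09 03:05:40 203.0.113.9 anonymous [9]created /incoming/lpt1.zip 226
"""


def is_device_name(component: str) -> bool:
    """True if a single path component would be parsed as a Win32 device name."""
    stem = component.split(".", 1)[0].strip()
    return stem.upper() in _DEVICE_NAMES


def extended_path(abs_path: str) -> str:
    """Return the extended-length form of an absolute local or UNC path."""
    if abs_path.startswith(_EXT_PREFIX):
        return abs_path
    if abs_path.startswith("\\\\"):            # UNC: \\server\share\dir
        return _EXT_PREFIX + "UNC\\" + abs_path[2:]
    return _EXT_PREFIX + abs_path


def remove_tagged_entry(abs_path: str) -> None:
    """Delete a device-named file or empty folder via the extended-length
    prefix. Only meaningful on Windows, where the prefix reaches Win32."""
    if os.name != "nt":
        raise OSError("the \\\\?\\ prefix only applies to Windows paths")
    target = extended_path(abs_path)
    (os.rmdir if os.path.isdir(target) else os.remove)(target)


def parse_ftp_log(lines):
    """Yield one dict per data line, keyed by the #Fields: header."""
    fields = ["date", "time", "c-ip", "cs-username", "cs-method",
              "cs-uri-stem", "sc-status"]              # default if no header
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split(" ")
        if len(parts) < len(fields):
            continue                              # truncated line, skip it
        yield dict(zip(fields, parts))


def find_uploads(lines):
    """Map each client IP to the paths it uploaded, and list the uploaded
    paths containing a device-name component (the hard-to-delete ones)."""
    uploads_by_ip = defaultdict(list)
    suspicious = []
    for rec in parse_ftp_log(lines):
        if not rec["cs-method"].endswith("created"):   # "[n]created" == upload
            continue
        path = rec["cs-uri-stem"].replace("+", " ")
        uploads_by_ip[rec["c-ip"]].append(path)
        if any(is_device_name(p) for p in path.split("/") if p):
            suspicious.append(path)
    return dict(uploads_by_ip), suspicious


if __name__ == "__main__":
    by_ip, bad = find_uploads(SAMPLE_LOG.splitlines())
    for ip, paths in sorted(by_ip.items()):     # step 2: addresses to report
        print(f"{ip}: {len(paths)} upload(s)")
    for p in bad:                                # step 3: entries needing \\?\
        print("device-named upload:", p)
```

Run against a real log directory by feeding `open(logfile)` to `find_uploads` instead of `SAMPLE_LOG.splitlines()`; `remove_tagged_entry` expects the absolute NTFS path of each flagged entry (for example the FTP root joined with the logged URI) and, like the graphical-client approach in the post, needs an account with write access to the tree.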
