Re: FTP Hacked - How does this happen?

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/02/04

    Date: Fri, 02 Jul 2004 20:35:58 GMT
    
    

    On Fri, 2 Jul 2004 12:21:01 -0700, Milton F. Lopez <Milton F.
    Lopez@discussions.microsoft.com> wrote:

    >My fully patched, firewall-enabled, VirusScan-and-PestPatrol running Windows 2003 was tagged twice this week. The tagger's directories were owned by the IUSR_ account, which has no write access to the ftproot folder.
    >I found this link to a disturbing report about IIS6/ASP holes:
    >http://xforce.iss.net/xforce/xfdb/12687
    >I am no forensics expert, and have limited resources to explore this - in other words, the server is still running (so far the tagger hasn't come back).
    >Any specific suggestion on what to look for would be much appreciated.

    Well, if you have had the remote admin site on and the password has
    changed, maybe the above would apply. More likely it's a simple case
    of allowing anonymous access to write files, or a guessed password for
    an account that can.

    Jeff
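
The two causes named in the reply above (anonymous write access, or a guessed password for an account that can write) can both be checked in the FTP service log. The following is an added example, not part of the original message: it assumes a W3C-format log with the field order `time c-ip cs-method cs-uri-stem sc-status`, and the log lines, addresses and the `review` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; the field order is an assumption, see the lead-in.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
12:00:01 192.0.2.10 [1]USER anonymous 331
12:00:01 192.0.2.10 [1]PASS guest@example.invalid 230
12:00:05 192.0.2.10 [1]MKD tagged 257
12:00:09 192.0.2.10 [1]created /tagged/file.bin 226
12:01:01 198.51.100.7 [2]USER backup 331
12:01:02 198.51.100.7 [2]PASS - 530
12:01:03 198.51.100.7 [3]USER backup 331
12:01:04 198.51.100.7 [3]PASS - 530
12:01:06 198.51.100.7 [4]USER backup 331
12:01:07 198.51.100.7 [4]PASS - 230
12:01:20 198.51.100.7 [4]created /upload.bin 226
"""

LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (\S+) (\d{3})")
WRITE_VERBS = {"created", "MKD", "STOR", "APPE"}  # commands that add content
ANON = {"anonymous", "ftp"}

def review(log_text, fail_threshold=2):
    """Return (reason, time, client_ip, target) for each suspicious write."""
    user = {}                    # (ip, session id) -> user name from USER
    failures = defaultdict(int)  # (ip, user name) -> rejected PASS count
    guessed = set()              # sessions that logged in after failures
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue             # header or unparsable line
        time, ip, sid, verb, arg, status = m.groups()
        key = (ip, sid)
        name = user.get(key, "?")
        if verb == "USER":
            user[key] = arg.lower()
        elif verb == "PASS" and status == "530":
            failures[(ip, name)] += 1
        elif verb == "PASS" and status == "230":
            if failures[(ip, name)] >= fail_threshold:
                guessed.add(key)
        elif verb in WRITE_VERBS and status.startswith("2"):
            if name in ANON:
                findings.append(("anonymous-write", time, ip, arg))
            elif key in guessed:
                findings.append(("write-after-failed-logins", time, ip, arg))
    return findings
```

Calling `review(SAMPLE_LOG)` flags the two anonymous writes and the upload that follows repeated rejected logins for the same account.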
