Re: FTP Hacked - How does this happen?
From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: Fri, 02 Jul 2004 20:35:58 GMT
On Fri, 2 Jul 2004 12:21:01 -0700, Milton F. Lopez <Milton F.
>My fully patched, firewall-enabled, VirusScan-and-PestPatrol running Windows 2003 was tagged twice this week. The tagger's directories were owned by the IUSR_ account, which has not write access to the ftproot folder.
>I found this link to a disturbing report about IIS6/ASP holes:
>I am no forensics expert, and have limited resources to explore this - in other words, the server is still running (so far the tagger hasn't come back).
>Any specific suggestion on what to look for would be much appreciated.
Well, if you have had the remote admin site on and the password has
changed, maybe the above would apply. More likely it's a simple case
of allowing anonymous access to write files, or a guessed password for
an account that can.