Re: FTP Hacked - How does this happen?

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/02/04

    Date: Fri, 02 Jul 2004 20:35:58 GMT
    
    

    On Fri, 2 Jul 2004 12:21:01 -0700, Milton F. Lopez <Milton F.
    Lopez@discussions.microsoft.com> wrote:

    >My fully patched, firewall-enabled, VirusScan-and-PestPatrol running Windows 2003 was tagged twice this week. The tagger's directories were owned by the IUSR_ account, which does not have write access to the ftproot folder.
    >I found this link to a disturbing report about IIS6/ASP holes:
    >http://xforce.iss.net/xforce/xfdb/12687
    >I am no forensics expert, and have limited resources to explore this - in other words, the server is still running (so far the tagger hasn't come back).
    >Any specific suggestion on what to look for would be much appreciated.

    Well, if you have had the remote admin site on and the password has
    changed, maybe the above would apply. More likely it's a simple case
    of allowing anonymous access to write files, or a guessed password for
    an account that can.

    Jeff
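
One way to check the FTP logs for the two causes suggested in the reply above, anonymous write access and a guessed password (an added example, not part of the original thread or either poster's code). The log lines are constructed, and the field order `time c-ip cs-method cs-uri-stem sc-status` with a `[session]` prefix on the method is an assumption about the server's W3C log settings; `analyze`, `ANON` and `WRITE_OPS` are hypothetical names.

```python
import re
from collections import defaultdict
# Constructed sample in the style of an IIS FTP W3C log (addresses are
# documentation ranges). Assumed fields: time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:10:01 203.0.113.7 [5]USER anonymous 331
03:10:02 203.0.113.7 [5]PASS guest@example.invalid 230
03:10:05 203.0.113.7 [5]MKD tagged_dir 257
03:10:09 203.0.113.7 [5]created tagged_dir/file.bin 226
03:12:00 192.0.2.44 [6]USER anonymous 331
03:12:01 192.0.2.44 [6]PASS guest@example.invalid 230
03:12:03 192.0.2.44 [6]MKD incoming 550
04:00:01 198.51.100.9 [7]USER backup 331
04:00:02 198.51.100.9 [7]PASS - 530
04:00:03 198.51.100.9 [7]USER backup 331
04:00:04 198.51.100.9 [7]PASS - 530
04:00:05 198.51.100.9 [7]USER backup 331
04:00:06 198.51.100.9 [7]PASS - 530
04:00:07 198.51.100.9 [7]USER backup 331
04:00:08 198.51.100.9 [7]PASS - 230
"""

ANON = {"anonymous", "ftp"}
WRITE_OPS = {"MKD", "STOR", "created", "RMD", "DELE"}
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (\S+) (\d{3})$")

def analyze(log_text, guess_threshold=3):
    user = {}                    # (ip, session) -> last USER value seen
    authed, broke_in = set(), set()
    anon_writes, failures = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue             # header or malformed line
        time, ip, sid, op, arg, status = m.groups()
        key = (ip, sid)
        if op == "USER":
            user[key] = arg.lower(); authed.discard(key)
        elif op == "PASS":
            who = (ip, user.get(key, "?"))
            if status == "230":              # login accepted
                authed.add(key)
                if failures[who]: broke_in.add(who)
            elif status == "530":            # login rejected
                failures[who] += 1
        elif op in WRITE_OPS and status[0] == "2" and key in authed and user.get(key) in ANON:
            anon_writes.append((time, ip, op, arg))   # anonymous write succeeded
    guessed = {w: (n, w in broke_in) for w, n in failures.items() if n >= guess_threshold}
    return anon_writes, guessed
```

Anonymous FTP sessions run as the IUSR_ account, so a hit in the first result matches the ownership described in the question; the second result maps each (address, account) pair to its failed-login count and whether a login later succeeded.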

