Re: hacked and used for ftp site

From: carlomd (carlomd@netscape.net)
Date: 12/14/02


From: "carlomd" <carlomd@netscape.net>
Date: Sat, 14 Dec 2002 11:35:25 -0800


Thanks, I managed to delete all the folders, but I'm just
concerned about it happening again; I didn't want to
reformat and reinstall. Do you think those kinds of hacks
are through IIS holes or possibly terminal server, or
some other way? Thanks again for replying.

>-----Original Message-----
>Cool!
>
>Specifically, try:
>
>http://securityadmin.info/faq.htm#ftpfolder
>
>This should help you delete the folder. To try to find the FTP software and
>the method of intrusion, check out:
>
>http://securityadmin.info/faq.htm#hacked
>http://securityadmin.info/faq.htm#iislogs2
>http://securityadmin.info/faq.htm#iislogs
>[for example, while MBSA is very helpful, running Vision from
>www.foundstone.com/knowledge will tell you which ports are open and which
>programs are keeping them open]
>
>Then, after you know how the hack occurred, check out the following to
>re-secure your computer.
>
>http://securityadmin.info/faq.htm#re-secure
>http://securityadmin.info/faq.htm#harden
>http://securityadmin.info/faq.htm#firewall
>http://securityadmin.info/resource.asp?category=IIS
>[start with http://www.microsoft.com/technet/security , including
>IISLockdown which includes URLScan which helps harden IIS. Also consider
>the free file change checker at www.gfi.com]
>
>If IIS FTP is installed and was used on your computer, you might have just
>been "hacked" by leaving anonymous FTP user with both read and write
>permission to an FTP folder. This is not so bad and might not require
>formatting. However, if the hackers installed their own FTP software like
>Serv-U or were otherwise able to remotely run code on your computer, that is
>disturbing. In either case, you can certainly choose to try to secure the
>computer as best you can, but without formatting the computer, you can't be
>100% sure that you've caught all the back doors that could permit easy
>re-entry to your computer, sniff passwords and email them to a hacker, etc.
>The choice is entirely up to you and your need for security.
>
>I would also suggest that because this computer was not fully secured, even
>if the attack here was "just" a problem with loose anonymous FTP permissions
>and not remote command execution, it is certainly possible, even likely that
>there were other vulnerabilities on the server which might have caused your
>server to be hacked anytime this year without being noticed.
>
>
>"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
>news:#kbwmE3oCHA.2000@TK2MSFTNGP12...
>> Try Karl's FAQ at
>>
>> http://securityadmin.info - plenty of information for starters :)
>>
>> --
>> Svyatoslav Pidgorny, MS MVP, MCSE
>> -= F1 is the key =-
>>
>> "carlomd" <carlomd@netscape.net> wrote in message
>> news:00a401c2a2d7$0ffb9710$d5f82ecf@TK2MSFTNGXA12...
>> > Hi all, one of our DCs got hacked (looks like through
>> > IIS); it's got a bunch of divx files. I've looked at the
>> > web for some info, and most of the advice I saw was to reformat
>> > the server & start clean. I'm trying to avoid this (since
>> > it's a pain in the ***). Is there any other way to
>> > tighten IIS and 2K without having to reformat? I went &
>> > downloaded MBSA but it doesn't show me what open ports I
>> > have. Thanks in advance
>>
>>
>
>
>
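
An added example, not part of the original thread or of the linked FAQ: one way to check the IIS FTP service logs for the "anonymous user with write permission" case described in the quoted reply. It assumes the logs are in W3C extended format with a `#Fields:` header and a bracketed session id prefixed to `cs-method`; the sample lines and the function name `anonymous_writes` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed W3C extended layout; not from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:12:45 192.0.2.10 [1]USER anonymous 331
03:12:46 192.0.2.10 [1]PASS guest@example.invalid 230
03:12:50 192.0.2.10 [1]MKD /pub/.tmp 257
03:13:10 192.0.2.10 [1]created /pub/.tmp/file1.avi 226
03:20:00 198.51.100.7 [2]USER webadmin 331
03:20:01 198.51.100.7 [2]PASS - 230
03:20:30 198.51.100.7 [2]created /site/index.htm 226
03:25:00 203.0.113.9 [3]USER anonymous 331
03:25:01 203.0.113.9 [3]PASS a@b 230
03:25:09 203.0.113.9 [3]sent /pub/readme.txt 226
"""

WRITE_VERBS = {"created", "mkd", "stor", "appe"}  # operations that add content

def anonymous_writes(log_text):
    """Return {client_ip: [paths]} for successful writes in anonymous sessions."""
    fields, session_user = [], {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log itself
            continue
        parts = line.split()
        # Skip directives, blanks, and rows that do not match the header
        # (for example paths containing spaces).
        if not fields or line.startswith("#") or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        m = re.match(r"\[(\d+)\](\w+)$", rec.get("cs-method", ""))
        if not m:
            continue
        key = (rec.get("c-ip"), m.group(1))  # one login per (client, session id)
        verb = m.group(2).lower()
        if verb == "user":
            session_user[key] = rec.get("cs-uri-stem", "").lower()
        elif (verb in WRITE_VERBS and rec.get("sc-status", "").startswith("2")
              and session_user.get(key) in ("anonymous", "ftp")):
            hits[rec.get("c-ip")].append(rec.get("cs-uri-stem"))
    return dict(hits)

if __name__ == "__main__":
    for ip, paths in anonymous_writes(SAMPLE_LOG).items():
        print(ip, paths)
```

No hits in the FTP service logs while unexpected files or listening ports are present points toward the other case in the reply, separately installed FTP software, which these logs would not record.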

