Re: hacked and used for ftp site

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 12/15/02


From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Sun, 15 Dec 2002 09:44:43 -0500


Well, you've got the knowledge to tell me, using the URLs I gave. If the
only FTP server found is IIS FTP on TCP port 21, you left that running
yourself, and the files were within your IIS FTP root, then my guess is the
hack probably did not involve remote execution of code. [However, it's a
good guess that you may have had other vulnerabilities that permit remotely
running code, and this doesn't prove or disprove whether you were hacked
using remote code execution at some other time in the past.]

If you find Serv-U or any other FTP server or trojan running on any other
port, then a hacker probably remotely ran code on your computer. Normally
all they seem to do is just install the FTP server, but again there's no way
to know for sure.

"carlomd" <carlomd@netscape.net> wrote in message
news:00dc01c2a3a7$f30fa570$d4f82ecf@TK2MSFTNGXA11...
> Thanks, I managed to delete all the folders, but I'm just
> concerned about it happening again. I didn't want to
> reformat and reinstall. Did you think those kinds of hacks
> are through IIS holes or possibly terminal server, or
> some other way? Thanks again for replying
>
> >-----Original Message-----
> >Cool!
> >
> >Specifically, try:
> >
> >http://securityadmin.info/faq.htm#ftpfolder
> >
> >This should help you delete the folder. To try to find the FTP software and
> >the method of intrusion, check out:
> >
> >http://securityadmin.info/faq.htm#hacked
> >http://securityadmin.info/faq.htm#iislogs2
> >http://securityadmin.info/faq.htm#iislogs
> >[for example, while MBSA is very helpful, running Vision from
> >www.foundstone.com/knowledge will tell you which ports are open and which
> >programs are keeping them open]
> >
> >Then, after you know how the hack occurred, check out the following to
> >re-secure your computer.
> >
> >http://securityadmin.info/faq.htm#re-secure
> >http://securityadmin.info/faq.htm#harden
> >http://securityadmin.info/faq.htm#firewall
> >http://securityadmin.info/resource.asp?category=IIS
> >[start with http://www.microsoft.com/technet/security , including
> >IISLockdown which includes URLScan which helps harden IIS. Also consider
> >the free file change checker at www.gfi.com]
> >
> >If IIS FTP is installed and was used on your computer, you might have just
> >been "hacked" by leaving the anonymous FTP user with both read and write
> >permission to an FTP folder. This is not so bad and might not require
> >formatting. However, if the hackers installed their own FTP software like
> >Serv-U or were otherwise able to remotely run code on your computer, that is
> >disturbing. In either case, you can certainly choose to try to secure the
> >computer as best you can, but without formatting the computer, you can't be
> >100% sure that you've caught all the back doors that could permit easy
> >re-entry to your computer, sniff passwords and email them to a hacker, etc.
> >The choice is entirely up to you and your need for security.
> >
> >I would also suggest that because this computer was not fully secured, even
> >if the attack here was "just" a problem with loose anonymous FTP permissions
> >and not remote command execution, it is certainly possible, even likely, that
> >there were other vulnerabilities on the server which might have caused your
> >server to be hacked anytime this year without being noticed.
> >
> >
> >"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
> >news:#kbwmE3oCHA.2000@TK2MSFTNGP12...
> >> Try Karl's FAQ at
> >>
> >> http://securityadmin.info - plenty of information for starters :)
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP, MCSE
> >> -= F1 is the key =-
> >>
> >> "carlomd" <carlomd@netscape.net> wrote in message
> >> news:00a401c2a2d7$0ffb9710$d5f82ecf@TK2MSFTNGXA12...
> >> > Hi all, one of our dc's got hacked (looks like through
> >> > IIS). It's got a bunch of divx files. I've looked at the
> >> > web for some info, and most advice I saw was to reformat
> >> > the server & start clean. I'm trying to avoid this (since
> >> > it's a pain in the ***). Is there any other way to
> >> > tighten IIS and 2K without having to reformat? I went &
> >> > downloaded MBSA but it doesn't show me what open ports I
> >> > have. Thanks in advance
> >>
> >>
> >
> >
> >---
> >Outgoing mail is certified Virus Free.
> >Checked by AVG anti-virus system (http://www.grisoft.com).
> >Version: 6.0.423 / Virus Database: 238 - Release Date: 11/25/2002

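As an added example (not from anyone in the thread): a small Python triage script for the IIS FTP logs Karl points to, which reads W3C extended format records using the `#Fields:` header and lists the files the anonymous user created, grouped by client address. The log layout and every value in the sample are constructed for illustration, and using `created` as the method name for uploads is an assumption.

```python
"""Triage an IIS FTP log (W3C extended format) for anonymous uploads.

Added example, not part of the newsgroup thread. Assumes a '#Fields:'
header names the columns and that uploads are logged with a 'created'
method (an assumption about the IIS FTP log). The sample is constructed.
"""
from collections import defaultdict

# Constructed sample in the W3C extended layout; addresses and paths are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-01 03:12:09
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
03:12:09 192.0.2.10 anonymous [1]USER anonymous 331
03:12:09 192.0.2.10 anonymous [1]PASS IEUser@ 230
03:12:15 192.0.2.10 anonymous [1]created /pub/incoming/movie1.avi 226
03:14:40 192.0.2.10 anonymous [1]created /pub/incoming/movie2.avi 226
03:20:02 198.51.100.7 anonymous [2]USER anonymous 331
03:20:02 198.51.100.7 anonymous [2]PASS guest@ 230
03:20:30 198.51.100.7 anonymous [2]sent /pub/incoming/movie1.avi 226
03:30:00 203.0.113.5 admin [3]created /pub/readme.txt 226
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                       # other directives: Software, Version, Date
        if fields is None:
            raise ValueError("record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def anonymous_writes(text):
    """Return {client_ip: [paths]} for files the anonymous user created."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        method = rec["cs-method"].split("]", 1)[-1].lower()   # drop the "[n]" connection id
        if rec["cs-username"].lower() == "anonymous" and method == "created":
            hits[rec["c-ip"]].append(rec["cs-uri-stem"])
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in anonymous_writes(SAMPLE_LOG).items():
        print(ip, paths)
```

Run it against a real log by passing the file's contents instead of `SAMPLE_LOG`; a non-empty result means the anonymous account was allowed to write, which matches the loose-permission scenario Karl describes.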