Re: W2k Server going crazy!!! Nic saturating my entire network!

From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com>
Date: Sun, 16 Feb 2003 08:07:38 -0500


I agree... on the one hand, if the "compromise" was just done because the
anonymous FTP user had both read and write permission to a given folder,
then that isn't necessarily always worthy of formatting and reinstalling...
however, that is definitely the safe thing to do, especially since a
computer with a big hole like this probably has other holes as well.

Before you format, you really should investigate to see how the compromise
happened so you can prevent it from happening again and see if other
computers were also compromised. Formatting and reinstalling doesn't help
you if you make the same mistake in the next install.

See here for things you should consider doing:

http://securityadmin.info/faq.htm#hacked [how to look for signs that you've
been seriously hacked, and how it happened]
http://securityadmin.info/faq.htm#ftpfolder [more info on this particular
type of FTP attack]
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden [how to harden your computer]

"Mike" <mjl000@hotmail.com.nospam> wrote in message
news:Zfq3a.413$bM.201@newssvr16.news.prodigy.com...
> Interesting development.
>
> Your system has obviously been compromised. Disconnect the NIC's physical
> connection to the switches for this server from the network and isolate the
> problem - systematically approach the problem with logical steps.
>
> Set up a temporary packet filter for FTP on your external address/WAN side NIC -
> this will block all incoming packets for FTP or alternately only allow the ports
> you know that are needed for appropriate public access to your server.
>
> Try looking at symbolic links and partitions mounted to a directory and
> non-standard permissions on such.
>
> There was possibly a registry change which may prevent you from
> changing/deleting the suspected resources.
>
> Run appropriate scanners for viruses/trojans/worms/embedded scripts.
>
> Check the Microsoft knowledgebase, security page and the Technet security page.
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
> http://www.microsoft.com/security/
> http://support.microsoft.com/default.aspx?scid=fh;EN-US;KBHOWTO
>
>
> "Dan Laue" <dan@onestopcollect.com> wrote in message
> news:073801c2d477$d569c270$a001280a@phx.gbl...
> I found the problem: the network is exploited. They are
> gaining access through FTP and using our server to share all
> kinds of files. Found Steven Seagal movies dubbed in another
> language and all kinds of other content, but when I try to
> delete the files it tells me the path is unreachable and
> crashes the Explorer window. Microsoft, we need help?
>
> Anyone with questions please call me at 909-349-0311 ext
> 357
>
> >-----Original Message-----
> >When I turn this server on, 2-12 hours later, it starts this nic stuff that
> >kills my entire network!
> >I mean it saturates my lan 100% constantly with multicast or broadcast or
> >whatever.
> >
> >I have switches, so the symptom is that all activity lights come on on all
> >used ports, like a multicast or broadcast.
> >
> >I've changed nics, to no avail. I've reinstalled the nic drivers. Tried
> >reinstalling the tcp/network layers all with no results.
> >
> >I am seriously looking at infection/virus, although none are reported by
> >NetShield.
> >
> >Anyone have a clue as to what to even look at?

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.449 / Virus Database: 251 - Release Date: 1/27/2003
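Karl's reply points at the IIS FTP logs as the place to work out how the compromise happened, and Mike's post and Dan's description together sketch the pattern: an anonymous account with write access uploads files, and other anonymous clients then download them. The script below is an added example, not code from anyone in this thread, that performs that check over a log in W3C extended format. The log lines are constructed; the column layout and the bracketed connection number in front of the method name (`[3]created`) are modelled on IIS FTP logging and are an assumption, as is the set of method names treated as writes.

```python
"""Scan a W3C extended FTP log for anonymous uploads and relayed files.

Added example, not part of the original thread. The sample log below is
constructed; the field layout and "[n]method" convention are assumed to
match IIS FTP logging and should be checked against a real log first.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-15 02:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-02-15 02:00:01 198.51.100.7 - [1]USER anonymous 331
2003-02-15 02:00:01 198.51.100.7 anonymous [1]PASS guest@ 230
2003-02-15 02:00:03 198.51.100.7 anonymous [1]created /pub/incoming/a.rar 226
2003-02-15 02:00:09 198.51.100.7 anonymous [1]created /pub/incoming/b.rar 226
2003-02-15 02:01:10 198.51.100.7 anonymous [1]created /pub/incoming/c.rar 226
2003-02-15 02:05:44 203.0.113.9 - [2]USER anonymous 331
2003-02-15 02:05:44 203.0.113.9 anonymous [2]PASS mozilla@ 230
2003-02-15 02:05:50 203.0.113.9 anonymous [2]sent /pub/incoming/a.rar 226
2003-02-15 03:12:00 10.0.0.42 - [3]USER dan 331
2003-02-15 03:12:00 10.0.0.42 dan [3]PASS - 230
2003-02-15 03:12:07 10.0.0.42 dan [3]created /reports/q1.xls 226
"""

# Assumed method names that create or modify server-side content
# ("created" is the IIS-style verb, the rest are raw FTP commands).
WRITE_METHODS = {"created", "STOR", "STOU", "APPE", "MKD", "RNTO"}
READ_METHODS = {"sent", "RETR"}
CONN_PREFIX = re.compile(r"^\[\d+\]")


def parse_w3c(text):
    """Turn W3C extended log text into a list of dict records.

    The #Fields directive names the columns; other directive lines are
    skipped and malformed data lines are dropped rather than guessed at.
    """
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        # drop the connection number, e.g. "[3]created" -> "created"
        rec["cs-method"] = CONN_PREFIX.sub("", rec["cs-method"])
        records.append(rec)
    return records


def anonymous_writes(records):
    """Map client IP -> paths written (2xx status) while logged in as anonymous."""
    hits = defaultdict(list)
    for r in records:
        if (r["cs-username"].lower() == "anonymous"
                and r["cs-method"] in WRITE_METHODS
                and r["sc-status"].startswith("2")):
            hits[r["c-ip"]].append(r["cs-uri-stem"])
    return dict(hits)


def relayed_files(records):
    """Files uploaded by one client and later downloaded by a different one.

    This is the 'server used as a drop site' pattern: the uploader and the
    downloaders are different hosts. Assumes the log is in time order.
    """
    uploader = {}
    downloaders = defaultdict(list)
    for r in records:
        path = r["cs-uri-stem"]
        if r["cs-method"] in WRITE_METHODS:
            uploader.setdefault(path, r["c-ip"])
        elif (r["cs-method"] in READ_METHODS and path in uploader
              and r["c-ip"] != uploader[path]):
            downloaders[path].append(r["c-ip"])
    return {p: {"uploader": uploader[p], "downloaders": ips}
            for p, ips in downloaders.items()}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, paths in anonymous_writes(recs).items():
        print(f"anonymous wrote {len(paths)} file(s) from {ip}: {paths}")
    for path, info in relayed_files(recs).items():
        print(f"{path} uploaded by {info['uploader']}, "
              f"fetched by {info['downloaders']}")
```

Any hit from `anonymous_writes` on a server that is not meant to accept anonymous uploads is the permission problem Karl describes; `relayed_files` tells you whether the content has already been handed on, which matters when deciding how far the clean-up has to reach. Run it against the real log files before the disk is wiped, since reinstalling discards the evidence of how the box was found.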

