RE: Server Hacked - Assessment and Prevention

From: john d (johnd_at_discussions.microsoft.com)
Date: 05/18/05


Date: Wed, 18 May 2005 09:50:54 -0700

This machine was/is 100% patched.

Also, the ftp.scr script simply contained the following line:
get wget.exe

Also, on the one machine, although FTP is enabled, Allow Anonymous is not.
The other machine does not have FTP running at all.

Reformatting is not an option right now.

I've looked for the following:
- Any weird programs installed - none
- Any new directories - none
- Any weird user accounts - none
- Any weird ports connected - none

I have also since changed the local administrator password.

My assumption is that the system account was compromised. If it was, how
can I prevent someone from regaining access using this account?


