IIS FTP Server - My FTP server has been hacked







Junkyard Engineer

2004-11-15, 5:52 pm

I was checking my bandwidth monitor and heavy activity was showing. After
playing with my ZoneAlarm Pro program and firewall settings, I found out
that files were being uploaded to my FTP sites, more than 10GB of them. Files like
Joey???.rar and so on.

Anyway, I tried to stop the FTP site through MMC and only got IIS to hang. I
finally uninstalled the FTP site altogether.

So now, network activity seems to be under control (after 30 minutes). What do
I do now?

I can tell you that within Windows Explorer, if I go into
Inetpub/ftproot/upload, there are a lot of files with no names, with com1-4,
lpt1-4 and a directory structure up to 6 levels deep. I can't delete them. I get
an error saying that file name XXX doesn't exist. My account is
administrator. WinXP Pro, IIS 5.1

tia


Junkyard Engineer

2004-11-16, 7:47 am

OK, I've been "tagged".

First, I've been running NAV 2004 and found 4 viruses within the files in
those directories. Removed everything.

Second, I found this KB article http://support.microsoft.com/?id=811176
which is of no help at all because I have something like 3000 folders (no
kidding) down to 6 or 7 levels deep. The problem is that most of the directories use
reserved Windows words or hard-coded names using ASCII codes. In either case,
you can't delete them via Windows or via cmd with rmdir. So forget it.

One other solution I saw is to use an FTP browser like CuteFTP and browse
the directory structure and delete each folder. Same problem as above.

The last solution, which worked, is to use the Delete FXP program
http://www.jrtwine.com/Products/DelFXPFiles/ The free version can delete
directories one at a time. But at least if you only have a few, you can do
it without paying. With 3000 directories, I decided to pay the $40 and it
did the job in less than 1 minute. Everything was out, deleted and
completed.

Now, I'm preparing to reinstall my FTP server without anonymous access
this time.






Bernard

2004-11-17, 2:47 am

Argggh, $40.. why not just format that partition?
Or even rebuild the machine, as it is cleaner and makes sure no backdoor was
installed.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/






Junkyard Engineer

2004-11-17, 7:48 am

Reformatting!? A bit harsh for now. The best tool to see if you are infected is
a bandwidth monitor. That's how I spotted the problem. A good Trend Micro
scan + NAV scan is not too bad either. For my IIS, I use SecureIIS, and MBSA
gives me the green light. ZoneAlarm Pro finally does the trick.

And yes, if I should see any bandwidth activity, that would be my last
choice.

btw, does anybody know of a bandwidth monitor that shows not only the in/out
activity but which process uses it, and maybe a usage history?






Bernard

2004-11-17, 8:46 pm

You can analyze the FTP log file for the content accessed and related
details.
Do a search on 'log parser' at the Microsoft site, then use it to parse the log
file.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/



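The log analysis Bernard suggests, as an added example that is not part of the thread and is not Microsoft's Log Parser: a small Python script that walks an IIS FTP log in W3C extended format, totals completed uploads per client and user, and flags the path components that carry Win32 reserved device names (the "tagging" signature described in the thread). It assumes the IIS FTP convention of writing the session number and verb into cs-method (e.g. "[1]created" for an upload, "[1]sent" for a download) and that cs-bytes counts bytes received from the client. The log lines, addresses and file names below are constructed for illustration.

```python
"""Triage an IIS FTP log (W3C extended format) for bulk uploads and for
directories named after Win32 reserved devices.  Added example, a stand-in
for the Log Parser queries suggested in the thread; not code from the
thread or from Microsoft.  The log text below is constructed."""
import re
from collections import defaultdict

# Win32 reserved device names.  A directory or file whose stem (the part
# before the first '.') is one of these cannot be removed by ordinary tools.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})

# IIS FTP writes the session number and verb into cs-method, e.g. "[3]created".
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2004-11-15 17:10:02
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs-bytes
2004-11-15 17:10:02 203.0.113.7 - [1]USER anonymous 331 0
2004-11-15 17:10:02 203.0.113.7 anonymous [1]PASS - 230 0
2004-11-15 17:10:09 203.0.113.7 anonymous [1]created /upload/com1/lpt1/Joey001.rar 226 15728640
2004-11-15 17:11:40 203.0.113.7 anonymous [1]created /upload/com1/lpt1/Joey002.rar 226 15728640
2004-11-15 17:15:00 198.51.100.9 anonymous [2]created /upload/com1/lpt1/Joey003.rar 226 15728640
2004-11-15 17:16:12 198.51.100.9 anonymous [2]created /upload/com1/lpt1/Joey004.rar 426 4096
2004-11-15 17:20:31 192.0.2.44 - [3]USER anonymous 331 0
2004-11-15 17:20:31 192.0.2.44 anonymous [3]PASS - 230 0
2004-11-15 17:20:33 192.0.2.44 anonymous [3]sent /pub/readme.txt 226 0
2004-11-15 17:20:34 192.0.2.44 anonymous [3]QUIT - 226 0
"""


def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields: header.
    A log may contain several #Fields: headers (one per service restart)."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled row: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def split_method(cs_method):
    """'[3]created' -> (3, 'created'); values without a session id pass through."""
    m = METHOD_RE.match(cs_method)
    return (int(m.group(1)), m.group(2)) if m else (None, cs_method)


def is_reserved(component):
    """Reserved names match on the stem before the first dot, case-insensitively,
    so 'com1', 'COM1.txt' and 'Lpt1.rar' are all reserved; 'comms' is not."""
    return component.split(".", 1)[0].upper() in RESERVED


def reserved_dirs(path):
    """Every ancestor directory of `path` whose name is a reserved device name."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[: i + 1])
            for i, part in enumerate(parts[:-1]) if is_reserved(part)]


def triage(log_text):
    """Completed uploads per (client IP, user) plus every reserved-name path seen."""
    uploads = defaultdict(lambda: {"files": 0, "bytes": 0})
    reserved = set()
    for r in parse_w3c(log_text):
        _, verb = split_method(r["cs-method"])
        if verb != "created" or not r["sc-status"].startswith("2"):
            continue  # only uploads that completed (2xx); 426 = aborted transfer
        key = (r["c-ip"], r["cs-username"])
        uploads[key]["files"] += 1
        uploads[key]["bytes"] += int(r["cs-bytes"])
        reserved.update(reserved_dirs(r["cs-uri-stem"]))
        if is_reserved(r["cs-uri-stem"].rsplit("/", 1)[-1]):
            reserved.add(r["cs-uri-stem"])
    return {"uploads": dict(uploads), "reserved_paths": sorted(reserved)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (ip, user), stats in sorted(report["uploads"].items()):
        print("%-15s %-10s %d files %d bytes" % (ip, user, stats["files"], stats["bytes"]))
    print("reserved-name paths:", report["reserved_paths"])
```

On a real server, feed the script the files under the FTP site's log directory instead of SAMPLE_LOG; the per-client byte totals show who filled the disk, and the reserved-name list is the set of directories that plain "rd" will refuse to touch.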



Joffeman

2004-12-07, 5:52 pm

Nice, I'll try that free copy of Delete FXP! I had the same problem when I'd
had my upload directory open for too long, so now I have a small number of
COMXs and LPTXs, but I managed to empty them with some obscure open-source
DOS-style tool, a 2-letter acronym, and I can't remember it now. But it
couldn't delete COM ports and such, so I just put those empty directories in
a far-away sub-dir.


Junkyard Engineer

2004-12-07, 5:52 pm

In my case, I had so many of them I calculated that it would take me 26
hours to get rid of them with the free version of DelFXP. So I told myself I
had better things to do and bought FXP. In fact I suspect I saved a lot more
than that, especially at the rate of a good psychiatrist these days.




Alun Jones [MSFT]

2004-12-07, 5:52 pm




Another thing to try is the information in
http://support.microsoft.com/?id=811176 - "You cannot remove suspicious
folders from the FTP file structure". One suggestion that is not listed
there is to use a good graphical FTP client, and simply log on and delete
the files that way. If they got on there by FTP, they should be removable
by FTP.

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.


Junkyard Engineer

2004-12-07, 5:52 pm

I'm not sure it will work:
1) because they implement a recursive directory structure
2) the directory naming mainly uses reserved Windows words, which are protected
from being deleted
3) I've not used it, but even then, directories would have to be removed one by one
with this method, which would take several light-days to perform if you've
been tagged hard ;(





Alun Jones [MSFT]

2004-12-07, 5:52 pm

"Junkyard Engineer" <jackeric@engineer.com> wrote in message
news:u65nSMK3EHA.2540@TK2MSFTNGP09.phx.gbl...
> I'm not sure it will work:
> 1) because they implement a recursive directory structure


If it's infinitely recursive, then you have a problem more severe than mere
FTP tagging. A several-level-deep hierarchy is nothing to the "RMDIR /s"
command mentioned in the KB.

> 2) the directory naming mainly uses reserved Windows words, which are protected
> from being deleted


Yes, that's the point of the article - it points you to commands that don't
care about those reserved words.

> 3) I've not used it, but even then, directories would have to be removed one by
> one with this method, which would take several light-days to perform if
> you've been tagged hard ;(


No, you can do the whole tree in one command. I'm fond of using "RD /S
/Q" - RD is short for RMDIR. The "/Q" is a dangerous option, because it
doesn't ask you if you really want the directories and their contents gone.
Use it only if you are sure that you have not made any typing mistakes.

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.
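Alun's point is that the KB's commands bypass the reserved-name rule and that "/Q" removes the safety net, so the thing to get right is the path you hand over. The following is an added example, not code from the thread, from Microsoft's KB article or from any of the posters. It assumes the documented Win32 behaviour that a path given with the "\\?\" extended-length prefix is passed to the filesystem verbatim, skipping the parsing that turns "com1" into a device name, and it wraps the recursive delete in a containment check so a typo cannot point it at the wrong tree. The paths are constructed; the removal itself only runs on Windows, the dry run works anywhere.

```python
"""Remove a tagged FTP upload tree whose directories carry Win32 reserved
device names (COM1, LPT1, ...).  Added example; not code from the thread or
from Microsoft's KB article.  Relies on the Win32 rule that a "\\?\"-prefixed
path is handed to the filesystem verbatim, so the reserved-name substitution
that makes a plain "rd" fail is skipped.  Paths below are constructed."""
import ntpath
import os
import shutil

EXT_PREFIX = "\\\\?\\"           # the literal characters  \\?\
EXT_UNC_PREFIX = "\\\\?\\UNC\\"  # UNC shares become  \\?\UNC\server\share\...


def extended_path(path):
    """Absolute, normalised path in extended-length form.

    normpath() runs first because the prefixed form gets no '..' expansion
    from the OS; a stray '..' would otherwise reach the kernel literally."""
    p = ntpath.normpath(path)
    if p.startswith(EXT_PREFIX):
        return p
    if p.startswith("\\\\"):                      # UNC path
        return EXT_UNC_PREFIX + p[2:]
    drive, tail = ntpath.splitdrive(p)
    if not drive or not tail.startswith("\\"):
        raise ValueError("need an absolute drive path, got %r" % (path,))
    return EXT_PREFIX + p


def is_safe_target(target, allowed_root):
    """Guard for the '/Q is dangerous' caveat: the target must sit strictly
    inside allowed_root and must never be a bare drive such as C:\\."""
    t = ntpath.normcase(ntpath.normpath(target))
    r = ntpath.normcase(ntpath.normpath(allowed_root))
    drive, tail = ntpath.splitdrive(t)
    if not drive or tail in ("", "\\"):
        return False
    return t != r and t.startswith(r.rstrip("\\") + "\\")


def purge_tree(target, allowed_root, dry_run=True):
    """Delete `target` recursively through its extended-length path.

    Returns the exact path that was (or would be) handed to the OS so the
    caller can log it before anything is destroyed."""
    if not is_safe_target(target, allowed_root):
        raise ValueError("refusing to remove %r: outside %r or a drive root"
                         % (target, allowed_root))
    ext = extended_path(target)
    if not dry_run:
        if os.name != "nt":
            raise OSError("extended-length paths only exist on Windows")
        shutil.rmtree(ext)  # Python's os functions accept the \\?\ form on Windows
    return ext


if __name__ == "__main__":
    # Constructed path, modelled on the Inetpub\ftproot\upload tree in the thread.
    print(purge_tree(r"C:\Inetpub\ftproot\upload\com1",
                     r"C:\Inetpub\ftproot\upload", dry_run=True))
```

Run it with dry_run=True first and compare the printed path against the directory listing; only then flip dry_run off. The same prefixed path can be pasted into "rd /s /q" if you prefer the command line from the KB.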


Junkyard Engineer

2004-12-07, 5:52 pm

Cool!
The experience taught me something though: don't use an anonymous account on a
personal FTP site if you can avoid it.





Alun Jones [MSFT]

2004-12-07, 5:52 pm



Use it for public downloads. Always remember that anonymous means exactly
that, and don't think that hiding a server is the same as not announcing its
presence. There are tools that spend their entire time searching random
addresses for FTP servers.

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.


jtwine

2004-12-20, 8:57 am


You could have just contacted me, I have given reduced-price, free-upgrade and even completely free registration keys before...

Either way, I am glad that you were smart enough not to use a shotgun to kill a fly by reformatting (would have been really hard if you did not have backups!), and found the product useful.

Peace!

-=- James R. Twine







Copyright 2003 - 2008 webservertalk.com