Re: directories that cannot delete


From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: 10/23/04


Date: Sat, 23 Oct 2004 16:39:45 -0700

While that is really good advice for someone who's been the victim of a
general hacking attack, where it is likely that the attacker has managed to
get their executable code running on the attacked system, this sounds more
like it's a case of FTP "tagging". What happens is that a malfeasant will
scan random addresses on the Internet for FTP servers. When they find one,
they log on as "anonymous" and try to upload a file. When they succeed,
they start uploading any number of files that they want to share with others
around the world, and then they publish your FTP site's location among their
acquaintances. As you can imagine, since this is a mostly effective attempt
to hide their own involvement in publishing these files, most of what is put
onto such an FTP site is illegal in some of the worst ways. Pirated movies
and software are just the start of it - I'm sure you don't need me to go
into great detail as to the sort of stuff that you (and your users) may find
on your servers as a result of this.

You can follow the instructions at http://support.microsoft.com/?id=811176
to delete these directories and files, or, since the files were created
through FTP, they can be just as easily deleted through FTP - use a
graphical FTP client, log on to the server, select the files and/or
directories, and delete them.

This is a natural consequence of having an FTP server (even a private one)
where anonymous access is enabled and "Write" access has been granted to the
anonymous user. Use NTFS permissions to prevent anonymous users from
writing to your system.

In most cases of hacking, the "FFR" - FDISK, Format, Reinstall - approach is
a good one. In this case, however, it does not appear that your system was
hacked - it appears that the unwanted files were uploaded by someone who was
using a regular protocol to do exactly what the protocol - and the
administrator's configuration of that protocol - allowed them to do.
Removing the files and tightening the protection should be sufficient, so
long as you see no other signs of intrusion. I would advise checking the
system to ensure that there are no other signs of intrusion.

Alun.
~~~~

"Dave" <noone@nowhere.com> wrote in message
news:u5QsizTuEHA.224@TK2MSFTNGP15.phx.gbl...
> unplug from the world
> preferably flatten the server and reinstall from scratch since you have no
> way to know what else they may have done at this point... but if you must
> keep it running:
> go search the knowledge base for how to delete directories with reserved
> names
> scan with every virus and malware scanner you can download
> disable anonymous ftp access, change account passwords to real strong
> passwords, make sure all your patches are up to date, read a few dozen web
> pages about securing iis and ftp servers, install a firewall, then maybe
> plug back in and watch things carefully in the future.
>
> "frank" <frank673@hotmail.com> wrote in message
> news:%233R1ijIuEHA.2948@TK2MSFTNGP15.phx.gbl...
>> Hi,
>>
>> A hacker got onto my ftp server and created weird directories. The
>> directory names have words such as com1, lpt and so on, and I am unable to
>> delete them. What should I do? Thanks.
>>
>> Frank
>>
>>
>
>
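
An added example, not part of the original thread: a log audit for the "tagging" pattern described in the reply above, flagging successful write commands by the anonymous user and any path component that collides with a Windows device name (com1, lpt1 and so on). The log layout, field order and sample lines are constructed for illustration, and treating "ftp" as an alias for "anonymous" is an assumption; map the fields to your own server's log format.

```python
import re
from collections import defaultdict

# Win32 device names. "com1", "COM1.txt" and "lpt1." are all treated as the
# device by the Win32 API, so ordinary tools cannot remove such directories.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
WRITE_CMDS = {"STOR", "STOU", "APPE", "MKD", "XMKD", "RNTO"}
ANON_USERS = {"anonymous", "ftp"}  # assumption: both map to the anonymous account

def reserved_components(path):
    """Return the path components whose base name is a reserved device name."""
    hits = []
    for part in re.split(r"[\\/]+", path):
        stem = part.rstrip(" .").split(".")[0].rstrip().upper()
        if stem in RESERVED:
            hits.append(part)
    return hits

def audit(lines):
    """Summarise successful anonymous writes per client IP."""
    findings = defaultdict(lambda: {"writes": 0, "reserved": set()})
    for line in lines:
        fields = line.split(None, 6)
        if line.startswith("#") or len(fields) < 7:
            continue
        _date, _time, ip, user, cmd, status, path = fields
        if user.lower() not in ANON_USERS or cmd.upper() not in WRITE_CMDS:
            continue
        if not status.startswith("2"):
            continue  # a refused write means the permissions held
        findings[ip]["writes"] += 1
        findings[ip]["reserved"].update(reserved_components(path))
    return dict(findings)

# Constructed sample; assumed layout: date time client-ip user command status path
SAMPLE_LOG = """\
#constructed sample log
2004-10-20 03:11:02 192.0.2.15 anonymous MKD 257 /incoming/com1
2004-10-20 03:11:04 192.0.2.15 anonymous MKD 257 /incoming/com1/lpt1
2004-10-20 03:11:09 192.0.2.15 anonymous STOR 226 /incoming/com1/lpt1/movie.part1
2004-10-20 08:30:00 198.51.100.7 frank STOR 226 /reports/q3.xls
2004-10-20 09:00:00 203.0.113.9 anonymous RETR 226 /pub/readme.txt
2004-10-20 09:05:00 203.0.113.9 anonymous STOR 550 /pub/test.txt
""".splitlines()

if __name__ == "__main__":
    for ip, info in audit(SAMPLE_LOG).items():
        print(ip, info["writes"], sorted(info["reserved"]))
```

Any client that appears in the result was able to write as the anonymous user, which is the configuration the reply says to close off with NTFS permissions.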


