September 10th, 2001, 06:35 PM
I need LOTS of help
Problems are with the FTP site. Running NT server 4.0 with IIS 4.
Someone has uploaded some files to the FTP directory, which is unsecured with anonymous logon. These files cannot be deleted from Windows or MS-DOS. These files can be viewed, but cannot be altered in any fashion. The files are in a tree that is five levels deep; trying to delete or move any files or folders results in the same message. The message is that the file could not be found.
The files appear to be some pirated sw for a warez site.
Anyone have any idea what is going on here?
Also, the FTP site cannot be accessed with any account, including admin, from a browser. The anonymous access no longer works.
I have created a new ftp root with new security and reset all ftp access properties with the same results.
Also there is someone who is constantly connected to the ftp connection. If I close the connection it reappears within 5 seconds. If I deny access to that IP address the same account logs in under a different IP in a few minutes.
Any ideas on how to free up the ftp site, and get rid of this attack?
September 10th, 2001, 11:44 PM
Ouch. Uhm. Reinstall the server software, boot to alternate OS to remove files? It might be simplest, in the end, compared to messing around a lot trying to keep the current config.
Check out this thread, just in case it sheds any light on it.
I really don't know, but you COULD try disallowing any access to that whole range of addresses... If it becomes a real problem, get help. Find the IP, and the time, and go to the ISP(s) and explain the problem.
[HvC]Terr: L33T Technical Proficiency
September 19th, 2001, 12:19 AM
Try stopping your FTP service and then attempt to delete the files.
If these files are connected to a warez site that might explain the various IP addresses.
Is there a reason you need an FTP site that is not secure?
September 19th, 2001, 07:21 AM
Those files are cipher files in which the bit that the system uses for seeing if that file is in a process is always 1.
The best way is to boot your computer with NTFS boot diskettes and then delete those files, or use the Norton diskettes to delete those files.
And in the meantime, see if any TCP port is opened, because this is a kind of trojan.
See you, bye.
If God had intended
Man to program,
we would be born
with serial I/O ports.
September 20th, 2001, 03:19 PM
Thank you all for your help.
I was able to remove most files after booting locally and stopping all IIS services.
Some files cannot be removed that easily, getting ready to try the Norton/NT boot routes suggested by magic1.
It looks like someone is running a script remotely to continually access the FTP server. There are no trojans running locally.
After I denied about 12 IPs the attacks stopped.
The ftp site is unsecured for support purposes for technicians in the field that need to upload application specific data at any time.
We are reviewing that policy.
Thanks again for all of your help.