
Thread: FTP hacking...

  1. #11
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Earlier releases had a telnet server? Wow, what for? LMAO. And tedob, if it says anything else then he just has a different kind of ftp server running, right? Of course it could be something malicious like one of those trojan ftp programs, but that's thinking the worst right now.
    Space For Rent.. =]

  2. #12
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    if someone was to upload to the anonymous ftp I found on my home server where would I find those files?
    %System Root%\inetpub\ftproot

    This, of course, can be changed to anything you like.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Sysinternals' TCPView is a good tool for dealing with worm infections since it gives you the possibility of closing connections on the fly and also get a look into what is actually doing what.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can remember the gentle features of the queen's face on that fair day when the land here rested in holy peace and all had love to love with.

  4. #14
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Originally posted here by Spyder32
    Earlier releases had a telnet server? Wow, what for?
    For the same purpose all security flaws are implemented

    [well I guess for admins but... wow! well said]

    And if it's a trojan you can bet it has a modified banner. But if it's a service from IIS then maybe you'll be able to see what's there.

  5. #15
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    For the same purpose all security flaws are implemented
    No, but I'm saying what purpose would a telnet server have on an IIS application? Considering IIS servers are run on M$ systems and telnet servers are generally run on *nix machines. And considering there's no point to have a telnet server on a webserver application.

  6. #16
    Custom User
    Join Date
    Oct 2001
    Posts
    503
    Tedob1, he could be in trouble even if it says ms ftp or whatever the ms ftp server says. There's no reason that someone creating a back door wouldn't try to disguise the backdoor as a ms ftp server. If someone is worried that they might have some "malicious service" running, they cannot ever trust the banner...they really have to use some other tool to figure out what's happening.

    ac

  7. #17
    Junior Member
    Join Date
    Jul 2004
    Posts
    3
    I noticed that many of my files have been modified in my c:/ directories. How the hell is this possible? What is a possible attack method? I have now closed port 21. What others should I close? And if there are multiple backdoors, what should I be looking for?

  8. #18
    Junior Member
    Join Date
    Apr 2004
    Posts
    14
    Another good util for this kind of problem is: Active Ports

    Active Ports 1.4 - easy to use tool that enables
    you to monitor all open TCP/IP and UDP ports on
    the local computer. Active Ports maps ports to
    the owning application so you can watch which
    process has opened which port. It also displays
    a local and remote IP address for each connection
    and allows you to terminate the owning process.
    Active Ports can help you to detect trojans and
    other malicious programs. Freeware
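
The port-to-process mapping that posts #13, #16 and #18 rely on, as an added example that is not part of any post in this thread: instead of trusting the FTP banner, join listening sockets to the owning process and flag anything the host is not expected to run. The `netstat -ano` and `tasklist /fo csv /nh` text is constructed sample data, and the `EXPECTED` allowlist and process names are assumptions for this illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       2960
  TCP    192.0.2.10:21          198.51.100.7:3321      ESTABLISHED     1432
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output (image name, PID, ...).
TASKLIST = '''\
"System","4","Console","0","216 K"
"svchost.exe","884","Console","0","3,412 K"
"inetinfo.exe","1432","Console","0","9,880 K"
"updater32.exe","2960","Console","0","1,204 K"
'''

# Assumption: image names this particular host is expected to listen with.
EXPECTED = {"system", "svchost.exe", "inetinfo.exe"}

def pid_to_image(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def listeners(netstat_text, images):
    """Return sorted (port, pid, image) for every TCP socket in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 fields; header, UDP and blank lines do not match.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])  # rsplit also copes with [::]:21
            pid = int(f[4])
            out.append((port, pid, images.get(pid, "<unknown>")))
    return sorted(out)

def unexpected(rows, expected=EXPECTED):
    """Listeners whose owning image is not on the allowlist."""
    return [r for r in rows if r[2].lower() not in expected]

if __name__ == "__main__":
    for port, pid, image in unexpected(listeners(NETSTAT, pid_to_image(TASKLIST))):
        print(f"review: port {port} owned by PID {pid} ({image})")
```

A matching image name is not proof of legitimacy, since a file can be named anything; confirm the executable's full path and whether the service can be stopped from its usual management console.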

  9. #19
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    nephewb: If you're worried about a trojan or other backdoor applications running on your system, then download a trusty trojan scanner and scan your files. One that I prefer is SwatIt from http://www.swatit.org. It works really well, and although it takes some time, it is only because of its thoroughness and effectiveness.

  10. #20
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Originally posted here by gothic_type
    Tedob1, he could be in trouble even if it says ms ftp or whatever the ms ftp server says. There's no reason that someone creating a back door wouldn't try to disguise the backdoor as a ms ftp server. If someone is worried that they might have some "malicious service" running, they cannot ever trust the banner...they really have to use some other tool to figure out what's happening.

    ac
    Those that install back doors like to keep them hidden from others, not just the owner of the box. Too many people scan port 21; not that it's impossible, IMO it's just not likely.
    If he couldn't turn off the service in the usual places, that would be a giveaway, like in the web services MMC. Back door FTP servers are small, usually don't have a banner and aren't used for an extended period. The ones you can change the header in, like Serv-U, are usually installed on an off port, and the people that use them like to advertise their group and not MS.
