Results 1 to 5 of 5

Thread: Help

  1. #1
    Junior Member
    Join Date
    Sep 2001


    I need LOTS of help

    Problems are with the FTP site. Running NT server 4.0 with IIS 4.
    Somene has uploaded some files to the ftp directory, which is unsecured with anonymous logon. These files cannot be deleted from windows or ms-dos. These files can be viewed, but cannot be altered in any fashion. The files are in a tree that is five levels deep, trying to delete or move any files or folders results in the same message. The message is that the file could not be found.
    The files appear to be some pirated sw for a warez site.

    Anyone have any idea what is going on here?

    Also, the FTP site cannot be accessed with any account, including admin, from a browser. The anonymous access no longer works.
    I have created a new ftp root with new security and reset all ftp access properties with the same results.
    Also there is someone who is constantly connected to the ftp connection. If I close the connection it reappears within 5 seconds. If I deny access to that IP address the same account logs in under a different IP in a few minutes.

    Any ideas on how to free up the ftp site, and get rid of this attack?

  2. #2
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Seattle, WA
    Ouch. Uhm. Reinstall the server software, boot to alternate OS to remove files? It might be simplest, in the end, compared to messing around a lot trying to keep the current config.

    Check out this thread, just in case it sheds any light on it.

    I really don't know, but you COULD try disallowing any access to that whole range of addresses... If it becomes a real problem, get help. Find the IP, and the time, and go to the ISP(s) and explain the problem.
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Member rnapro's Avatar
    Join Date
    Aug 2001
    Try stopping your FTP service and then attempt to delete the files.

    If these files are connected to a warez site that might explain the various IP addresses.

    Is there a reason you need a FTP site that is not secure?

  4. #4
    Senior Member
    Join Date
    Sep 2001

    Post info

    those file are chipher files in which the bit ,that the system use for
    seeing if that file is in a proces,is always 1.
    The best way is to boot your computer with ntfs boots diskettes
    and than delete those file or use the norton diskettes to delete those files.

    and in mean time see if any tcp port is opened
    because this is a kind of trojan

    see you bye
    If God had intended
    Man to program,
    we would be born
    with serial I/O ports.

  5. #5
    Junior Member
    Join Date
    Sep 2001
    Thank you all for your help.
    I was able to remove most files after booting locally and stopping all IIS services.
    Some files cannot be removed that easily, getting ready to try the Norton/NT boot routes suggested by magic1.
    It looks like someone is running a script remotely to continually access the FTP server. There are no trojans running locally.
    After I denied about 12 IP's the attacks stopped.

    The ftp site is unsecured for support purposes for technicians in the field that need to upload application specific data at any time.
    We are reviewing that policy

    Thanks again for all of your help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts