Results 1 to 5 of 5

Thread: Help

  1. September 10th, 2001, 06:35 PM #1
    mbland
    mbland is offline
    Junior Member
    Join Date
    Sep 2001
    Posts
    2

    Help

    I need LOTS of help

    Problems are with the FTP site. Running NT server 4.0 with IIS 4.
    Somene has uploaded some files to the ftp directory, which is unsecured with anonymous logon. These files cannot be deleted from windows or ms-dos. These files can be viewed, but cannot be altered in any fashion. The files are in a tree that is five levels deep, trying to delete or move any files or folders results in the same message. The message is that the file could not be found.
    The files appear to be some pirated sw for a warez site.

    Anyone have any idea what is going on here?

    Also, the FTP site cannot be accessed with any account, including admin, from a browser. The anonymous access no longer works.
    I have created a new ftp root with new security and reset all ftp access properties with the same results.
    Also there is someone who is constantly connected to the ftp connection. If I close the connection it reappears within 5 seconds. If I deny access to that IP address the same account logs in under a different IP in a few minutes.

    Any ideas on how to free up the ftp site, and get rid of this attack?
  2. September 10th, 2001, 11:44 PM #2
    Terr
    Terr is offline
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Ouch. Uhm. Reinstall the server software, boot to alternate OS to remove files? It might be simplest, in the end, compared to messing around a lot trying to keep the current config.

    Check out this thread, just in case it sheds any light on it.

    I really don't know, but you COULD try disallowing any access to that whole range of addresses... If it becomes a real problem, get help. Find the IP, and the time, and go to the ISP(s) and explain the problem.
    [HvC]Terr: L33T Technical Proficiency
  3. September 19th, 2001, 12:19 AM #3
    rnapro
    rnapro is offline
    Member rnapro's Avatar
    Join Date
    Aug 2001
    Posts
    66
    Try stopping your FTP service and then attempt to delete the files.

    If these files are connected to a warez site that might explain the various IP addresses.

    Is there a reason you need a FTP site that is not secure?
    http://www.AntiOnline.com/sig.php?imageid=844
  4. September 19th, 2001, 07:21 AM #4
    magic1
    magic1 is offline
    Senior Member
    Join Date
    Sep 2001
    Posts
    111

    Post info

    those file are chipher files in which the bit ,that the system use for
    seeing if that file is in a proces,is always 1.
    The best way is to boot your computer with ntfs boots diskettes
    and than delete those file or use the norton diskettes to delete those files.

    and in mean time see if any tcp port is opened
    because this is a kind of trojan


    see you bye
    If God had intended
    Man to program,
    we would be born
    with serial I/O ports.
  5. September 20th, 2001, 03:19 PM #5
    mbland
    mbland is offline
    Junior Member
    Join Date
    Sep 2001
    Posts
    2
    Thank you all for your help.
    I was able to remove most files after booting locally and stopping all IIS services.
    Some files cannot be removed that easily, getting ready to try the Norton/NT boot routes suggested by magic1.
    It looks like someone is running a script remotely to continually access the FTP server. There are no trojans running locally.
    After I denied about 12 IP's the attacks stopped.

    The ftp site is unsecured for support purposes for technicians in the field that need to upload application specific data at any time.
    We are reviewing that policy

    Thanks again for all of your help.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules