[Dshield] (no subject)

Paul Clarke paulclarke at clarkeworks.com
Tue Nov 27 12:45:14 GMT 2001


In a message to the list Rick said:

 >Subject: RE: [Dshield] IIS hacked - help????
 >Date: Mon, 26 Nov 2001 12:16:02 -0500
 >From: "Gasper, Rick" <rjgasper at kings.edu>
 >To: <dshield at dshield.org>
 >Reply-To: dshield at dshield.org
 >
 >While I agree that it is possible that a root kit could have been
 >installed and that a compromised machine should be formatted and
 >reinstalled, I don't think the machine was truly compromised. I have
 >seen this attack before. What it comes down to, is a script kiddie that
 >uses an anonymous ftp server as a warez server.
 >
 >
 >Here is the link that explains how to do it:
 >
 >http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt
 >
 >Bottom line:
 >If you open an anonymous ftp server on IIS and the kiddies find it, then
 >you will end up with a bunch of warez.
 >
 >
 >Rick

How true.  I am living proof.  My FTP server became a "free" Warez site in
September and I only noticed it after they ate up 15Gb of disk and the drive
hit zero free space.

For a few weeks it was a running battle until I found a configuration
(Windows 2000 Server & IIS 5) that effectively freezes them out without
forcing me to make the FTP server private;  I have set the NTFS security to
allow writes but no reads, create directory but no directory reads and no
browsing.  In addition, I added a QUOTA of 150Mb.  Then I added a "pleasant"
README.1ST to the site notifying the "users" that they can, if they wish,
create directories and upload up to 150 Mb - but only to the UPLOAD root and
not to their created directory!! - but their friends and neighbours will NOT
be able to see nor download any of their "wares".

I did get a couple of idiots who didn't read the notice and wasted an hour or
so of their on-line time.  Oh well.

Each morning I inspect for rogue directories and blow them away.  Also, I
left their usual "test" trash (space.asp, 1kbtest.ptf) in the UPLOAD
directory but marked "READ ONLY" to further annoy them.

You can see/test it yourself at ftp.clarkeworks.com and all suggestions for
further improvements are very welcome.

Paul
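
The morning inspection described in the message above, as a report-only Python script. This is an added example and not part of the original post; the function names, the byte value used for the 150 Mb quota and the sample tree are assumptions.

```python
import os
import tempfile

# Assumptions, not from the post: function names, reading "150 Mb" as
# 150 * 1024 * 1024 bytes, and report-only behaviour (nothing is deleted).
QUOTA_BYTES = 150 * 1024 * 1024
# Files the post says are deliberately left in the UPLOAD root.
EXPECTED_FILES = {"readme.1st", "space.asp", "1kbtest.ptf"}


def tree_size(path):
    """Total size in bytes of files under path, without following links."""
    total = 0
    for dirpath, _dirs, files in os.walk(path, followlinks=False):
        for name in files:
            total += os.lstat(os.path.join(dirpath, name)).st_size
    return total


def audit_upload_root(root, quota=QUOTA_BYTES):
    """List uploader-created directories and unexpected files, and check usage."""
    rogue_dirs, unexpected_files, used = [], [], 0
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                rogue_dirs.append(entry.name)
                used += tree_size(entry.path)
            else:
                used += entry.stat(follow_symlinks=False).st_size
                if entry.name.lower() not in EXPECTED_FILES:
                    unexpected_files.append(entry.name)
    return {"rogue_dirs": sorted(rogue_dirs),
            "unexpected_files": sorted(unexpected_files),
            "bytes_used": used,
            "over_quota": used > quota}


def build_sample_root():
    """Constructed sample tree standing in for the UPLOAD root."""
    root = tempfile.mkdtemp(prefix="upload_")
    for name, size in [("README.1ST", 200), ("space.asp", 10), ("stray.bin", 1000)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    os.makedirs(os.path.join(root, "tagged", "nested"))
    with open(os.path.join(root, "tagged", "nested", "part01.bin"), "wb") as fh:
        fh.write(b"\0" * 4096)
    return root


if __name__ == "__main__":
    print(audit_upload_root(build_sample_root(), quota=5000))
```

Run against the real UPLOAD root from a scheduled task, the report shows which directories and files appeared since the last clean-up and whether usage has passed the quota.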



