[Dshield] (no subject)
paulclarke at clarkeworks.com
Tue Nov 27 12:45:14 GMT 2001
In a message to the list Rick said:
>Subject: RE: [Dshield] IIS hacked - help????
>Date: Mon, 26 Nov 2001 12:16:02 -0500
>From: "Gasper, Rick" <rjgasper at kings.edu>
>To: <dshield at dshield.org>
>Reply-To: dshield at dshield.org
>While I agree that it is possible that a root kit could have been
>installed and that a compromised machine should be formatted and
>reinstalled, I don't think the machine was truly compromised. I have
>seen this attack before. What it comes down to, is a script kiddie that
>uses an anonymous ftp server as a warez server.
>Here is the link that explains how to do it:
>If you open an anonymous ftp server on IIS and the kiddies find it, then
>you will end up with a bunch of warez.
How true. I am living proof. My FTP server became a "free" Warez site in
September and I only noticed it after they ate up 15Gb of disk and the drive
hit zero free space.
For a few weeks it was a running battle until I found a configuration
(Windows 2000 Server & IIS 5) that effectively freezes them out without
forcing me to make the FTP server private; I have set the NTFS security to
allow writes but no reads, create directory but no directory reads and no
browsing. In addition, I added a QUOTA of 150Mb. Then I added a "pleasant"
README.1ST to the site notifying the "users" that they can, if they wish,
create directories and upload up to 150 Mb - but only to the UPLOAD root and
not to their created directory!! - but their friends and neighbours will NOT
be able to see nor download any of their "wares".
I did get a couple of idiots who didn't read the notice and wasted an hour or
so of their on-line time. Oh well.
Each morning I inspect for rogue directories and blow them away. Also, I
left their usual "test" trash (space.asp, 1kbtest.ptf) in the UPLOAD
directory but marked "READ ONLY" to further annoy them.
You can see/test it yourself at ftp.clarkeworks.com and all suggestions for
further improvements are very welcome.
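
The morning inspection described in the message above, sketched as an added example that is not part of the original post or the poster's own tooling. The function names, the keep list and reading "150 Mb" as 150 × 1024 × 1024 bytes are assumptions, and the sample tree is constructed.

```python
import os
import tempfile

QUOTA_BYTES = 150 * 1024 * 1024  # assumption: the post's 150 Mb quota read as MiB
# Files the post says are deliberately left in the UPLOAD root.
KEEP_FILES = {"README.1ST", "space.asp", "1kbtest.ptf"}


def audit_upload_root(root, keep=KEEP_FILES, quota=QUOTA_BYTES):
    """Report uploader-made directories, unexpected files and quota usage."""
    rogue_dirs, new_files, used = [], [], 0
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel != ".":
            rogue_dirs.append(rel)  # any directory below the root was made by an uploader
        for name in filenames:
            path = os.path.join(dirpath, name)
            used += os.path.getsize(path)
            # Only the keep-list files, and only in the root itself, are expected.
            if rel != "." or name not in keep:
                new_files.append(os.path.relpath(path, root))
    return {
        "rogue_dirs": sorted(rogue_dirs),
        "new_files": sorted(new_files),
        "bytes_used": used,
        "quota_left": quota - used,
    }


def build_sample(root):
    """Constructed sample tree: the kept files plus typical drop-box leftovers."""
    for name, size in (("README.1ST", 200), ("space.asp", 10), ("1kbtest.ptf", 1024)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"x" * size)
    os.makedirs(os.path.join(root, "tagged", "nested"))
    with open(os.path.join(root, "tagged", "nested", "part01.bin"), "wb") as fh:
        fh.write(b"x" * 4096)
    with open(os.path.join(root, "upload.zip"), "wb") as fh:
        fh.write(b"x" * 2048)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for key, value in audit_upload_root(tmp).items():
            print(key, value)
```

Run against the real upload root, the `rogue_dirs` list is what gets deleted each morning and `quota_left` shows how close the drop box is to the limit.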