Sean Graham seangra at yahoo.com
Wed Nov 28 00:19:43 GMT 2001

Why do you wish to run an FTP with open access in the first place?

Usually I have seen that people just mark the Uploads directory Write-Only, 
but with list, and that's the only place with write access.  You can upload 
all you want, and see what you've uploaded, but only users with accounts 
can download anything that has been uploaded (or they must wait until you 
move it out of the upload directory).  Wouldn't this be a simpler way to 
control it?

Good solution though.

-- Sean

At 07:45 AM 11/27/2001 -0500, you wrote:
>In a message to the list Rick said:
>  >Subject: RE: [Dshield] IIS hacked - help????
>  >Date: Mon, 26 Nov 2001 12:16:02 -0500
>  >From: "Gasper, Rick" <rjgasper at kings.edu>
>  >To: <dshield at dshield.org>
>  >Reply-To: dshield at dshield.org
>  >
>  >While I agree that it is possible that a root kit could have been
>  >installed and that a compromised machine should be formatted and
>  >reinstalled, I don't think the machine was truly compromised. I have
>  >seen this attack before. What it comes down to is a script kiddie that
>  >uses an anonymous ftp server as a warez server.
>  >
>  >
>  >Here is the link that explains how to do it:
>  >
>  >http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt
>  >
>  >Bottom line:
>  >If you open an anonymous ftp server on IIS and the kiddies find it, then
>  >you will end up with a bunch of warez.
>  >
>  >
>  >Rick
>How true.  I am living proof.  My FTP server became a "free" Warez site in
>September and I only noticed it after they ate up 15Gb of disk and the drive
>hit zero free space.
>For a few weeks it was a running battle until I found a configuration
>(Windows 2000 Server & IIS 5) that effectively freezes them out without
>forcing me to make the FTP server private;  I have set the NTFS security to
>allow writes but no reads, create directory but no directory reads and no
>browsing.  In addition, I added a QUOTA of 150Mb.  Then I added a "pleasant"
>README.1ST to the site notifying the "users" that they can, if they wish,
>create directories and upload up to 150 Mb - but only to the UPLOAD root and
>not to their created directory!! - but their friends and neighbours will NOT
>be able to see nor download any of their "wares".
>I did get a couple of idiots who didn't read the notice and wasted an hour or
>so of their on-line time.  Oh well.
>Each morning I inspect for rogue directories and blow them away.  Also, I
>left their usual "test" trash (space.asp, 1kbtest.ptf) in the UPLOAD
>directory but marked "READ ONLY" to further annoy them.
>You can see/test it yourself at ftp.clarkeworks.com and all suggestions for
>further improvements are very welcome.
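The write-but-no-read upload directory, the hard quota and the morning inspection described in the quoted post, as an added example that is not part of the original thread: it uses current PowerShell, the .NET FileSystemAccessRule API and the FSRM module rather than the Windows 2000 / IIS 5 tools of 2001, and the path C:\ftproot\UPLOAD and the anonymous identity IUSR are assumptions.

```powershell
# Added example, not from the original thread. Recreates the quoted configuration:
# anonymous FTP users may create files and subdirectories in UPLOAD but cannot
# list or read anything, may not write into the subdirectories they create,
# and are capped by a hard quota. Run from an elevated PowerShell on the server.
$Upload     = 'C:\ftproot\UPLOAD'   # assumed physical path of the FTP upload folder
$AnonUser   = 'IUSR'                # assumed anonymous identity used by IIS FTP
$QuotaBytes = 150MB                 # the 150 MB cap from the post

New-Item -ItemType Directory -Path $Upload -Force | Out-Null

$acl = Get-Acl -Path $Upload
# Stop inheriting and drop inherited ACEs so the parent's Read/List rights do
# not leak into the drop box.
$acl.SetAccessRuleProtection($true, $false)

# Administrators keep full control, inherited by everything below, so the daily
# inspection and cleanup of rogue directories still works.
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($adminRule)

# Anonymous rule: CreateFiles + CreateDirectories (write only), plus the minimal
# attribute/permission/synchronize rights a handle open needs. No ReadData or
# ListDirectory, so uploads cannot be seen or downloaded. InheritanceFlags None
# means the ACE applies only to the UPLOAD root: subdirectories the "users"
# create get no anonymous ACE at all, so they cannot upload into them.
$anonRights = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, CreateDirectories, WriteAttributes, ReadAttributes, ReadPermissions, Synchronize')
$anonRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AnonUser, $anonRights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($anonRule)
Set-Acl -Path $Upload -AclObject $acl

# Hard quota (requires the File Server Resource Manager role and its module).
Import-Module FileServerResourceManager
New-FsrmQuota -Path $Upload -Size $QuotaBytes | Out-Null

# The morning inspection from the post: list rogue directories with owner and
# creation time, oldest first, so they can be reviewed and removed.
Get-ChildItem -Path $Upload -Directory |
    Select-Object Name, CreationTime, @{ n = 'Owner'; e = { (Get-Acl $_.FullName).Owner } } |
    Sort-Object CreationTime
```

Because the anonymous ACE carries no inheritance flags, a file uploaded to the root is owned by the anonymous account but readable only by Administrators, which is the "write but no read" behaviour the post relies on.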
