
ftp hacked through firewall


StuartJones (Programmer), Jul 10, 2002
My company is using a NetScreen 25 firewall.

An unauthorised person has managed to get through the firewall and upload some files on our ftp server. Because of this we have closed the ftp port and server down for the time being.

Whenever the ftp server was running with the illegal files, the external network connection would slow down something chronic. As soon as the server was shut down, the internet connection returned to normal speeds.

We cannot delete these files now - for some reason there is no security tab in the file properties either (we are running Windows 2000 Server with IIS on an NTFS partition).

Our ftp is not on an internet domain - but does have a public IP.


Is there any way to improve protection so that we could open up the ftp server again?
 
Well, since they (hackers) are coming in through port 21, you can change the port used for FTP to a non-standard port. However, if this person uses a port scanner, he/she will find out that port and make another attempt. The next thing you can try is setting a secured username and password (using alphanumeric and special characters). If FTP is only used from a specific IP then you may be able to lock it so that only the IP can ftp through the FW.

Hope this helps
 
You stated that "We cannot delete these files now - for some reason there is no security tab in the file properties either (we are running Windows 2000 Server with IIS on an NTFS partition)." Do you mean the security tab has no user shown? If that is the case, the files were probably created on a PC outside the domain and copied over. You can take ownership of the files first, then delete them.

You can also block ftp-put on the Netscreen 25, in addition to restricting ftp access with username/password, source IP addresses, or ftp port.

You can also set the W2K security on the server / folder to restrict the user rights. The first thing I would do is remove the Everyone group, after setting rights for the proper users / groups. I would also be very suspicious whether this breach is coming from outside or inside.

You can also restrict the bandwidth utilization by different services with policies. Limiting the ftp max bandwidth may solve that slowdown problem.

 
I really meant that there was no Security tab - so no way to take ownership of the files - it's a moot point now as we have flattened the server (needed a rebuild anyway), and disabled the ftp server on it for the time being.


The rest of your post is pretty useful though, and thanks for replying.

Stu
 
Make sure that you are configuring user auth on the ftp server and not allowing anonymous logons. Sounds like someone was running a warez site on your ftp server. That could be the reason why bandwidth utilization was so high. Go to Microsoft's site and run some security updates on IIS as well.

BM
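
A log check for the anonymous-upload abuse discussed in this thread, added here as an example and not posted by any participant. It assumes the FTP service writes W3C-style lines with the fields time, c-ip, cs-method, cs-uri-stem, sc-status and a bracketed session number before the method; the sample log and every address in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample. Assumed layout: time c-ip cs-method cs-uri-stem sc-status,
# with "[n]" before the method as the session number.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:14:07 203.0.113.45 [7]USER anonymous 331
02:14:08 203.0.113.45 [7]PASS guest@example.invalid 230
02:14:11 203.0.113.45 [7]MKD /pub/tmp1 257
02:14:30 203.0.113.45 [7]created /pub/tmp1/part01.rar 226
02:15:02 203.0.113.45 [7]created /pub/tmp1/part02.rar 226
09:01:44 198.51.100.20 [8]USER stuart 331
09:01:45 198.51.100.20 [8]PASS - 230
09:02:10 198.51.100.20 [8]created /reports/q2.xls 226
11:20:03 192.0.2.77 [9]USER anonymous 331
11:20:04 192.0.2.77 [9]PASS a@b.invalid 230
11:20:19 192.0.2.77 [9]sent /pub/tmp1/part01.rar 226
11:21:40 192.0.2.77 [9]sent /pub/tmp1/part02.rar 226
"""

LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.+) (\d{3})$")
ANON_NAMES = {"anonymous", "ftp"}   # login names treated as anonymous
WRITES = {"created", "mkd"}         # uploads and directory creation
READS = {"sent"}                    # downloads

def anonymous_activity(log_text):
    """Return {client_ip: {"writes": [paths], "reads": count}} for anonymous sessions."""
    login = {}  # (client_ip, session) -> login name seen in USER
    report = defaultdict(lambda: {"writes": [], "reads": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header or malformed line
        _time, ip, sid, method, target, status = m.groups()
        method = method.lower()
        if method == "user":
            login[(ip, sid)] = target.lower()
        elif login.get((ip, sid)) in ANON_NAMES and status.startswith("2"):
            if method in WRITES:
                report[ip]["writes"].append(target)
            elif method in READS:
                report[ip]["reads"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, seen in anonymous_activity(SAMPLE_LOG).items():
        print(ip, "uploaded/created:", seen["writes"], "downloads:", seen["reads"])
```

Any address that appears with a non-empty `writes` list means anonymous write access is enabled on that path; a high `reads` count from unrelated addresses against the same paths matches the bandwidth symptom described above.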
 
As well as flattening the server - make sure you don't use Microsoft's FTP server. Junk it. Use War-FTP or any other 3rd party server.
 