
FTP site hacked 1

Status
Not open for further replies.

chesneyj

IS-IT--Management
Aug 20, 2001
US
Recently, we removed Proxy Server 2.0 from our Windows NT 4.0 server and replaced it with a Watchguard firewall. Someone has now hacked their way into my FTP server.

They haven't been able to get to the web site or other FTP sites since I use virtual directories on other physical drives. However, they have managed to get to the C:\inetpub\ftproot directory. They have been dumping files (games and movie clips) into it and restricting it. I can't delete the files, even if I boot to DOS. I get errors saying: "cannot delete, cannot find the specified file", "Cannot remove folder com1: the directory is invalid", or "Cannot delete com1: the parameter is incorrect". The drive is formatted FAT, so I can't take ownership.

He changes the IP address he is using, so blocking the IP addresses after the fact seems moot. I want to eliminate all anonymous access to the sites but I'm not sure how to do this. Everything I have read discourages the practice of eliminating anonymous access, but I still can't find a valid reason why.

The people who legitimately get onto our FTP sites seem to be using IE or Netscape to get in (ftp://.......) instead of programs. When they do this, passwords seem to be bypassed, although that may be an error on my part.

Basically, my questions are:
- How do I block the FTP access so he can't anonymously get into my server?
- How do I delete the 1GB of data he has dumped on the server?
- Why shouldn't I restrict anonymous logons? All it takes is a fake e-mail and these people are in. That seems stupid.
- How can I make the IE & Netscape FTP users log in?

Thank you in advance for any help.
Brenda Sherrod
Network Administrator
Alliance Architects, Inc.
 
Brenda,

This is a common problem with FTP sites that allow anonymous access. The only reason you would need anonymous access is to allow customer access without a username and password. If you plan on setting up an account for everyone that accesses your site, then you can disable anonymous access. As far as IE and Netscape go, they are not bypassing passwords; they are simply using a default anonymous logon built into the browser. If you remove anonymous access from the site, they will be prompted for a username and password. Removing anonymous access is easy: just go into MMC, right-click the FTP site and choose Properties, then go into security account and remove the check from the box that says allow anonymous access. Just remember you will now have to create accounts for people that access your FTP. They have used reserved Windows names to keep you from deleting these directories; this article describes how to delete them. One more thing: I would strongly recommend going to NTFS on this machine for security reasons.
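
The reserved-name trick described in the reply above, as an added example that is not part of the original thread: a Python audit that flags entries in an FTP root listing whose path components collide with DOS device names (the `com1` folder in the question is one). The sample listing is constructed, the function names are hypothetical, and the `\\.\` device-namespace form returned for cleanup is an assumption to confirm against the Knowledge Base article the reply refers to.

```python
from pathlib import PureWindowsPath

# Classic DOS device names that Win32 path parsing maps to devices, not files.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

def reserved_component(name):
    """Return the device name a path component collides with, or None."""
    # Win32 ignores trailing dots/spaces and anything after the first dot,
    # so "com1", "COM1.txt" and "com1 ." all resolve to the COM1 device.
    base = name.rstrip(". ").partition(".")[0].rstrip(" ").upper()
    return base if base in RESERVED else None

def audit_listing(paths):
    """Map each flagged path to (device, shallowest reserved prefix)."""
    findings = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        first = 1 if p.anchor else 0  # skip the drive anchor ("C:\")
        for i in range(first, len(p.parts)):
            dev = reserved_component(p.parts[i])
            if dev:
                prefix = str(PureWindowsPath(*p.parts[: i + 1]))
                findings[raw] = (dev, prefix)
                break
    return findings

def device_namespace(path):
    """Assumed cleanup form: prefix that bypasses device-name parsing."""
    return "\\\\.\\" + path

# Constructed sample listing, not data from the thread.
SAMPLE_LISTING = [
    r"C:\inetpub\ftproot\readme.txt",
    r"C:\inetpub\ftproot\com1\movie.avi",
    r"C:\inetpub\ftproot\tagged\LPT3.bak\game.iso",
    r"C:\inetpub\ftproot\com10\ok.txt",
    r"C:\inetpub\ftproot\docs\aux.txt",
]

if __name__ == "__main__":
    for path, (dev, prefix) in audit_listing(SAMPLE_LISTING).items():
        print(f"{dev:5} {path}  ->  {device_namespace(prefix)}")
```
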

 
Thank you for your help.

I've done what you said and looked into the Knowledge Base article. I'm going to install the resource kit this afternoon. Hopefully, the POSIX utilities will allow me to delete these files. The standard DEL command doesn't.

I'm hoping to update the C: drive to NTFS soon. However, I have noticed that literature seems to point towards using the C: drive as FAT. That is another thing I have always been confused on. Why would I want to do that?

Oh, well. MS isn't always a clear company, now is it?

Thanks again.
Brenda Sherrod
Network Administrator
Alliance Architects, Inc.
 
If I recall, because IIS does not allow for the creation of virtual FTP sites, to separate them, you will need to assign a unique port number to each different user FTP account. However, if one user knows another user's port number, he could actually log into another FTP site by simply changing the port number. So although no unauthorized or anonymous person will be able to access FTP on your server, anyone with a user ID and password that is authorized to access it can access any FTP folder by changing the port numbers. I've been trying to find a simple, reliable FTP server to replace IIS that will allow for virtual FTP sites and would love any recommendations.
 
I am happy to report that after all the work I did yesterday to block him, he was not able to get in last night, although he did try. Thankfully, I remembered to disable the Guest account. The Event Log recorded everything.

I'm going to keep an eye out for him, but I hope he is gone.

Thanks for all the help.
Brenda Sherrod
Network Administrator
Alliance Architects, Inc.
 
Unfortunately, there are automated scripts that scan for FTP sites and test whether or not anonymous access is allowed. So if you have no need for anonymous access, then disable it; you will save yourself a lot of trouble.
 
I use Serv-U FTP server, and I detect hacking attempts each day. However, they never get through. Try it instead. Also, Norton Personal Firewall is great.
 