Retrieve files deleted through FTP


CSpannos (IS-IT--Management, Mar 21, 2001)
Hello,

Recently, a co-worker of mine set up a website and FTP site on our Windows 2000 Advanced Server running IIS. He left anonymous access open on the FTP site and someone got in. The following is the FTP log from the activity:

Code:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-07 10:52:01
#Fields: time c-ip cs-method cs-uri-stem sc-status 
10:52:01 <ipaddress> [480]USER anonymous 331
10:52:01 <ipaddress> [480]PASS anonymous@on.the.net 230
10:52:05 <ipaddress> [480]DELE -=[1000KB] 250
10:52:11 <ipaddress> [480]sent /@2+--0.5MB-- 550
10:52:24 <ipaddress> [480]created @2+--0.5MB-- 226
10:52:32 <ipaddress> [480]sent /@2+--0.5MB-- 226
10:52:32 <ipaddress> [480]sent /@2+--0.5MB-- 426
10:52:39 <ipaddress> [480]sent /@2+--0.5MB-- 226
10:53:01 <ipaddress> [480]DELE @2+--0.5MB-- 250
10:53:06 <ipaddress> [480]sent /windoof.ASP 550
10:53:06 <ipaddress> [480]created windoof.ASP 226
10:53:16 <ipaddress> [480]QUIT - 226
10:53:35 <ipaddress> [481]USER anonymous 331
10:53:35 <ipaddress> [481]PASS anonymous@on.the.net 230
10:53:38 <ipaddress> [481]sent /ntfs.exe 550
10:54:05 <ipaddress> [481]created ntfs.exe 226
10:54:05 <ipaddress> [481]sent /serv-u.ini 550
10:54:06 <ipaddress> [481]created serv-u.ini 226
10:54:06 <ipaddress> [481]sent /win.asp 550
10:54:07 <ipaddress> [481]created win.asp 226
10:54:19 <ipaddress> [481]QUIT - 226
10:54:50 <ipaddress> [482]USER anonymous 331
10:54:50 <ipaddress> [482]PASS anonymous@on.the.net 230
10:54:56 <ipaddress> [482]sent /KILL.EXE 550
10:54:57 <ipaddress> [482]created KILL.EXE 226
10:54:59 <ipaddress> [482]DELE ntfs.exe 550
10:55:08 <ipaddress> [482]DELE serv-u.ini 250
10:55:10 <ipaddress> [482]sent /serv-u.ini 550
10:55:10 <ipaddress> [482]created serv-u.ini 226
10:55:21 <ipaddress> [482]sent /win.asp 226
10:55:21 <ipaddress> [482]created win.asp 226
10:55:35 <ipaddress> [482]sent /win.asp 226
10:55:35 <ipaddress> [482]created win.asp 226
10:55:40 <ipaddress> [482]QUIT - 226
10:55:55 <ipaddress> [483]USER anonymous 331
10:55:55 <ipaddress> [483]PASS anonymous@on.the.net 230
10:56:00 <ipaddress> [483]sent /killav.bat 550
10:56:00 <ipaddress> [483]created killav.bat 226
10:56:13 <ipaddress> [483]sent /killav.bat 226
10:56:23 <ipaddress> [483]sent /win.asp 226
10:56:23 <ipaddress> [483]created win.asp 226
10:56:35 <ipaddress> [483]QUIT - 226
10:56:38 <ipaddress> [484]USER anonymous 331
10:56:38 <ipaddress> [484]PASS anonymous@on.the.net 230
10:56:38 <ipaddress> [484]QUIT - 226
10:56:57 <ipaddress> [485]USER anonymous 331
10:56:57 <ipaddress> [485]PASS anonymous@on.the.net 230
10:57:05 <ipaddress> [485]sent /NC.EXE 550
10:57:08 <ipaddress> [485]created NC.EXE 226
10:57:13 <ipaddress> [485]sent /start.bat 550
10:57:16 <ipaddress> [485]created start.bat 226
10:57:33 <ipaddress> [485]sent /win.asp 226
10:57:33 <ipaddress> [485]created win.asp 226
10:57:52 <ipaddress> [485]DELE killav.bat 250
10:57:58 <ipaddress> [485]QUIT - 226
10:58:27 <ipaddress> [486]USER anonymous 331
10:58:27 <ipaddress> [486]PASS anonymous@on.the.net 230
10:58:38 <ipaddress> [486]DELE KILL.EXE 250
10:58:38 <ipaddress> [486]DELE NC.EXE 250
10:58:38 <ipaddress> [486]DELE ntfs.exe 550
10:58:38 <ipaddress> [486]DELE serv-u.ini 250
10:58:38 <ipaddress> [486]DELE start.bat 250
10:59:23 <ipaddress> [486]DELE win.asp 250
10:59:23 <ipaddress> [486]DELE windoof.ASP 250
11:04:31 <ipaddress> [486]QUIT - 257

As you can see, the attacker covered up his/her tracks by deleting any files uploaded. I would like to see exactly what those files contained, though. Is there any way to retrieve these deleted items?

Thanks!
 
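The log above is IIS 5.0's W3C extended format: the `#Fields` directive names the columns, the `[480]`-style prefix on `cs-method` is the control-connection (session) id, `created` is IIS's entry for a file received from the client (STOR), `sent` is a file sent to the client (RETR), and `sc-status` is the FTP reply code (226/250 success, 550 failure). The following Python is an added example, not code from the thread or from IIS: it parses that format, rebuilds what each anonymous session wrote, and separates uploads that were later deleted successfully (the files that would need disk-level recovery) from uploads whose `DELE` came back 550 and so may still be sitting on the filesystem. The embedded log is a constructed excerpt of the posted one with a made-up RFC 5737 client address.

```python
"""Reconstruct attacker file activity from an IIS 5.0 FTP log (W3C extended format)."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the log posted above, client address made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-07 10:52:01
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:52:01 192.0.2.10 [480]USER anonymous 331
10:52:01 192.0.2.10 [480]PASS anonymous@on.the.net 230
10:52:05 192.0.2.10 [480]DELE -=[1000KB] 250
10:53:06 192.0.2.10 [480]sent /windoof.ASP 550
10:53:06 192.0.2.10 [480]created windoof.ASP 226
10:53:16 192.0.2.10 [480]QUIT - 226
10:53:35 192.0.2.10 [481]USER anonymous 331
10:53:35 192.0.2.10 [481]PASS anonymous@on.the.net 230
10:54:05 192.0.2.10 [481]created ntfs.exe 226
10:54:06 192.0.2.10 [481]created serv-u.ini 226
10:54:19 192.0.2.10 [481]QUIT - 226
10:58:27 192.0.2.10 [486]USER anonymous 331
10:58:27 192.0.2.10 [486]PASS anonymous@on.the.net 230
10:58:38 192.0.2.10 [486]DELE ntfs.exe 550
10:58:38 192.0.2.10 [486]DELE serv-u.ini 250
10:59:23 192.0.2.10 [486]DELE windoof.ASP 250
11:04:31 192.0.2.10 [486]QUIT - 257
"""

# "[480]USER" -> session 480, method USER
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")


def parse_iis_ftp_log(text):
    """Turn W3C extended-format lines into dicts keyed by the #Fields column names."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than mis-assign columns
        rec = dict(zip(fields, values))
        m = METHOD_RE.match(rec["cs-method"])
        if not m:
            continue
        rec["session"] = int(m.group(1))
        rec["method"] = m.group(2).upper()
        rec["name"] = rec["cs-uri-stem"].lstrip("/")  # "sent /x" vs "created x"
        rec["status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def analyze(records):
    """Flag anonymous sessions that wrote to the server and classify each touched file."""
    anon_sessions, write_sessions = set(), set()
    history = defaultdict(list)  # lower-cased name -> [(time, session, method, status)]
    display = {}                 # lower-cased name -> name as first logged
    for r in records:
        s = r["session"]
        if r["method"] == "USER" and r["name"].lower() == "anonymous":
            anon_sessions.add(s)
        if r["method"] in ("CREATED", "DELE"):
            write_sessions.add(s)
            key = r["name"].lower()  # NTFS names are case-insensitive
            display.setdefault(key, r["name"])
            history[key].append((r["time"], s, r["method"], r["status"]))
    uploaded_then_deleted, upload_delete_failed, deleted_without_upload = [], [], []
    for key, events in history.items():
        uploaded = any(m == "CREATED" and st == 226 for _, _, m, st in events)
        deleted = any(m == "DELE" and st == 250 for _, _, m, st in events)
        delete_failed = any(m == "DELE" and st == 550 for _, _, m, st in events)
        name = display[key]
        if uploaded and deleted:
            uploaded_then_deleted.append(name)   # gone from the directory; needs disk recovery
        elif uploaded and delete_failed:
            upload_delete_failed.append(name)    # DELE failed: check the FTP root for it
        elif deleted and not uploaded:
            deleted_without_upload.append(name)  # pre-existing or uploaded outside this log
    return {
        "anonymous_write_sessions": sorted(anon_sessions & write_sessions),
        "uploaded_then_deleted": sorted(uploaded_then_deleted),
        "upload_delete_failed": sorted(upload_delete_failed),
        "deleted_without_upload": sorted(deleted_without_upload),
        "history": {display[k]: v for k, v in history.items()},
    }


if __name__ == "__main__":
    result = analyze(parse_iis_ftp_log(SAMPLE_LOG))
    for k, v in result.items():
        if k != "history":
            print(f"{k}: {v}")
```

Run against the full log in the post, the same classification puts ntfs.exe in the "delete failed" bucket (both `DELE ntfs.exe` lines are 550), which is the first place to look on disk before reaching for undelete tools; every other upload ends in a 250 and only survives, if at all, in unallocated clusters or a pre-incident backup.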
Doesn't look good. Based on what was uploaded (then deleted), chances are your server is compromised. So even if you figure out what was done, you couldn't undo it effectively. If you have a backup from before this happened, I don't even know that I would use that, except to restore data. If you restore the SAM or recreate user accounts with the same names/passwords, the hacker probably already has these. Also, if you have the same user names and passwords on other boxes in your network, those may be compromised as well.
 
Do you really think that this person got any user names and passwords? Wouldn't the most they could do be to change an existing account's password, or add a new account (neither of which was done... I don't think)?

ntfs.exe and serv-u.ini are part of some FTP program. I think that the attacker was trying to set up some type of gateway for an attack on another system, using ours to do so.

 
I don't know for sure. If you are sure about the ntfs.exe, kill.exe, etc. then I suppose you are safe. And since he/she did not delete the FTP log file, they obviously were not worried or unable to cover their tracks. I've seen compromised boxes that had user accounts, folders, processes running that you could not see even as administrator. Only after taking the boxes off-line and examining things at a lower level was the hack exposed.

Downloading and cracking the SAM database is, unfortunately, not a difficult task.
 
If you have the time, I'd highly recommend rebuilding the compromised machine, even if you don't suspect further damage than file deletion. Recover the files from backup, and put them on the new, rebuilt, SECURED FTP server.

 