Figure this one out!! - ftp hack problem!

Status
Not open for further replies.
A strange thing happened on my server a while back.

On Windows 2000 Server, I left ftp open (anonymous access) for someone to ftp some script info to my server. I was only going to have it open for a few days, so I didn't think it would be much of a problem.

Anyhow, after a couple of days, I noticed lots of activity. Some nerd was copying stuff over to my ftp folder. I shut down ftp and got rid of this guy, but afterwards I noticed that when I tried to delete one of the files he uploaded, I couldn't. What happens is that I select the item to delete and then the Windows Explorer window crashes.

After looking at the file, I noticed that it has no permissions set for it. I am not sure how this happened, but maybe when I cut the guy off, the permissions didn't copy over properly. I'm wondering what the best way is to delete this file. I've tried it in Windows & DOS without success. Any ideas?



I modified the title of your post to more accurately reflect your problem; it's easier then for others to search and find this post if it contains good information - Phantasm66.
 
It's funny that you should mention that, because the other day when I was trying to connect to my own ftp server, I noticed that it was not MS ftp running on the port but war ftp, which I did not install.

After some detective work I found the war ftp root directory, and it's full of crappy porno stuff, and the anti virus software starts to go mental because there's like 100 MB of zip files in there which are warez and stuff.

Essentially what's happened is that some little script kiddie dude does not want to host his sicko porn on his own machine in case the jobs bust him, so he runs some 3Xplo1t on your machine and then starts to upload all of this crap there. He then links to your machine from some crap warez site. Machines with static IP addresses are the highest prized.

How this little dude managed to do this I do not know, but I restored from a drive image backup, changed all of my passwords, did a windowsupdate.microsoft.com and also ran the baseline security analyser and followed all of its advice.

I had already disabled anonymous ftp, but it's important to point out to others to do this.

I also made my ftp root directory read only access by default and then emptied it, and instead pointed the various accounts to virtual directories in other locations. It's important to use NTFS so that you can set permissions so that only a specific account can access its respective ftp virtual directories.

The empty ftp root means that if anyone moves up above one level of their virtual directory they get a directory with nothing in it.

Remember that ftp authenticates over the internet using unencrypted ASCII text, so someone can point a network traffic analyser (like Windows 2000 Network Monitor) at your machine, and if they are even half way decent at reading the output they could find your password.

Don't use the administrative account to connect via ftp, and don't use the same password as the admin account for your password for the ftp access account.

A much better system is OpenSSH, which is available for most all platforms, and you can get the Windows stuff here: http://www.networksimplicity.com/openssh/ This uses strong encrypted authentication and is a much better alternative.

If you are getting files with funny permissions or no permissions, then did you try running a chkdsk on the volume? I think it might turn out that it will fix that. If not, I think that the resource kit has a tool for doing all of this. If you install the Windows 2000 Server Resource Kit I think you can search the tools and you will find something to help you.

It might be a good idea to follow Thomas's new Windows security guide here: https://www.techspot.com/tweaks/windows_security/index.shtml for some good tips on improving the security of your box. Always install some kind of a firewall (www.zonelabs.com) and keep virus detection software up to date.

I hope you manage to improve your situation and that this doesn't happen to you again.
 
undeletable file

Well, I don't think this calls for a complete re-install. The file is only about 200MB.

The thing that I couldn't figure out is that if this guy wanted to make my ftp folder a warez site, wouldn't he want people to view it?

If someone were to access it, it is not accessible because it doesn't have any permissions.

I will have to try chkdsk. As I remember, I think it stalled and stopped when it got to the file. If there is a way of finding exactly what sectors the file is on the hard drive, there might be a way I can delete it, possibly with the correct program.

As far as security goes, I am aware that anonymous ftp is dangerous. I was too lazy to set up ftp users at the time, but now I only set up ftp users and shut it down after the person is done using it.
 
Re: undeletable file

Originally posted by tommygunner
Well, I don't think this calls for a complete re-install. The file is only about 200MB.

Oh I only did that because I have a series of drive images of my system partitions and I can restore from backup in like 10 minutes.
 
Re: undeletable file

Originally posted by tommygunner
If someone were to access it, it is not accessible because it doesn't have any permissions.
Maybe not in 2k, but how about in Unix?
(I'm not that familiar with 2k's ftp)
 
2K's ftp is pretty simplistic. There's an ftp root directory which you are taken to if you have no home dir or virtual directory. The wizard for virtual directory has some simple read and write options, but it's really NTFS permissions which one would use to effectively control what the user can do. There's a simple management console which is accessed through Internet Services Manager, which is in Administrative Tools. There's also smtp and web services in there as well.

It's ok, but often I have had connections time out and stuff; much better luck if the ftp client is using passive mode, I have been told.

You get much better systems, and the generic ftp that comes with Windows (both Professional and Server) is pretty simple.
 
Uv B33N HaX0r3d!!!

Just kidding.. You are correct though.. Chances are, someone found a way to gain access to your computer and has probably set up an FTP account. They could even be using your computer as a dump, shell/egg drop.. Or P0rn S3rv3R. :eek:

If the other suggestions won't help, StormBringer told me a while back that he was able to delete some files with Norton Wipe Disk that he couldn't delete otherwise.

Wipe Disk is a "data shredder" in case you aren't familiar with it. It is possible that other such programs may have the same result.
 
Hi, I only joined this site to help you with this problem.

You have been hit by someone like me who has created a locked directory on your ftp, and behind this locked dir there is probably a **** load of movies and mp3s and appz.

To learn about locked dirs and how to create and delete them look here:

hXXp://jtpfxp.net

Your server must have ****e security.
Most of the servers I do this to I don't need to hack.

If security is ****e like yours must be, all I would need to do is scan ur ip range.
Go to the above link to find out more.

My fav saying is:
KEEP YOUR FRIENDS CLOSE AND YOUR ENEMIES EVEN CLOSER
and I am afraid I am the enemy for you guys.
Nothing personal, just business :)

If you need any more info regarding any such matters and the above site is too complicated or just doesn't cover the matter, pm me and I will test your security for you or tell you how to test it yourself :)
 
funny

Yes, you can access directories on an FTP Server that has anonymous access open...you can even create locked directories.

Notice: An avid Cmd Shell user in NT, Win2K & WinXP should "know" dir/x. Why, you ask? Because reserved words/naming conventions inside of Explorer will prevent access to them. Now, let's say that they called the folder Com1, which really isn't the named object anyway; in reality, the com1 Folder or File is com1~1 (~1 being hidden). FTP Access means that the server does not create direct reserved word directories but does create a file handle to work with the directory, ie (com1~1). Windows Explorer, on the other hand, does not handle the reserved word naming so eloquently. It will prevent access to the file or folder because it is reserved to Explorer. Here comes DOS/Cmd to the rescue.

In this case the only real way of removal of the folder (files) is to go to a command shell...navigate to the directory.

Now, if you have a billion (52 Directories deep) Folders, then you can do a dir *.* /a/s/x/b >file.txt for a bare format of all folders listed....(with their aforementioned deletable short-names). I'm suggesting using the file.txt file for a batch execution...

ie, replace x:\com1\com2\com3\com1\lpt1\asdlfja;)__asdf21.xxx (etc) with
del x:\com1\com2\com3\com1\lpt1\asdlfja;)__asdf21.xxx
rd x:\com1\com2\com3\com1\lpt1
Del the file and remove the directories...for each line.

Now, though tedious, this will remove all files and directories...that have been created by a thyroid problematic child that has nothing better to do than find a bunch of action scripts, download them and use a port probe to find an ftp server.

Any Questions...feel free to contact me...directly via email...and no, I won't offer to resolve your pc questions by remote connecting and port probing your pc...Go to Google and search for an internal app that does a security port probe of your network. Better yet, go to Start, then Run, and type gpedit.msc and set up your trusts...

-jax
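The cleanup jax describes (list every file and directory under the dump tree, then emit a del line per file and an rd line per directory) can be generated rather than hand-edited. The script below is an added example and is not from anyone in this thread. It assumes the admin has already run, from a command prompt on the server, `dir X:\ftproot /a:-d /s /b > files.txt` and `dir X:\ftproot /a:d /s /b > dirs.txt` (the drive letter and path are placeholders), and it feeds those two listings in. Instead of relying on 8.3 short names, it prefixes each path with `\\?\`, which tells Win32 to hand the name to NTFS without reserved-device-name parsing; that is why cmd can remove a directory called com1 or lpt1 this way while Explorer chokes on it. The sample listings embedded in the script are constructed.

```python
"""Build a cmd.exe cleanup script for an FTP dump tree whose directories or
files use reserved device names (COM1, LPT1, NUL, ...).

Added example, not from the thread. Input is the output of
    dir X:\\ftproot /a:-d /s /b    (files)
    dir X:\\ftproot /a:d  /s /b    (directories)
captured on the server; the listings below are constructed placeholders.
"""

# Names Win32 reserves for devices; a path component whose part before the
# first dot matches one of these (case-insensitive) is treated as the device.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def is_reserved_name(component: str) -> bool:
    """True if one path component is a reserved device name.

    "com1", "COM1.txt" and "lpt1 " all map to the device; "com10" does not.
    """
    stem = component.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def reserved_components(path: str) -> list[str]:
    """Return the components of a path that Explorer will refuse to open."""
    return [part for part in path.split("\\") if is_reserved_name(part)]


def extended_path(path: str) -> str:
    """Prefix an absolute path with \\\\?\\ so cmd bypasses device-name parsing."""
    if path.startswith("\\\\?\\"):
        return path
    return "\\\\?\\" + path


def build_cleanup_script(file_listing: str, dir_listing: str) -> list[str]:
    """Turn the two dir listings into cmd lines: del per file, then rd per
    directory, deepest directories first so each rd sees an empty folder."""
    files = [line.strip() for line in file_listing.splitlines() if line.strip()]
    dirs = [line.strip() for line in dir_listing.splitlines() if line.strip()]
    dirs.sort(key=lambda p: p.count("\\"), reverse=True)

    lines = ["@echo off"]
    for path in files:
        lines.append(f'del /f /q "{extended_path(path)}"')
    for path in dirs:
        lines.append(f'rd "{extended_path(path)}"')
    return lines


# Constructed sample listings standing in for files.txt and dirs.txt.
FILES_TXT = """X:\\ftproot\\com1\\lpt1\\asdf.zip
X:\\ftproot\\com1\\readme.nfo
"""
DIRS_TXT = """X:\\ftproot\\com1
X:\\ftproot\\com1\\lpt1
"""


if __name__ == "__main__":
    for path in FILES_TXT.splitlines():
        if path:
            print(f"{path}: reserved components {reserved_components(path)}")
    # Redirect this output to cleanup.cmd and run it from an elevated prompt.
    print("\n".join(build_cleanup_script(FILES_TXT, DIRS_TXT)))
```

Deleting files before directories, and the deepest directories first, keeps each `rd` non-recursive, so a failure on one entry leaves the rest of the generated script reviewable rather than half-applied. The `reserved_components` report is useful on its own: it tells you which entries were the ones crashing Explorer, which is worth recording in the incident notes alongside the rest of the cleanup.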
 