Hacker having fun with my FTP.

Hello,

We have an FTP site which we run and until recently it was restricted only
to specified IP addresses via firewall, however, over the past week I removed
those restrictions temporarily to troubleshoot a connectivity issue. During
this time, it seems that a hacker has created some folders in our
inetpub\ftproot folder. These folders have no name, and when I try to delete
them I get the message "Cannot delete file: Cannot read from the source file
or disk."

Any ideas?
 
Pretty scary what happens in a short period of time. Since your computer has
been compromised the best solution would be to rebuild it with the operating
system installed to a formatted system drive but that is your call. See the
first link below to see if it helps in deleting those folders and you may
also need to try in Safe Mode. Also for Windows 2000 you really want to run
the Microsoft IIS Lockdown/URLscan tool if you have not done so and use MBSA
to check your computer for basic security vulnerabilities such as missing
critical updates. --- Steve

http://support.microsoft.com/?kbid=320081
http://www.microsoft.com/technet/security/tools/locktool.mspx --- IIS Lockdown tool
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
 
Andrew said:
Hello,

We have an FTP site which we run and until recently it was restricted only
to specified IP addresses via firewall, however, over the past week I removed
those restrictions temporarily to troubleshoot a connectivity issue. During
this time, it seems that a hacker has created some folders in our
inetpub\ftproot folder. These folders have no name, and when I try to delete
them I get the message "Cannot delete file: Cannot read from the source file
or disk."

This is very common and is called "FTP tagging" or "pubstro." It is
generally unsafe to let the anonymous FTP account [for example,
IUSR_computername] have both read and write permissions to any FTP folder.
You should use NTFS permissions to create an Upload folder with write only
permissions [no read] to the anon user, and Download folder with read only
permissions.

One way to often delete the folder is to determine the short 8.3 file name
at the command prompt within Windows using the DIR /X command, then use the
RD command to delete that folder. If that fails, you may have to take
ownership of that folder and grant yourself permissions first.

More info:

http://securityadmin.info/faq.asp#ftpfolder
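
An added example, not part of the thread or any poster's code: a small audit that walks an FTP root and flags folder names Explorer cannot manage, such as the "no name" folders described above. It goes beyond the blank-name case to trailing spaces or dots, control characters and reserved device names (assumed here as related cases); the function names and sample names are constructed.

```python
import os
import sys

# Names Win32 reserves for DOS devices, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)
}


def name_problems(name):
    """Return the reasons a folder name cannot be managed from Explorer."""
    reasons = []
    if name.strip() == "":  # spaces, tabs, U+00A0: displays as "no name"
        reasons.append("blank name (whitespace only)")
    elif name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    if any(ord(c) < 32 for c in name):
        reasons.append("control character in name")
    if name.split(".")[0].strip().upper() in RESERVED:
        reasons.append("reserved DOS device name")
    return reasons


def audit_tree(root):
    """Walk root and return sorted (path, reasons) for every flagged folder."""
    # On Windows, give root in \\?\C:\... form so Win32 does not normalize names.
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            reasons = name_problems(d)
            if reasons:
                findings.append((os.path.join(dirpath, d), reasons))
    return sorted(findings)


# Constructed sample names, used when no FTP root is given on the command line.
SAMPLE_NAMES = ["uploads", " ", "\u00a0\u00a0", "tagged .", "com1", "docs"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, reasons in audit_tree(sys.argv[1]):
            print(f"{path!r}: {', '.join(reasons)}")
    else:
        for n in SAMPLE_NAMES:
            print(f"{n!r}: {', '.join(name_problems(n)) or 'ok'}")
```

Run it with the FTP root as the only argument to list flagged folders; `repr()` is used in the output so whitespace-only names are visible.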
 