This is a really old attack. As you're finding out, they scan for ftp servers that allow anonymous connections then use them as a distributed file sharing system for warez. In your case, for the medal of honor game. When they find some open storage space, they write a long string of directory structures and put segmented files onto your server. Then the location is distributed through the group's communication channels, often an IRC warez bot, and the group's members can then retrieve the files off your system.
FlashFXP is a popular FTP software tool. In and of itself it's not an indicator of an attack or compromise. It's actually a really nice tool. It's commercial though and we're licensed here for a different one, but I'd use it if I had the option. One of the big features that it had before most other FTP software is the ability to do FXP transfers, or server-to-server ftp. http://www.inicom.net/pages/en.ffxp-home.php

First thing I'd do is lock down the box. Disable anonymous ftp obviously. If you can, it's probably a good idea to disable FTP entirely and use SFTP instead and only open it to passworded user accounts you know you need. When logging into FTP, your credentials are sent as plain text that anyone can sniff if they try. SFTP is basically FTP that is run over a secure shell connection, encrypting the information much like how SSL works for web pages. Set up right and with a good software client it's exactly like using FTP, just secure.

Since I don't know enough about what other risks this might have opened you up to, like IRC bots working on strange ports, I would be inclined to do a wipe and reinstall. It's a sledgehammer instead of a scalpel but I know that my security auditing skills aren't that good so I end up having to resort to drastic measures to make up for my lack of knowledge. Hopefully someone more skilled in such things (Jochem?) might be able to chime in.

Good luck.

-Kevin

On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
>
> I'd rather not mention the name, until I find out what the fuck
> is up.
>
> the ip of the box who up'd the files is
>
> 85.234.195.20
>
> I started to notice some odd directories, but I thought it was
> a sysadmin doing something... (69.250.12.29 is me)
>
> 05:58:35 69.250.12.29 [213]CWD .. 250 0
> 05:58:36 69.250.12.29 [213]CWD .. 250 0
> 05:58:38 69.250.12.29 [213]CWD .tag4 250 0
> 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
> 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
>
> and then this cocksucker...
> [EMAIL PROTECTED] gets the bright idea to download
> the files...
>
> 08:23:34 85.234.195.20 [211]closed - 421 121
> 10:06:25 85.234.195.20 [214]USER anonymous 331 0
> 10:06:25 85.234.195.20 [214]PASS [EMAIL PROTECTED] 230 0
> 10:06:25 85.234.195.20 [214]CWD
> /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
>
> and then I think he thought about logging in with his normal info...
> and changed his identity.... (the guilt got to him.)
>
> /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
> 10:06:59 85.234.195.20 [216]USER anonymous 331 0
> 10:06:59 85.234.195.20 [216]PASS [EMAIL PROTECTED] 0
> 10:06:59 85.234.195.20 [216]CWD
>
> not sure what he is doing here... but he does this to EVERY file.
>
> 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.001 350 0
> 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.001+./+/250 0
> 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.002 350 0
> 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.002+./+/250 0
> 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.003 350 0
> 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.003+./+/250 0
> 10:07:01 85.234.195.20 [216]RNFR MOHDAEF.004 350 0
> 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.004+./+/250 0
>
> then a couple more fucknuts show up...
>
> 20:16:36 213.213.212.18 [224]USER anonymous 331 0
> 20:16:36 213.213.212.18 [224]PASS [EMAIL PROTECTED] 0
> 22:08:25 80.138.33.123 [225]USER anonymous 331 0
> 22:08:25 80.138.33.123 [225]PASS [EMAIL PROTECTED] 230 0
> 22:08:41 80.138.33.123 [226]USER anonymous 331 0
> 22:08:41 80.138.33.123 [226]PASS [EMAIL PROTECTED] 230 0
>
> one recurring one though... [EMAIL PROTECTED]
>
> so. what to do? send complaints? where do I start?
>
> thanks for any help.
> tony
>
>
> On 9/8/05, Cameron Childress <[EMAIL PROTECTED]> wrote:
> > On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
> > > do you think someone dropped a game on my box to burn it?
> >
> > Where is this box hosted? Some of the guys at ACFUG once caught a
> > customer support person at Interland surfing porn on their shared
> > hosting machine.
> >
> > Anything is possible.
> >
> > -Cameron
>
> --
> ....tony
>
> Tony Weeg
> tonyweeg [at] gmail [dot] com
Message: http://www.houseoffusion.com/lists.cfm/link=i:5:173258
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5
