thanks kev. as you can imagine, i had a fun night looking over the
whole box. it appears this was all through that ftp client; the files
have been whacked, the box has been cleaned, and re-doing it is just
not an option, but i think i'm good right now, and i have the guys at
the host doing a big once-over today too...

thanks
tony

On 9/8/05, Kevin Graeme <[EMAIL PROTECTED]> wrote:
> This is a really old attack. As you're finding out, they scan for ftp
> servers that allow anonymous connections then use them as a distributed file
> sharing system for warez. In your case, for the medal of honor game. When
> they find some open storage space, they write a long string of directory
> structures and put segmented files onto your server. Then the location is
> distributed through the group's communication channels, often an IRC warez
> bot, and the group's members can then retrieve the files off your system.
> 
> FlashFXP is a popular FTP software tool. In and of itself it's not an
> indicator of an attack or compromise. It's actually a really nice tool. It's
> commercial though and we're licensed here for a different one, but I'd use
> it if I had the option. One of the big features that it had before most
> other FTP software is the ability to do FXP transfers, or server-to-server
> ftp.
> http://www.inicom.net/pages/en.ffxp-home.php
> 
> First thing I'd do is lock down the box. Disable anonymous ftp obviously. If
> you can, it's probably a good idea to disable FTP entirely and use SFTP
> instead and only open it to passworded user accounts you know you need. When
> logging into FTP, your credentials are sent as plain text that anyone can
> sniff if they try. SFTP is basically FTP that is run over a secure shell
> connection, encrypting the information much like how SSL works for web
> pages. Set up right and with a good software client it's exactly like using
> FTP, just secure.
> 
> Since I don't know enough about what other risks this might have opened you
> up to, like IRC bots working on strange ports, I would be inclined to do a
> wipe and reinstall. It's a sledgehammer instead of a scalpel but I know that
> my security auditing skills aren't that good so I end up having to resort to
> drastic measures to make up for my lack of knowledge. Hopefully someone more
> skilled in such things (Jochem?) might be able to chime in.
> 
> Good luck.
> 
> -Kevin
> 
> 
> On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
> >
> > i'd rather not mention the name until i find out what the fuck
> > is up.
> >
> > the ip of the box who up'd the files is
> >
> > 85.234.195.20
> >
> > i started to notice some odd directories, but i thought it was
> > a sysadmin doing something... (69.250.12.29 is me)
> >
> > 05:58:35 69.250.12.29 [213]CWD .. 250 0
> > 05:58:36 69.250.12.29 [213]CWD .. 250 0
> > 05:58:38 69.250.12.29 [213]CWD .tag4 250 0
> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
> >
> > and then this cocksucker...
> > [EMAIL PROTECTED] got the bright idea to download
> > the files...
> >
> > 08:23:34 85.234.195.20 [211]closed - 421 121
> > 10:06:25 85.234.195.20 [214]USER anonymous 331 0
> > 10:06:25 85.234.195.20 [214]PASS [EMAIL PROTECTED] 230 0
> > 10:06:25 85.234.195.20 [214]CWD /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
> >
> > and then i think he thought about logging in with his normal info...
> > and changed his
> > identity.... (the guilt got to him.)
> >
> > /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
> > 10:06:59 85.234.195.20 [216]USER anonymous 331 0
> > 10:06:59 85.234.195.20 [216]PASS [EMAIL PROTECTED] 0
> > 10:06:59 85.234.195.20 [216]CWD
> >
> > not sure what he is doing here... but he does this to EVERY File.
> >
> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.001 350 0
> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.001+./+/ 250 0
> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.002 350 0
> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.002+./+/ 250 0
> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.003 350 0
> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.003+./+/ 250 0
> > 10:07:01 85.234.195.20 [216]RNFR MOHDAEF.004 350 0
> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.004+./+/ 250 0
> >
> > then a couple more fucknuts show up...
> >
> > 20:16:36 213.213.212.18 [224]USER anonymous 331 0
> > 20:16:36 213.213.212.18 [224]PASS [EMAIL PROTECTED] 0
> > 22:08:25 80.138.33.123 [225]USER anonymous 331 0
> > 22:08:25 80.138.33.123 [225]PASS [EMAIL PROTECTED] 230 0
> > 22:08:41 80.138.33.123 [226]USER anonymous 331 0
> > 22:08:41 80.138.33.123 [226]PASS [EMAIL PROTECTED] 230 0
> >
> > one recurring one though... [EMAIL PROTECTED]
> >
> > so. what to do? send complaints? where do i start?
> >
> > thanks for any help.
> > tony
> >
> >
> > On 9/8/05, Cameron Childress <[EMAIL PROTECTED]> wrote:
> > > On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
> > > > do you think someone dropped a game on my box to burn it?
> > >
> > > Where is this box hosted? Some of the guys at ACFUG once caught a
> > > customer support person at Interland surfing porn on their shared
> > > hosting machine.
> > >
> > > Anything is possible.
> > >
> > > -Cameron
> > >
> >
> > --
> > ....tony
> >
> > Tony Weeg
> > tonyweeg [at] gmail [dot] com
> >
> >
> 
> 
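Added example, not part of the thread and not code from Tony, Kevin or the list: a small Python triage script that applies the three things the thread teaches a defender to look for in FTP logs of this layout (accepted anonymous logins, "tagged" directory names with runs of `+`/`.` and embedded Windows reserved device names such as `lpt5`/`com0`, and RNFR/RNTO renames whose target looks like a path fragment, e.g. `MOHDAEF.001+./+/`). It assumes the IIS-style line layout seen in the excerpts above (time, client IP, `[session]COMMAND argument reply-code win32-status`); the sample lines are constructed for the example, reusing the thread's own addresses and directory names and adding one benign made-up session for contrast. Failed CWDs (reply 550) are still reported, since in the thread they show an account probing for the hidden tree; the admin's own browsing into the tagged directories (69.250.12.29 in the thread) is flagged as well, which is the intended behaviour of a path-based rule.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same IIS-style FTP log layout as the thread's excerpts
# (time, client IP, [session-id]COMMAND, argument, FTP reply code, Win32 status).
# Addresses and directory names are taken from the thread; the 192.0.2.10 session
# and the e-mail addresses are made up.
SAMPLE_LOG = """\
05:58:35 69.250.12.29 [213]CWD .. 250 0
05:58:38 69.250.12.29 [213]CWD .tag4 250 0
05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
10:06:25 85.234.195.20 [214]USER anonymous 331 0
10:06:25 85.234.195.20 [214]PASS user@example.com 230 0
10:06:25 85.234.195.20 [214]CWD /.tag4/+++.++++lpt5/++.++com0/++.K.I.T.T 250 0
10:06:59 85.234.195.20 [216]RNFR MOHDAEF.001 350 0
10:06:59 85.234.195.20 [216]RNTO MOHDAEF.001+./+/ 250 0
20:16:36 213.213.212.18 [224]USER anonymous 331 0
20:16:36 213.213.212.18 [224]PASS guest@example.net 230 0
11:00:00 192.0.2.10 [230]USER alice 331 0
11:00:00 192.0.2.10 [230]PASS ***** 230 0
11:00:05 192.0.2.10 [230]CWD /reports 250 0
"""

# One log record: time, ip, [session]cmd, argument, 3-digit reply code, win32 status.
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<ip>\S+) \[(?P<session>\d+)\](?P<cmd>\S+) "
    r"(?P<arg>.+?) (?P<status>\d{3}) (?P<win32>\d+)$"
)

# Windows reserved device names (CON, PRN, AUX, NUL, COMn, LPTn) embedded in a path.
# Directories carrying these names cannot be handled by ordinary Win32 tools, which is
# why such trees are hard to clean up once created.
DEVICE_RE = re.compile(r"(?i)(?<![a-z0-9])(?:con|prn|aux|nul|com\d|lpt\d)(?![a-z0-9])")

# "Tagged" segments: two or more leading '.' or '+' characters, as in /.tag4/+++.++++lpt5/.
TAG_RE = re.compile(r"^[.+]{2,}")


@dataclass
class Finding:
    time: str
    ip: str
    session: str
    rule: str
    detail: str


def parse_line(line):
    """Return the record as a dict, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def path_reasons(path):
    """List why a CWD/MKD argument looks like a warez drop directory (empty if clean)."""
    reasons = []
    if DEVICE_RE.search(path):
        reasons.append("reserved device name in path")
    segments = [s for s in path.split("/") if s not in ("", ".", "..")]
    if any(TAG_RE.match(s) for s in segments):
        reasons.append("tag-style directory name")
    return reasons


def analyze(log_text):
    """Run the three rules over the log text and return a list of Finding objects."""
    findings = []
    pending_anonymous = set()  # (ip, session) pairs that sent USER anonymous
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        cmd, arg, status = rec["cmd"].upper(), rec["arg"], rec["status"]
        key = (rec["ip"], rec["session"])
        if cmd == "USER" and arg.lower() == "anonymous":
            pending_anonymous.add(key)
        elif cmd == "PASS" and key in pending_anonymous:
            pending_anonymous.discard(key)
            if status == "230":  # 230 = login accepted
                findings.append(Finding(rec["time"], rec["ip"], rec["session"],
                                        "anonymous-login", f"accepted, password field {arg!r}"))
        elif cmd in ("CWD", "MKD", "XMKD"):
            for reason in path_reasons(arg):
                findings.append(Finding(rec["time"], rec["ip"], rec["session"],
                                        "suspicious-path", f"{reason}: {arg}"))
        elif cmd == "RNTO" and ("./" in arg or arg.endswith("/")):
            findings.append(Finding(rec["time"], rec["ip"], rec["session"],
                                    "odd-rename", f"rename target looks like a path: {arg}"))
    return findings


def summarize(findings):
    """Count findings per (client IP, rule) so the noisiest sources stand out."""
    return Counter((f.ip, f.rule) for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.time} {f.ip} [{f.session}] {f.rule}: {f.detail}")
    print(summarize(results))
```

The per-(IP, rule) counter is what you would hand to the host or an abuse desk alongside the raw lines: it separates the one-off browse from the account that both logged in anonymously and renamed every segment file, which is the pattern Kevin describes.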


Message: http://www.houseoffusion.com/lists.cfm/link=i:5:173259
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5