So your new dedicated came from CFdynamics? That sucks...so now I have to make sure too...damn it.
----- Original Message -----
From: "Tony" <[EMAIL PROTECTED]>
To: "CF-Community" <[email protected]>
Sent: Thursday, September 08, 2005 8:26 AM
Subject: Re: help!!

> thanks kev. as you can imagine, i had a fun night. looking over the
> whole box, it appears this was all through that ftp client. the files
> have been whacked, the box has been cleaned, and re-doing it is just
> not an option, but i think i'm good right now, and i have the guys at
> the host doing a big once-over today too...
>
> thanks
> tony
>
> On 9/8/05, Kevin Graeme <[EMAIL PROTECTED]> wrote:
>> This is a really old attack. As you're finding out, they scan for ftp
>> servers that allow anonymous connections, then use them as a distributed
>> file sharing system for warez. In your case, for the Medal of Honor game.
>> When they find some open storage space, they write a long string of
>> directory structures and put segmented files onto your server. Then the
>> location is distributed through the group's communication channels, often
>> an IRC warez bot, and the group's members can then retrieve the files off
>> your system.
>>
>> FlashFXP is a popular FTP software tool. In and of itself it's not an
>> indicator of an attack or compromise. It's actually a really nice tool.
>> It's commercial though and we're licensed here for a different one, but
>> I'd use it if I had the option. One of the big features that it had before
>> most other FTP software is the ability to do FXP transfers, or
>> server-to-server ftp.
>> http://www.inicom.net/pages/en.ffxp-home.php
>>
>> First thing I'd do is lock down the box. Disable anonymous ftp obviously.
>> If you can, it's probably a good idea to disable FTP entirely and use SFTP
>> instead and only open it to passworded user accounts you know you need.
>> When logging into FTP, your credentials are sent as plain text that anyone
>> can sniff if they try. SFTP is basically FTP that is run over a secure
>> shell connection, encrypting the information much like how SSL works for
>> web pages. Set up right and with a good software client it's exactly like
>> using FTP, just secure.
>>
>> Since I don't know enough about what other risks this might have opened
>> you up to, like IRC bots working on strange ports, I would be inclined to
>> do a wipe and reinstall. It's a sledgehammer instead of a scalpel, but I
>> know that my security auditing skills aren't that good so I end up having
>> to resort to drastic measures to make up for my lack of knowledge.
>> Hopefully someone more skilled in such things (Jochem?) might be able to
>> chime in.
>>
>> Good luck.
>>
>> -Kevin
>>
>>
>> On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
>> >
>> > id rather not mention the name, until i find out what the fuck
>> > is up.
>> >
>> > the ip of the box who up'd the files is
>> >
>> > 85.234.195.20
>> >
>> > i started to notice some odd directories, but i thought it was
>> > a sysadmin doing something... (69.250.12.29 is me)
>> >
>> > 05:58:35 69.250.12.29 [213]CWD .. 250 0
>> > 05:58:36 69.250.12.29 [213]CWD .. 250 0
>> > 05:58:38 69.250.12.29 [213]CWD .tag4 250 0
>> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
>> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
>> >
>> > and then this cocksucker...
>> > [EMAIL PROTECTED] get the bright idea to download
>> > the files...
>> >
>> > 08:23:34 85.234.195.20 [211]closed - 421 121
>> > 10:06:25 85.234.195.20 [214]USER anonymous 331 0
>> > 10:06:25 85.234.195.20 [214]PASS [EMAIL PROTECTED] 230 0
>> > 10:06:25 85.234.195.20 [214]CWD
>> > /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+-
>> > -+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
>> >
>> > and then i think he thought about logging in with his normal info...
>> > and changed his identity.... (the guilt got to him.)
>> >
>> > /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+-
>> > -+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
>> > 10:06:59 85.234.195.20 [216]USER anonymous 331 0
>> > 10:06:59 85.234.195.20 [216]PASS [EMAIL PROTECTED] 0
>> > 10:06:59 85.234.195.20 [216]CWD
>> >
>> > not sure what he is doing here... but he does this to EVERY file.
>> >
>> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.001 350 0
>> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.001+./+/250 0
>> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.002 350 0
>> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.002+./+/250 0
>> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.003 350 0
>> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.003+./+/250 0
>> > 10:07:01 85.234.195.20 [216]RNFR MOHDAEF.004 350 0
>> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.004+./+/250 0
>> >
>> > then a couple more fucknuts show up...
>> >
>> > 20:16:36 213.213.212.18 [224]USER anonymous 331 0
>> > 20:16:36 213.213.212.18 [224]PASS [EMAIL PROTECTED] 0
>> > 22:08:25 80.138.33.123 [225]USER anonymous 331 0
>> > 22:08:25 80.138.33.123 [225]PASS [EMAIL PROTECTED] 230 0
>> > 22:08:41 80.138.33.123 [226]USER anonymous 331 0
>> > 22:08:41 80.138.33.123 [226]PASS [EMAIL PROTECTED] 230 0
>> >
>> > one recurring one though... [EMAIL PROTECTED]
>> >
>> > so. what to do? send complaints? where do i start?
>> >
>> > thanks for any help.
>> > tony
>> >
>> >
>> > On 9/8/05, Cameron Childress <[EMAIL PROTECTED]> wrote:
>> > > On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
>> > > > do you think someone dropped a game on my box to burn it?
>> > >
>> > > Where is this box hosted? Some of the guys at ACFUG once caught a
>> > > customer support person at Interland surfing porn on their shared
>> > > hosting machine.
>> > >
>> > > Anything is possible.
>> > >
>> > > -Cameron
>> > >
>> >
>> > --
>> > ....tony
>> >
>> > Tony Weeg
>> > tonyweeg [at] gmail [dot] com
>> >
>> >
>>
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application
http://www.houseoffusion.com/banners/view.cfm?bannerid=48
Message: http://www.houseoffusion.com/lists.cfm/link=i:5:173262
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:5
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.5
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
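The indicators the thread walks through (a successful anonymous login, CWD into directories named after reserved DOS devices such as lpt5 and com0, and RNFR/RNTO renames that tack "./+/" onto every file) can be pulled out of the server's own FTP log mechanically. The script below is an added example, not code from the thread or from any of its participants; it assumes the IIS-style `time ip [session]COMMAND arg status win32` line shape seen in the quoted logs, the names `parse`, `analyze` and `SAMPLE_LOG` are hypothetical, and the sample lines are constructed with RFC 5737 test addresses rather than the thread's.

```python
import re
from collections import defaultdict

# IIS-style FTP log line as quoted in the thread: HH:MM:SS ip [session]COMMAND arg status win32
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"\[(?P<sess>\d+)\](?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*?))?\s+(?P<status>\d{3})\s+\d+$"
)
# Reserved DOS device names (lpt5, com0 ... in the thread's paths): such dirs resist ordinary Windows tools.
DEVICE_RE = re.compile(r"(?i)(?<![a-z0-9])(?:con|prn|aux|nul|com\d|lpt\d)(?![a-z0-9])")

def parse(line):
    # Fields of one log line as a dict, or None if the line is not in the expected shape
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    # Map client IP -> list of warez-drop indicators found in that client's log lines
    findings = defaultdict(list)
    anon, pending_rnfr = set(), {}          # both keyed by (ip, session)
    for line in lines:
        e = parse(line)
        if not e:
            continue
        ip, key, cmd, arg = e["ip"], (e["ip"], e["sess"]), e["cmd"].upper(), e["arg"] or ""
        if cmd == "USER" and arg.lower() in ("anonymous", "ftp"):
            anon.add(key)
        elif cmd == "PASS" and key in anon and e["status"] == "230":
            findings[ip].append("anonymous login succeeded")
        elif cmd == "CWD" and any(DEVICE_RE.search(c) for c in arg.split("/")):
            findings[ip].append(f"CWD into reserved-device-name dir: {arg}")
        elif cmd == "RNFR":
            pending_rnfr[key] = arg
        elif cmd == "RNTO" and key in pending_rnfr:
            src = pending_rnfr.pop(key)
            if "/" in arg:                  # new name smuggles path separators, as in "...+./+/"
                findings[ip].append(f"suspicious rename {src} -> {arg}")
    return dict(findings)

# Constructed sample in the thread's log format; addresses are from the RFC 5737 test ranges.
SAMPLE_LOG = """\
05:58:38 203.0.113.7 [213]CWD .tag4 250 0
05:58:40 203.0.113.7 [213]CWD /.tag4/.++++lpt5 550 2
10:06:25 198.51.100.9 [214]USER anonymous 331 0
10:06:25 198.51.100.9 [214]PASS guest@example.invalid 230 0
10:06:25 198.51.100.9 [214]CWD /.tag4/+++.++++lpt5/++.++com0/++.group+tag 250 0
10:06:59 198.51.100.9 [216]RNFR GAME.001 350 0
10:06:59 198.51.100.9 [216]RNTO GAME.001+./+/ 250 0
""".splitlines()
```

A failed CWD (status 550) into a device-named directory is still reported, since the attempt itself is the signal; ordinary renames with no path separator in the new name are not.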
