John,
Check out Microsoft's TechNet article "MS Internet Information Server 4.0
Security Checklist", specifically the "Move and ACL Critical Files" section.
http://www.microsoft.com/technet/iis/technote/iischeck.asp
Here's another article that says the same thing.
http://www.microsoft.com/technet/security/datavail.asp
"Place all commonly used administrative tools in a special directory out of
%systemroot% and ACL them so that only administrators have full access to
these files. For example create a directory called \CommonTools and place
the following files in there."
They list a number of programs that an intruder might play havoc with,
including regedt32.exe, ftp.exe, telnet.exe, ping.exe, etc. Actually,
there's probably little reason to even have many of them installed on a
server.
Jim
----- Original Message -----
From: "John Cesta - Lists" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Monday, March 26, 2001 12:57 PM
Subject: hacked and wondering why?
> On the 24th our ISP pulled the plug on our co-located servers. They said our
> servers were pumping 20 mbs each of data through the network. Upon
> investigation, we found around 20 ping.exe processes running in the task
> manager. As soon as we rebooted, the ping.exe processes were gone and
> everything was fine. The ping processes were pinging yahoo.com BTW.
>
> One of the network engineers at the center said that he was familiar with
> this hack. He said that:
>
> "There is a program out on the net called Win Management, with it a hacker
> can "sneak" into the FTP port (as he explained it, they ride on the
> coat-tails of an active FTP user), then they run rsh.exe and spawn the
> ping.exe processes."
>
> I was wondering if this is in fact an exploit in Serv-u (which we use) or
> any FTP server for that matter.
>
> What we did, anyway, was to change the FTP port from 21 to a higher
> value.
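A read-only way to check the "Move and ACL Critical Files" advice quoted in the reply, as an added example that is not part of the original thread or of Microsoft's checklist: it lists every allow entry that lets a non-administrative principal execute the tools named above. The function name `Get-NonAdminExecuteAce`, the directories inspected, and the set of SIDs treated as administrative are assumptions to adjust for your build.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Tool names are the ones mentioned in the reply above.
$Tools = 'regedt32.exe', 'ftp.exe', 'telnet.exe', 'ping.exe'

# Assumption: directories to inspect. \CommonTools is the checklist's example name.
$Dirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemDrive 'CommonTools')
)

# Assumption: principals treated as administrative (well-known SIDs).
# Extend this list for any service SIDs that own system files on your build.
$AdminSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

$ExecuteBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

# Hypothetical helper: returns one object per allow ACE that grants
# execute rights on $Path to a principal outside $AdminSids.
function Get-NonAdminExecuteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $ExecuteBit) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value  # unresolvable account: report as-is
        }
        if ($AdminSids -notcontains $sid) {
            [pscustomobject]@{
                File     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

foreach ($dir in $Dirs) {
    foreach ($tool in $Tools) {
        $path = Join-Path $dir $tool
        if (Test-Path -LiteralPath $path -PathType Leaf) { Get-NonAdminExecuteAce -Path $path }
    }
}
```

An empty result means no copy of the listed tools in those directories is executable by anyone outside the administrative set; any rows returned are the entries the checklist's advice would have you tighten.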