Was your FTP root on the OS partition? If so, it is possible
----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Monday, March 26, 2001 5:47 PM
Subject: RE: hacked and wondering why?


> > On the 24th our ISP pulled the plug on our co-located servers.
> > They said our servers were pumping 20 mbs each of data through
> > the network. Upon investigation, we found around 20 ping.exe
> > processes running in the task manager. As soon as we rebooted,
> > the ping.exe processes were gone and everything was fine. The
> > ping processes were pinging yahoo.com BTW.
> >
> > One of the network engineers at the center said that he was
> > familiar with this hack. He said that:
> >
> > "There is a program out on the net called Win Management, with
> > it a hacker can "sneak" into the FTP port (as he explained it,
> > they ride on the coat-tails of an active FTP user), then they
> > run rsh.exe and spawn the ping.exe processes."
> >
> > I was wondering if this is in fact an exploit in Serv-u (which
> > we use) or any FTP server for that matter.
> >
> > What we did, anyway, was to change the FTP port from 21 to a
> > higher value.
> >
> > Does any one know if the network engineer's assessment of this
> > hack is accurate or not?
>
> While this isn't my area of expertise, it sounds a bit fishy to me.
>
> First of all, it seems odd that a program could "sneak into the FTP port".
> While TCP hijacking is possible, it's more likely that the hijacker would
> simply record FTP usernames and passwords, then connect later. Also, to run
> rsh against your server, that server has to be running the remote shell
> service (rshsvc), which you wouldn't install on a publicly-accessible web
> server, so they'd have to upload the service binaries, then get them
> installed. To install a service requires administrator privileges, so they'd
> have to get an admin username and password from reading the FTP traffic, or
> by getting some other process to do the installation, such as the at
> service. That's a lot of work just to run twenty copies of ping.
>
> Second, I couldn't find any mention of either "Win Management" or the
> described hack in searches against securityfocus.com or other big lists.
>
> Nevertheless, I suppose that something happened to get all those ping
> instances going. And, of course, I'm a programmer, not a network or security
> engineer, so who knows what's possible?
>
> Changing the FTP port probably won't help much; it's easy enough to scan the
> machines to find the listening ports, and if someone's already got remote
> shell access, they don't need FTP anymore. You'll need to thoroughly clean
> the machines to ensure that there aren't any backdoors. When you do that,
> you might decide against allowing people to upload executable content via
> FTP.
>
> I'd certainly be interested in hearing more as you learn about it.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
>
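A defender-side triage script for the indicators discussed in this thread (an added example, written for this page and not code from either poster): it counts ping.exe processes and shows what spawned them, checks whether the Remote Shell service is installed, looks for scheduled tasks that run from the FTP root, and flags an FTP root that shares the OS partition. The FTP root path and the ping threshold are assumed parameters; it expects an elevated PowerShell 5.1 or later session on the suspect host.

```powershell
# Added host-triage script (not from the thread). Assumptions: run elevated on
# the suspect Windows host; -FtpRoot and -PingThreshold are hypothetical values.
param(
    [string]$FtpRoot = 'C:\inetpub\ftproot',  # hypothetical FTP root path
    [int]$PingThreshold = 5                   # the thread saw about 20 copies
)

# 1. Swarm of ping.exe: show which process spawned each copy and its target.
$pings = @(Get-CimInstance Win32_Process -Filter "Name='ping.exe'")
if ($pings.Count -ge $PingThreshold) {
    Write-Warning "$($pings.Count) ping.exe processes running"
    $pings | Select-Object ProcessId, ParentProcessId, CommandLine |
        Format-Table -AutoSize
}

# 2. Remote Shell service: it should not exist on a public FTP/web host at all.
$rsh = Get-Service -Name rshsvc -ErrorAction SilentlyContinue
if ($rsh) {
    Write-Warning "Remote Shell service present: $($rsh.DisplayName) ($($rsh.Status))"
    Get-CimInstance Win32_Service -Filter "Name='rshsvc'" |
        Select-Object PathName, StartName
}

# 3. Scheduled tasks (the 'at' route) whose action runs something from the FTP root.
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "$FtpRoot*" } |
    ForEach-Object {
        Write-Warning "Task '$($_.TaskName)' runs $($_.Actions.Execute)"
    }

# 4. FTP root on the OS partition, and executable content sitting inside it.
if ($FtpRoot.Substring(0, 2) -ieq $env:SystemDrive) {
    Write-Warning "FTP root $FtpRoot shares the system drive $env:SystemDrive"
}
Get-ChildItem -Path $FtpRoot -Recurse -Include *.exe, *.dll, *.bat, *.cmd `
    -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Any hit in checks 2 or 3 means the box needs the full rebuild Dave describes rather than a port change, since the service or task already runs with administrative rights.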