> They list a number of programs that an intruder might play havoc with,
> including regedt32.exe, ftp.exe, telnet.exe, ping.exe, etc. Actually,
> there's probably little reason to even have many of them installed on a
> server.
Yea, we just removed most of them.
thanks,
John
> -----Original Message-----
> From: Jim McAtee [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 26, 2001 6:19 PM
> To: CF-Server
> Subject: Re: hacked and wondering why?
>
>
> John,
>
> Check out Microsoft's technet article "MS Internet Information Server 4.0
> Security Checklist", specifically the "Move and ACL Critical
> Files" section.
>
> http://www.microsoft.com/technet/iis/technote/iischeck.asp
>
> Here's another article that says the same thing.
>
> http://www.microsoft.com/technet/security/datavail.asp
>
>
> "Place all commonly used administrative tools in a special directory out of
> %systemroot% and ACL them so that only administrators have full access to
> these files. For example create a directory called \CommonTools and place
> the following files in there."
> They list a number of programs that an intruder might play havoc with,
> including regedt32.exe, ftp.exe, telnet.exe, ping.exe, etc. Actually,
> there's probably little reason to even have many of them installed on a
> server.
>
> Jim
>
>
> ----- Original Message -----
> From: "John Cesta - Lists" <[EMAIL PROTECTED]>
> To: "CF-Server" <[EMAIL PROTECTED]>
> Sent: Monday, March 26, 2001 12:57 PM
> Subject: hacked and wondering why?
>
>
> > On the 24th our ISP pulled the plug on our co-located servers. They said our
> > servers were pumping 20 mbs each of data through the network. Upon
> > investigation, we found around 20 ping.exe processes running in the task
> > manager. As soon as we rebooted, the ping.exe processes were gone and
> > everything was fine. The ping processes were pinging yahoo.com BTW.
> >
> > One of the network engineers at the center said that he was familiar with
> > this hack. He said that:
> >
> > "There is a program out on the net called Win Management, with it a hacker
> > can "sneak" into the FTP port (as he explained it, they ride on the
> > coat-tails of an active FTP user), then they run rsh.exe and spawn the
> > ping.exe processes."
> >
> > I was wondering if this is in fact an exploit in Serv-u (which we use) or
> > any FTP server for that matter.
> >
> > What we did, anyway, was to change the FTP port from 21 to a higher
> > value.
>
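
An audit of the "Move and ACL Critical Files" step quoted in the thread, written for a current Windows server. This is an added example, not part of the original messages or of Microsoft's checklist. Assumptions: the C:\CommonTools location, tolerating SYSTEM alongside Administrators, and a tool list limited to the four names mentioned in the thread.

```powershell
# Added example: report tools that were never moved out of %systemroot% and
# moved copies whose ACL grants rights to anyone other than administrators.
# $ToolDir is an assumed location; $Tools holds only the names given in the thread.
param(
    [string]$ToolDir = 'C:\CommonTools',
    [string[]]$Tools = @('regedt32.exe', 'ftp.exe', 'telnet.exe', 'ping.exe')
)

# Well-known SIDs allowed to hold rights on the tools (assumption: SYSTEM is tolerated).
$allowedSids = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
$systemDirs  = @("$env:SystemRoot", "$env:SystemRoot\System32")

$findings = foreach ($tool in $Tools) {
    # 1. A copy left under %systemroot% means the tool was never moved.
    foreach ($dir in $systemDirs) {
        $path = Join-Path $dir $tool
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{ Tool = $tool; Path = $path; Issue = 'still under %systemroot%' }
        }
    }

    # 2. The moved copy must grant rights to administrators only.
    $moved = Join-Path $ToolDir $tool
    if (-not (Test-Path -LiteralPath $moved -PathType Leaf)) { continue }

    $acl = Get-Acl -LiteralPath $moved
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so localized or renamed group names do not matter.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report it as-is
        }
        if ($allowedSids -notcontains $sid) {
            [pscustomobject]@{
                Tool  = $tool
                Path  = $moved
                Issue = "allow ACE for $($ace.IdentityReference): $($ace.FileSystemRights)"
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings.' }
```

The script only reads ACLs and file locations; it changes nothing, so it can be run from an elevated prompt on a production host.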