> Was your FTP root on the OS partition? If so it is possible
No, it's not.
Thanks,
John
> -----Original Message-----
> From: Steve [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 26, 2001 6:29 PM
> To: CF-Server
> Subject: Re: hacked and wondering why?
>
>
> Was your FTP root on the OS partition? If so it is possible
> ----- Original Message -----
> From: "Dave Watts" <[EMAIL PROTECTED]>
> To: "CF-Server" <[EMAIL PROTECTED]>
> Sent: Monday, March 26, 2001 5:47 PM
> Subject: RE: hacked and wondering why?
>
>
> > > On the 24th our ISP pulled the plug on our co-located servers.
> > > They said our servers were pumping 20 mbs each of data through
> > > the network. Upon investigation, we found around 20 ping.exe
> > > processes running in the task manager. As soon as we rebooted,
> > > the ping.exe processes were gone and everything was fine. The
> > > ping processes were pinging yahoo.com BTW.
> > >
> > > One of the network engineers at the center said that he was
> > > familiar with this hack. He said that:
> > >
> > > "There is a program out on the net called Win Management, with
> > > it a hacker can "sneak" into the FTP port (as he explained it,
> > > they ride on the coat-tails of an active FTP user), then they
> > > run rsh.exe and spawn the ping.exe processes."
> > >
> > > I was wondering if this is in fact an exploit in Serv-u (which
> > > we use) or any FTP server for that matter.
> > >
> > > What we did, anyway, was to change the FTP port from 21 to a
> > > higher value.
> > >
> > > Does any one know if the network engineer's assessment of this
> > > hack is accurate or not?
> >
> > While this isn't my area of expertise, it sounds a bit fishy to me.
> >
> > First of all, it seems odd that a program could "sneak into the FTP port".
> > While TCP hijacking is possible, it's more likely that the hijacker would
> > simply record FTP usernames and passwords, then connect later. Also, to run
> > rsh against your server, that server has to be running the remote shell
> > service (rshsvc), which you wouldn't install on a publicly-accessible web
> > server, so they'd have to upload the service binaries, then get them
> > installed. To install a service requires administrator privileges, so they'd
> > have to get an admin username and password from reading the FTP traffic, or
> > by getting some other process to do the installation, such as the at
> > service. That's a lot of work just to run twenty copies of ping.
> >
> > Second, I couldn't find any mention of either "Win Management" or the
> > described hack in searches against securityfocus.com or other big lists.
> >
> > Nevertheless, I suppose that something happened to get all those ping
> > instances going. And, of course, I'm a programmer, not a network or security
> > engineer, so who knows what's possible?
> >
> > Changing the FTP port probably won't help much; it's easy enough to scan the
> > machines to find the listening ports, and if someone's already got remote
> > shell access, they don't need FTP anymore. You'll need to thoroughly clean
> > the machines to ensure that there aren't any backdoors. When you do that,
> > you might decide against allowing people to upload executable content via
> > FTP.
> >
> > I'd certainly be interested in hearing more as you learn about it.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
> >
>
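The checks a defender would run first against the symptoms in this thread (a burst of identical ping.exe processes, a remote-shell binary that has no business on a public web server, and a listener such as rsh's TCP 514 that is not in the expected baseline) as an added example, not code from the original posts or from Serv-U. The parsers assume the column layout of Windows `tasklist` and `netstat -an`; the sample output embedded below is constructed for the example, with the FTP listener moved to 2121 as the poster did, to show that a moved port is still visible to anyone who enumerates listeners.

```python
"""Baseline check for the symptoms described in the thread.

Added example, not part of the original mailing-list post. Input formats
follow Windows `tasklist` and `netstat -an`; the sample text is constructed.
"""
import re
from collections import Counter

# Constructed tasklist-style output: a web server, the Serv-U daemon, a
# remote shell binary, and twenty copies of ping.exe (as in the report).
SAMPLE_TASKLIST = (
    "Image Name                     PID Session Name        Session#    Mem Usage\n"
    "========================= ======== ================ =========== ============\n"
    "System Idle Process              0 Console                    0         16 K\n"
    "inetinfo.exe                   812 Console                    0     12,344 K\n"
    "ServUDaemon.exe                 940 Console                    0      6,120 K\n"
    "rsh.exe                       1188 Console                    0      1,204 K\n"
    + "".join(
        f"ping.exe                      {1300 + i:4d} Console                    0        900 K\n"
        for i in range(20)
    )
)

# Constructed netstat -an output: FTP moved from 21 to 2121, plus TCP 514,
# the port the remote shell (rsh) service listens on.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:514            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.77:3412         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

PROCESS_LINE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<pid>\d+)\s", re.IGNORECASE)
LISTEN_LINE = re.compile(r"^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def count_processes(tasklist_text):
    """Return a Counter of lower-cased image name -> number of running copies."""
    counts = Counter()
    for line in tasklist_text.splitlines():
        m = PROCESS_LINE.match(line)
        if m:
            counts[m.group("image").strip().lower()] += 1
    return counts


def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports reported in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            ports.add(int(m.group("port")))
    return ports


def assess(tasklist_text, netstat_text, expected_ports, max_copies=5,
           unwanted_images=("rsh.exe", "rshsvc.exe")):
    """Return a sorted list of findings; an empty list means nothing unusual.

    `rshsvc` is the service name from the thread; the `.exe` file name for it
    is an assumption, so adjust `unwanted_images` to match the real binary.
    """
    findings = []
    for image, n in count_processes(tasklist_text).items():
        if n > max_copies:
            findings.append(f"{image}: {n} concurrent copies (limit {max_copies})")
        if image in unwanted_images:
            findings.append(f"{image}: remote-shell binary running on a public server")
    for port in sorted(listening_tcp_ports(netstat_text) - set(expected_ports)):
        findings.append(f"tcp/{port}: listening but not in the expected baseline")
    return sorted(findings)


if __name__ == "__main__":
    for finding in assess(SAMPLE_TASKLIST, SAMPLE_NETSTAT, expected_ports={80, 2121}):
        print(finding)
```

On the constructed sample the check reports the twenty ping.exe copies, the rsh.exe process, and TCP 514 as an unexpected listener; the relocated FTP port passes only because it is in the baseline, which is the point Dave makes about port changes being no defence against a scan.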
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with
'unsubscribe' in the body or visit the list page at www.houseoffusion.com