First they would hack a machine somewhere on the same LAN and then install a
packet sniffer on that machine. Since FTP is sent in plain text it is very
easy to get someone's username and password. (I have seen many webservers
that have been hacked because the administrator has a blank password and
NetBIOS open.) Many times when someone gets hacked their machine is used to
hack or sniff ports on other machines so it makes it nearly impossible to
track the person down since most web admins know very little about security
logging and tracking.
----- Original Message -----
From: "Ricardo Villalobos" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Tuesday, March 27, 2001 9:34 AM
Subject: RE: hacked and wondering why?
> I've been following this conversation and got some nice tips from you guys,
> thanks!
>
> I would like to know how hackers can "listen" to TCP/IP ports... What kind
> of tools do they use?
>
> Regards.
>
> Ricardo Villalobos
> Dimasys, Inc.
>
> > -----Original Message-----
> > From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, March 26, 2001 7:15 PM
> > To: CF-Server
> > Subject: RE: hacked and wondering why?
> >
> >
> > > What I don't get is why would someone with full FTP access wreak havoc
> > > with a Denial of Service attack pinging Yahoo which everyone knows has
> > > very good MDA's and routers to turn back unnecessary packets...
> >
> > just because they could, I suppose....
> >
> >
> >
> > > -----Original Message-----
> > > From: Brian Thornton [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, March 26, 2001 7:56 PM
> > > To: CF-Server
> > > Subject: Re: hacked and wondering why?
> > >
> > >
> > > What I don't get is why would someone with full FTP access wreak havoc
> > > with a Denial of Service attack pinging Yahoo which everyone knows has
> > > very good MDA's and routers to turn back unnecessary packets...
> > > ----- Original Message -----
> > > From: "John Cesta - Lists" <[EMAIL PROTECTED]>
> > > To: "CF-Server" <[EMAIL PROTECTED]>
> > > Sent: Monday, March 26, 2001 4:53 PM
> > > Subject: RE: hacked and wondering why?
> > >
> > >
> > > > > They list a number of programs that an intruder might play havoc with,
> > > > > including regedt32.exe, ftp.exe, telnet.exe, ping.exe, etc. Actually,
> > > > > there's probably little reason to even have many of them installed on a
> > > > > server.
> > > >
> > > > Yea, we just removed most of them.
> > > >
> > > > thanks,
> > > >
> > > > John
> > > >
> > > > > -----Original Message-----
> > > > > From: Jim McAtee [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Monday, March 26, 2001 6:19 PM
> > > > > To: CF-Server
> > > > > Subject: Re: hacked and wondering why?
> > > > >
> > > > >
> > > > > John,
> > > > >
> > > > > Check out Microsoft's technet article "MS Internet Information Server 4.0
> > > > > Security Checklist", specifically the "Move and ACL Critical
> > > > > Files" section.
> > > > >
> > > > > http://www.microsoft.com/technet/iis/technote/iischeck.asp
> > > > >
> > > > > Here's another article that says the same thing.
> > > > >
> > > > > http://www.microsoft.com/technet/security/datavail.asp
> > > > >
> > > > >
> > > > > "Place all commonly used administrative tools in a special
> > > > > directory out of %systemroot% and ACL them so that only
> > > > > administrators have full access to these files. For example create
> > > > > a directory called \CommonTools and place the following files in
> > > > > there."
> > > > > They list a number of programs that an intruder might play havoc with,
> > > > > including regedt32.exe, ftp.exe, telnet.exe, ping.exe, etc. Actually,
> > > > > there's probably little reason to even have many of them installed on a
> > > > > server.
> > > > >
> > > > > Jim
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "John Cesta - Lists" <[EMAIL PROTECTED]>
> > > > > To: "CF-Server" <[EMAIL PROTECTED]>
> > > > > Sent: Monday, March 26, 2001 12:57 PM
> > > > > Subject: hacked and wondering why?
> > > > >
> > > > >
> > > > > > On the 24th our ISP pulled the plug on our co-located servers. They
> > > > > > said our servers were pumping 20 mbs each of data through the
> > > > > > network. Upon investigation, we found around 20 ping.exe processes
> > > > > > running in the task manager. As soon as we rebooted, the ping.exe
> > > > > > processes were gone and everything was fine. The ping processes
> > > > > > were pinging yahoo.com BTW.
> > > > > >
> > > > > > One of the network engineers at the center said that he was
> > > > > > familiar with this hack. He said that:
> > > > > >
> > > > > > "There is a program out on the net called Win Management, with it a
> > > > > > hacker can "sneak" into the FTP port (as he explained it, they ride
> > > > > > on the coat-tails of an active FTP user), then they run rsh.exe and
> > > > > > spawn the ping.exe processes."
> > > > > >
> > > > > > I was wondering if this is in fact an exploit in Serv-u (which we
> > > > > > use) or any FTP server for that matter.
> > > > > >
> > > > > > What we did, anyway, was to change the FTP port from 21 to a higher
> > > > > > value.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> >
>
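Added example, not part of the original thread: a check that applies the symptoms reported in the first message (around 20 ping.exe processes) and the tool list from the IIS checklist to a process snapshot. The CSV layout, the instance limit, the expected-parent list and the name ftpserver.exe are assumptions, and the sample snapshot is constructed.

```python
import csv
import io
from collections import Counter

# Tools the thread names as ones an intruder might misuse on a server.
WATCHED = {"ping.exe", "ftp.exe", "telnet.exe", "regedt32.exe", "rsh.exe"}
# Assumption: an administrator starts these tools only from a shell.
EXPECTED_PARENTS = {"cmd.exe", "explorer.exe"}
MAX_INSTANCES = 3  # assumed limit; the incident showed around 20 ping.exe

# Constructed snapshot (not real data). ftpserver.exe is a hypothetical name.
SAMPLE = (
    "pid,ppid,image,cmdline\n"
    "200,0,services.exe,services.exe\n"
    "900,200,ftpserver.exe,ftpserver.exe\n"
    "1310,900,rsh.exe,rsh.exe\n"
    + "".join(f"{1400 + i},1310,ping.exe,ping yahoo.com\n" for i in range(20))
)


def findings(snapshot, max_instances=MAX_INSTANCES):
    """Return (rule, image, detail, count) tuples for suspicious tool use."""
    procs = {r["pid"]: r for r in csv.DictReader(io.StringIO(snapshot))}
    out = []

    # Rule 1: far more copies of a watched tool than an admin would run.
    counts = Counter(p["image"].lower() for p in procs.values())
    for image, n in sorted(counts.items()):
        if image in WATCHED and n > max_instances:
            out.append(("many-instances", image, f"limit {max_instances}", n))

    # Rule 2: a watched tool whose parent is not an interactive shell.
    odd = Counter()
    for p in procs.values():
        image = p["image"].lower()
        if image in WATCHED:
            parent = procs.get(p["ppid"])
            pname = parent["image"].lower() if parent else "<exited>"
            if pname not in EXPECTED_PARENTS:
                odd[(image, pname)] += 1
    for (image, pname), n in sorted(odd.items()):
        out.append(("unexpected-parent", image, f"parent {pname}", n))
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```

Run on a schedule against real process listings, the same two rules would have flagged the ping.exe flood before the ISP had to pull the plug.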