Title: Message
That is interesting; I can't seem to be able to create a directory that starts with "com1" by any normal means.
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 5:16 PM
To: NT System Admin Issues
Subject: Re: STRANGE undeletable directory

Just FYI these log entries are from a Windows 2KS running IIS 5.0
 
xylog
----- Original Message -----
Sent: Thursday, August 16, 2001 4:34 PM
Subject: RE: STRANGE undeletable directory

This is what I was talking about earlier when it was suggested the server was hacked because of the funny directory names.  I was speculating there might be a way to create those directories with the normal permissions given to the anonymous account in a write enabled directory.  The original post about the server with the "aux" directory could very well have been hacked, I just wasn't sure if the presence of those directories in a public FTP folder was enough evidence to jump to that conclusion without looking at the logs.
 
I did some experimenting and found I can't create the "com1.scanned.by.zog+++/+++/" directory under IIS5.  Perhaps it can be done in IIS4?  I'm running Serv-U FTP on all of the IIS4 machines so I can't test it there.  The "+++COM2" and "null.upload" are legal though and can be deleted by normal means.
 
On a related note, I've been getting some of the same people connecting to my server, some warez guys from France.  I was watching their activity closely for awhile because they don't have download permissions from the uploads directory yet they continued to upload files which didn't make a lot of sense to me.  I saw attempts at downloading, but nothing to indicate they were successful or coming in by other means, so I've just started banning their ip ranges because I'm tired of cleaning up all of the garbage on the ftp site.
 
Jeff
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 3:08 PM
To: NT System Admin Issues
Subject: Fw: STRANGE undeletable directory

OK here is one with the "undeletable" directory. The last one was just plain dirs:
 
#Fields: time c-ip cs-method cs-uri-stem sc-status
07:53:08 217.128.73.112 [10]USER anonymous 331
07:53:08 217.128.73.112 [10]PASS [EMAIL PROTECTED] 230
07:53:32 217.128.73.112 [11]USER anonymous 331
07:53:32 217.128.73.112 [11]PASS [EMAIL PROTECTED] 230
07:54:29 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++/ 257
07:54:42 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++Board/ 257
07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257              <<NOTICE com1
07:55:31 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++COM2/ 257        <<COM2
07:55:54 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++/ 257                        <<dont know what this null thingy is
07:56:11 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++COM1/ 257
07:56:29 217.128.73.112 [11]MKD 07.27.01Reel_Fishing_Wild_DC-ECHELON 257
 
xylog
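
Added example, not part of the original messages: one way to sweep an FTP log in the field layout quoted above for successful MKD commands whose path would be awkward for Win32 tools (reserved device names such as COM1 or AUX, names ending in a space or dot, or names made only of spaces). It assumes "+" in cs-uri-stem stands for a space; the sample lines, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re

# Reserved DOS device names that Win32 path parsing maps to devices.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}

# time c-ip [session]cs-method cs-uri-stem sc-status (layout as quoted in the thread)
ENTRY = re.compile(r"^(\S+) (\S+) \[\d+\](\S+) (\S+) (\d{3})\b")

def component_issues(name):
    """Return the reasons one path component is a problem for Win32 tools."""
    if not name.strip(" "):
        return ["blank-name"]                      # name made only of spaces
    issues = []
    trimmed = name.rstrip(" .")                    # Win32 drops trailing spaces/dots
    if trimmed != name:
        issues.append("trailing-space-or-dot")
    base = trimmed.split(".", 1)[0].rstrip(" ")    # "com1.anything" still means COM1
    if base.upper() in RESERVED:
        issues.append("reserved-device:" + base.upper())
    return issues

def scan(log_text):
    """Return (time, client_ip, stem, issues) for each suspicious successful MKD."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                               # header or unparsable line
        time, ip, method, stem, status = m.groups()
        if method.upper() != "MKD" or status != "257":
            continue                               # 257 = directory created
        path = stem.replace("+", " ")              # assumption: "+" encodes a space
        issues = [i for part in path.split("/") if part
                  for i in component_issues(part)]
        if issues:
            findings.append((time, ip, stem, issues))
    return findings

# Constructed sample in the same layout; not taken from a real server.
SAMPLE = """#Fields: time c-ip cs-method cs-uri-stem sc-status
09:00:01 192.0.2.10 [3]USER anonymous 331
09:00:05 192.0.2.10 [3]MKD incoming+files 257
09:00:09 192.0.2.10 [3]MKD com1.tagged+++/+++/ 257
09:00:12 192.0.2.10 [3]MKD null.upload/+++COM2 257
09:00:15 192.0.2.10 [3]MKD pub/Aux 257
09:00:18 192.0.2.10 [3]MKD lpt1 550
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
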
----- Original Message -----
From: xylog
Sent: Thursday, August 16, 2001 2:58 PM
Subject: Re: STRANGE undeletable directory

I had some bozo do this ^#@& to one of my boxes, here are the log entries:
 
12:35:46 193.253.37.219 [4]USER anonymous 331
12:35:46 193.253.37.219 [4]PASS [EMAIL PROTECTED] 230
12:35:50 193.253.37.219 [4]MKD 010626143627p 257
12:35:50 193.253.37.219 [4]RMD 010626143627p 250
20:47:30 193.253.37.219 [5]USER anonymous 331
20:47:30 193.253.37.219 [5]PASS [EMAIL PROTECTED] 230
20:47:57 193.253.37.219 [5]MKD /.tmp 257
20:47:59 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan 257
20:48:02 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan/Genetic+SPECIE 257
20:48:04 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan/Genetic+SPECIE/for+DZ 257
20:48:23 193.253.37.219 [5]QUIT - 257
 
You set the log settings from the IIS management console snap-in in the FTP site properties page.
 
xylog
----- Original Message -----
Sent: Thursday, August 16, 2001 1:19 PM
Subject: RE: STRANGE undeletable directory

What options need to be ticked to record the FTP commands in IIS?  The settings show the same categories as the WWW logs which don't intuitively apply to FTP. 
 
The default options just show the name of the file created.
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 1:10 PM
To: NT System Admin Issues
Subject: Re: STRANGE undeletable directory

Look in your FTP logs you will see exactly the command used to create those dirs.
 
xylog
----- Original Message -----
Sent: Thursday, August 16, 2001 12:15 PM
Subject: RE: STRANGE undeletable directory

Because anonymous users have permission to create directories and this fellow created directories. 
 
I wasn't trying to imply the machine definitely wasn't hacked, but I've seen this question arise before and always in an FTP directory.  I was wondering if there is some way to create these directories with reserved words via normal FTP or HTTP commands.  If there is, then the anonymous user would have permission to create those directories again.
 
Jeff
-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 11:14 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Better question:
What would make you assume he didn't?
-----Original Message-----
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 8:02 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Assuming the machine was configured for anonymous logins, what would make you believe he did anything else he wasn't allowed to do?
-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:54 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Of course you still need to rebuild the box now.
Who knows what else this guy did to it.
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 7:37 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Good one, didn't think of that.
Going to try it now.

At 09:36 AM 8/16/2001 -0500, you wrote:
can you change attributes from the command line?
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:17
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

Jup deleting it from the command line gave the same error: The parameter is incorrect





At 10:19 AM 8/16/2001 -0400, you wrote:
Did you try deleting it from the command line?
 
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:13 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory

I dunno, can't rename, can't move, can do shit!
Very strange.

At 09:10 AM 8/16/2001 -0500, you wrote:
Is it because "Com1"?
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:03
To: NT System Admin Issues
Subject: STRANGE undeletable directory

OK guys, I have the following question.

A customer has his own W2KS box. Now he asked me to look at his machine because he had a problem.
I logged in and looked at the problem. The first thing I saw was that there was an FTP abuser, so I kicked him out.
But when I was going to delete the directories he made, I stumbled upon the strangest problem I've seen in a long time.

He made a map in the login directory that looked like this:

pub---
        |
        Com1--
                |
                Pub----
                      |
                      Aux
                      Aux (yes two times an identical directory)

It says "The parameter is incorrect" when I try to delete it. Looked at the settings and everything. Still undeletable.

Any ideas, guys?









Kind regards,

M. Eindhoven
NT System Administrator
Bevelander Internet Services B.V.
Folkstoneweg 10
1118 LM SCHIPHOL Zuidoost
Tel : 020 40 53 900
Fax : 020 40 53 910
http://www.bevelander.nl
=================================================
This communication contains information which is confidential and
may also be privileged. It is for the exclusive use of the
intended recipient(s). If you are not the intended recipient(s),
please note that any distribution, copying or use of this
communication or the information in it is strictly prohibited.
If you have received this communication in error, please notify
the sender immediately and then destroy any copies of it.
=================================================
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
