md \\.\c:\com1
to remove:
rd \\.\c:\com1
-----Original Message-----
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 17, 2001 9:36 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory
That is interesting; I can't seem to be able to create a directory that
starts with "com1" by any normal means.
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 5:16 PM
To: NT System Admin Issues
Subject: Re: STRANGE undeletable directory
Just FYI these log entries are from a Windows 2KS running IIS 5.0
xylog
----- Original Message -----
From: Bunting, Jeff
To: NT System Admin Issues
Sent: Thursday, August 16, 2001 4:34 PM
Subject: RE: STRANGE undeletable directory
This is what I was talking about earlier when it was suggested the server
was hacked because of the funny directory names. I was speculating there
might be a way to create those directories with the normal permissions given
to the anonymous account in a write enabled directory. The original post
about the server with the "aux" directory could very well have been hacked,
I just wasn't sure if the presence of those directories in a public FTP
folder was enough evidence to jump to that conclusion without looking at the
logs.
I did some experimenting and found I can't create the
"com1.scanned.by.zog+++/+++/" directory under IIS5. Perhaps it can be done
in IIS4? I'm running Serv-U FTP on all of the IIS4 machines so I can't test
it there. The "+++COM2" and "null.upload" are legal though and can be
deleted by normal means.
On a related note, I've been getting some of the same people connecting to
my server, some warez guys from France. I was watching their activity
closely for awhile because they don't have download permissions from the
uploads directory yet they continued to upload files which didn't make a lot
of sense to me. I saw attempts at downloading, but nothing to indicate they
were successful or coming in by other means, so I've just started banning
their ip ranges because I'm tired of cleaning up all of the garbage on the
ftp site.
Jeff
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 3:08 PM
To: NT System Admin Issues
Subject: Fw: STRANGE undeletable directory
OK here is one with the "undeletable" directory. The last one was just plain
dirs:
#Fields: time c-ip cs-method cs-uri-stem sc-status
07:53:08 217.128.73.112 [10]USER anonymous 331
07:53:08 217.128.73.112 [10]PASS [EMAIL PROTECTED] 230
07:53:32 217.128.73.112 [11]USER anonymous 331
07:53:32 217.128.73.112 [11]PASS [EMAIL PROTECTED] 230
07:54:29 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++/ 257
07:54:42 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++Board/ 257
07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257
<<NOTICE com1
07:55:31 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++COM2/ 257
<<COM2
07:55:54 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++/ 257
<<don't know what this null thingy is
07:56:11 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++COM1/ 257
07:56:29 217.128.73.112 [11]MKD 07.27.01Reel_Fishing_Wild_DC-ECHELON 257
xylog
----- Original Message -----
From: xylog
To: NT System Admin Issues
Sent: Thursday, August 16, 2001 2:58 PM
Subject: Re: STRANGE undeletable directory
I had some bozo do this ^#@& to one of my boxes, here are the log entries:
12:35:46 193.253.37.219 [4]USER anonymous 331
12:35:46 193.253.37.219 [4]PASS [EMAIL PROTECTED] 230
12:35:50 193.253.37.219 [4]MKD 010626143627p 257
12:35:50 193.253.37.219 [4]RMD 010626143627p 250
20:47:30 193.253.37.219 [5]USER anonymous 331
20:47:30 193.253.37.219 [5]PASS [EMAIL PROTECTED] 230
20:47:57 193.253.37.219 [5]MKD /.tmp 257
20:47:59 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan 257
20:48:02 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan/Genetic+SPECIE 257
20:48:04 193.253.37.219 [5]MKD /.tmp/Tag+&+Scan/Genetic+SPECIE/for+DZ 257
20:48:23 193.253.37.219 [5]QUIT - 257
You set the log settings from the IIS management console snap-in in the FTP
site properties page.
xylog
----- Original Message -----
From: Bunting, Jeff
To: NT System Admin Issues
Sent: Thursday, August 16, 2001 1:19 PM
Subject: RE: STRANGE undeletable directory
What options need to be ticked to record the FTP commands in IIS? The
settings show the same categories as the WWW logs which don't intuitively
apply to FTP.
The default options just show the name of the file created.
-----Original Message-----
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 1:10 PM
To: NT System Admin Issues
Subject: Re: STRANGE undeletable directory
Look in your FTP logs; you will see exactly the command used to create those
dirs.
xylog
----- Original Message -----
From: Bunting, Jeff
To: NT System Admin Issues
Sent: Thursday, August 16, 2001 12:15 PM
Subject: RE: STRANGE undeletable directory
Because anonymous users have permission to create directories and this
fellow created directories.
I wasn't trying to imply the machine definitely wasn't hacked, but I've seen
this question arise before and always in an FTP directory. I was wondering
if there is some way to create these directories with reserved words via
normal FTP or HTTP commands. If there is, then the anonymous user would
have permission to create those directories again.
Jeff
-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 11:14 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory
Better question:
What would make you assume he didn't?
-----Original Message-----
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 8:02 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory
Assuming the machine was configured for anonymous logins, what would make
you believe he did anything else he wasn't allowed to do?
-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:54 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory
Of course you still need to rebuild the box now.
Who knows what else this guy did to it.
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 7:37 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory
Good one, didn't think of that.
Going to try it now.
At 09:36 AM 8/16/2001 -0500, you wrote:
can you change attributes from the command line?
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:17
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory
Yup, deleting it from the command line gave the same error: The parameter is
incorrect
At 10:19 AM 8/16/2001 -0400, you wrote:
Did you try deleting it from the command line?
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 10:13 AM
To: NT System Admin Issues
Subject: RE: STRANGE undeletable directory
I dunno, can't rename, can't move, can do shit!
Very strange
At 09:10 AM 8/16/2001 -0500, you wrote:
Is it because "Com1"?
-----Original Message-----
From: Martijn Eindhoven [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 09:03
To: NT System Admin Issues
Subject: STRANGE undeletable directory
OK guys, I have the following question.
A customer has his own w2ks box. Now he asked me to look at his machine
because he had a problem.
I logged in and looked at the problem. The first thing I saw was that there was
an FTP abuser. So I kicked him out.
But when I was going to delete the directories he made I stumbled upon the
strangest problem I've seen in a long
time.
He made a folder in the login directory that looked like this:
pub---
|
Com1--
|
Pub----
|
Aux
Aux (yes two times an identical directory)
It says "The parameter is incorrect" when I try to delete it. Looked at the
settings and everything. Still undeletable.
Any ideas, guys?
Kind regards,
M. Eindhoven
NT System Administrator
Bevelander Internet Services B.V.
Folkstoneweg 10
1118 LM SCHIPHOL Zuidoost
Tel : 020 40 53 900
Fax : 020 40 53 910
http://www.bevelander.nl
=================================================
This communication contains information which is confidential and
may also be privileged. It is for the exclusive use of the
intended recipient(s). If you are not the intended recipient(s),
please note that any distribution, copying or use of this
communication or the information in it is strictly prohibited.
If you have received this communication in error, please notify
the sender immediately and then destroy any copies of it.
=================================================
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
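The MKD entries in the FTP logs quoted in this thread can be screened automatically. The following is an added example, not part of the original thread: it parses lines in the "time c-ip cs-method cs-uri-stem sc-status" layout shown above and flags directory names whose base is a reserved DOS device name, and (going slightly beyond the com1/aux cases discussed) names that end in a space or dot. Reading "+" in the logged path as a space is an assumption about the log format; the sample lines are copied from the thread.

```python
import re

# Classic DOS device names that Win32 path parsing reserves, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}

# Layout from the thread: time c-ip [session]cs-method cs-uri-stem sc-status
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")

def component_issues(name):
    """Reasons a single path component is awkward for normal Win32 tools."""
    issues = []
    base = name.split(".", 1)[0].rstrip(" ")
    if base.upper() in RESERVED:
        issues.append("reserved-device-name")
    if name != name.rstrip(" ."):
        issues.append("trailing-space-or-dot")
    return issues

def scan(lines):
    """Return (time, client_ip, logged_path, issues) for each suspicious MKD."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(4).upper() != "MKD":
            continue
        time, ip, _session, _method, arg, _status = m.groups()
        # Assumption: '+' in the logged path stands for a space in the real name.
        parts = [c for c in arg.replace("+", " ").split("/") if c]
        issues = sorted({i for c in parts for i in component_issues(c)})
        if issues:
            findings.append((time, ip, arg, issues))
    return findings

# Sample lines copied from the log excerpt in the thread.
SAMPLE = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
07:53:32 217.128.73.112 [11]PASS [EMAIL PROTECTED] 230
07:54:29 217.128.73.112 [11]MKD Tagged+By+Gru+++/+++/ 257
07:55:14 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++/ 257
07:55:31 217.128.73.112 [11]MKD com1.scanned.by.zog+++/+++COM2/ 257
07:55:54 217.128.73.112 [11]MKD null.upload.by.derfy+++/+++/ 257
07:56:29 217.128.73.112 [11]MKD 07.27.01Reel_Fishing_Wild_DC-ECHELON 257
""".splitlines()

if __name__ == "__main__":
    for time, ip, path, issues in scan(SAMPLE):
        print(time, ip, path, ",".join(issues))
```

Consistent with what was reported in the thread, "+++COM2" and "null.upload" are not flagged as reserved names, while the two "com1.scanned.by.zog" entries are.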