This happened back when I was a jr sysadmin at a fairly large dotcom. My wife and I were having a party at our house with several of our friends when my cell phone went off. Sure enough, it was the NOC saying that this one web server kept running out of disk space and they couldn't figure out why. The operator had cleared out all the temp files he could find, removed a number of web server logs and some other stuff. Disk space dropped for about 30 minutes and then climbed back up over 90%.
My computer was in the living room, so in the middle of the party I logged into this server and started poking around. First order of business was to figure out where the most disk space was being chewed up. C:\inetpub\ftproot was the culprit. I looked around the file system and found video games, music files, warez, etc. all over the place. I checked the FTP config and saw that it was a default setup with no relation to the function of the web server. Anonymous access had full read/write.

At this point, I was cracking up and asking people at the party if anyone wanted the latest Britney Spears album. I had 3-4 people crowded around my PC to watch what was going on. I uninstalled the FTP service, cleaned up the disk space and looked at the FTP logs. Sure enough, the server had been idle on FTP for weeks, then got discovered. In 2 days it went from unknown to very popular. It also didn't hurt that there were multiple OC3s coming into the environment. The users of the site must have been having a field day.

Wait, I hear people asking, shouldn't the firewall have blocked the FTP connections? Well, not if it is set to allow FTP inbound to all servers. That later got changed too.

Anyhow, it was a completely hilarious experience, particularly since I didn't set up the server so my pride wasn't at stake. ;-)

On Thu, May 14, 2009 at 12:43 PM, Joshua Wright <[email protected]> wrote:
> I was working for Johnson & Wales University and we had a Citrix server
> running on NT 3.51. I was one of the first people who got a cable-modem
> at home from Cox Communications, and it rocked! It rocked so much,
> someone else on the LAN discovered my workgroup and host, and connected
> to an unprotected share on my Windows 98 machine where he grabbed the
> .ica file with a stored password to the Citrix server. He called me at
> home to let me know how r00ted I was, after getting my home phone number
> from my wife's resume.doc file.
>
> Yeah, it was pretty painful, but it was my motivator to get into
> infosec. "Wow, that sucks, but at the same time, it's so awesome too"
> is the best way I can describe it.
>
> Years later we bumped into each other in Providence, and he told me how
> he's been watching my career since he called me that first time. I
> thanked him for his help. :)
>
> -Josh
>
> Paul Asadoorian wrote:
> > All:
> >
> > I'd like to start a new thread where we all share our experiences on how
> > we got into computer security. Specifically I want to hear about people
> > whose boxes got hacked, and sparked a life-long career in infosec.
> >
> > I may use your story in an upcoming piece I am working on, if I do I
> > will contact you off-list for permission and such.
> >
> > Larry, I know you got a good story here ;)
> >
> > Thanks!
> >
> > Cheers,
> > Paul
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
