I am running W2kserver and IIS 5.0 with FrontPage 2000 extensions installed. I have 
(or at least "had") anonymous access (READ only) set up for my FTP service until last 
week when I discovered that my rather large hard drive was completely full. I did some 
digging around and checked all of my IIS logs in the process. I discovered a ton of 
hits such as the log excerpt pasted in below:
 
04:32:36 xxx.xxx.xxx.xxx [3]USER anonymous 331
04:32:36 xxx.xxx.xxx.xxx [3]PASS [EMAIL PROTECTED] 230
04:38:22 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r36 226
04:46:10 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r37 226
04:54:02 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r38 226
05:01:43 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r39 226
05:08:59 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r40 226
 
If you will notice the "/_vti_pvt" folder, this was the case every time this site was 
hacked into. According to my logs, this took place over the course of about two weeks 
and was hit from several different IP addresses. The "/_vti_pvt" folder is a FrontPage 
Extensions folder and it is my guess that this is a vulnerability that has 
something to do with FrontPage permissions coupled with IIS 5.0 FTP service. Since 
then, I have deleted all of the subfolders under the "/_vti_pvt" folder and removed 
anonymous access and removed the anonymous user account completely from the file 
system permissions as well. I have also set the FTP service to manual and limited 
simultaneous FTP connections to one, which will allow me to remotely start the FTP 
service and then connect and have me be the only allowed connection during my session. 
I have had no such hits since I made these changes.
 
A colleague of mine had the same exact issue with his home server, but under a 
different alias. Does anyone know of such a vulnerability? I would like to be able to 
allow anonymous access to my server because it allows me to do a lot of favors for 
friends and relatives.
 
Take care.. happy holidays and thanks in advance,
Rob Edmiston
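
A log check for the pattern shown in the excerpt, as an added example that is not part of the original post: it groups FTP log lines by client and session and reports anonymous sessions with successful operations under /_vti_pvt. The sample lines, the addresses, and the assumption that uploads and directory creation appear as `created` and `MKD` in the same layout are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout as in the excerpt: time, client IP, [session]verb, argument, FTP status.
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")
WATCHED = ("/_vti_pvt/",)        # FrontPage metadata folder; FTP clients have no business here
ANON = {"anonymous", "ftp"}

# Constructed sample log (documentation IPs, made-up paths), not real data.
# The "created" and "MKD" entries are an assumption about how writes are logged.
SAMPLE = """\
04:32:36 192.0.2.10 [3]USER anonymous 331
04:32:36 192.0.2.10 [3]PASS guest@example.invalid 230
04:33:01 192.0.2.10 [3]MKD /_vti_pvt/tag/test 257
04:38:22 192.0.2.10 [3]created /_vti_pvt/tag/test/part.r36 226
04:46:10 192.0.2.10 [3]sent /_vti_pvt/tag/test/part.r36 226
05:10:00 198.51.100.7 [4]USER rob 331
05:10:02 198.51.100.7 [4]PASS - 230
05:11:30 198.51.100.7 [4]sent /pub/photos/family.zip 226
05:20:00 203.0.113.5 [5]USER anonymous 331
05:20:01 203.0.113.5 [5]PASS guest@example.invalid 230
05:21:00 203.0.113.5 [5]created /pub/incoming/x.bin 550
"""

def audit(log_text):
    """Return {(ip, session): {verb: count}} for anonymous sessions on watched paths."""
    user = {}                                  # (ip, session) -> login name
    hits = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                           # skip headers and wrapped fragments
        _, ip, sess, verb, arg, status = m.groups()
        key = (ip, sess)
        if verb.upper() == "USER":
            user[key] = arg.lower()
        elif (user.get(key) in ANON and status.startswith("2")
              and arg.lower().startswith(WATCHED)):
            hits[key][verb.lower()] += 1       # count successful operations only
    return {k: dict(v) for k, v in hits.items()}

def has_writes(ops):
    """True if the session changed the disk (upload or directory creation)."""
    return any(v in ops for v in ("created", "mkd"))

if __name__ == "__main__":
    for (ip, sess), ops in audit(SAMPLE).items():
        print(ip, f"session {sess}", ops, "WRITE" if has_writes(ops) else "read-only")
```

A session flagged with writes means the anonymous account had write permission somewhere under the FTP root, which is worth confirming against the NTFS permissions before re-enabling anonymous access.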

