I agree (unfortunately). I think that I will remove FP ext as well. All they seem to do is cause problems anyway. I have thought about taking an old box and creating an image for it to have IIS5.0 and FP ext and not have it part of my home network and not have anything important on it and just monitor it and experiment with it. See if someone can hack into it, and tear it down and rebuild it and try something different (different combinations of patches and permissions.. etc) if it gets hacked. That may be about the only REAL way to learn (instead of the hard and risky way).

----- Original Message -----
From: "Jean-François Asselin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 28, 2001 8:59 AM
Subject: RE: FTP Vulnerability via Front Page Extensions?

> Yes, the Frontpage extensions are mostly insecure and have many patches
> for various problems.
>
> Why don't you create accounts for each of your friends? That way they
> can login without enabling anonymous access.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, November 26, 2001 1:42 PM
> > To: [EMAIL PROTECTED]
> > Subject: FTP Vulnerability via Front Page Extensions?
> >
> >
> > I am running W2kserver and IIS 5.0 with Front Page 2000
> > extensions installed. I have (or at least "had") anonymous
> > access (READ only) set up for my FTP service until last week
> > when I discovered that my rather large hard drive was
> > completely full. I did some digging around and checked all of
> > my IIS logs in the process. I discovered a ton of hits such
> > as the log excerpt pasted in below:
> >
> > 04:32:36 xxx.xxx.xxx.xxx [3]USER anonymous 331
> > 04:32:36 xxx.xxx.xxx.xxx [3]PASS [EMAIL PROTECTED] 230
> > 04:38:22 xxx.xxx.xxx.xxx [3]sent
> > /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+
> > team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r36
> > 226 04:46:10 xxx.xxx.xxx.xxx [3]sent
> > /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+
> > team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r37
> > 226 04:54:02 xxx.xxx.xxx.xxx [3]sent
> > /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+
> > team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r38
> > 226 05:01:43 xxx.xxx.xxx.xxx [3]sent
> > /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+
> > team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r39
> > 226 05:08:59 xxx.xxx.xxx.xxx [3]sent
> > /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+
> > team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r40 226
> >
> > If you will notice the "/_vti_pvt" folder, this was the case
> > every time this site was hacked into.
> > According to my logs,
> > this took place over the course of about two weeks and was
> > hit from several different IP Addresses. The "/_vti_pvt"
> > folder is a Front Page Extensions folder and it is my guess
> > that this is a vulnerability that has something to do with
> > Front Page permissions coupled with IIS 5.0 FTP service.
> > Since then, I have deleted all of the sub folders under the
> > "/_vti_pvt" folder and removed anonymous access and removed
> > the anonymous user account completely from the file system
> > permissions as well. I have also set the FTP service to
> > manual and limited simultaneous FTP connections to one, which
> > will allow me to remotely start the FTP service and then
> > connect and have me be the only allowed connection during my
> > session. I have had no such hits since I made these changes.
> >
> > A colleague of mine had the same exact issue with his home
> > server, but under a different alias. Does anyone know of such
> > a vulnerability? I would like to be able to allow anonymous
> > access to my server because it allows me to do a lot of
> > favors for friends and relatives.
> >
> > Take care.. happy holidays and thanks in advance,
> > Rob Edmiston
> >
>
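
Added example, not part of the original thread: a Python sketch that scans an FTP log in the layout of the quoted excerpt and reports anonymous sessions that transferred files under `/_vti_pvt/`. The sample log is constructed (documentation-range addresses, made-up paths), and the `created` verb for uploads is an assumption, since the excerpt shows only `sent`.

```python
import re
from collections import defaultdict

# Constructed sample in the excerpt's layout:
#   time  client-ip  [session]command  argument  status
SAMPLE_LOG = """\
04:32:36 192.0.2.10 [3]USER anonymous 331
04:32:36 192.0.2.10 [3]PASS guest@example.invalid 230
04:38:22 192.0.2.10 [3]sent /_vti_pvt/tag/upped/file.r36 226
04:46:10 192.0.2.10 [3]sent /_vti_pvt/tag/upped/file.r37 226
05:10:02 198.51.100.7 [4]USER rob 331
05:10:03 198.51.100.7 [4]PASS - 230
05:11:40 198.51.100.7 [4]sent /pub/photos.zip 226
05:20:00 192.0.2.44 [5]USER anonymous 331
05:20:01 192.0.2.44 [5]PASS guest@example.invalid 230
05:21:15 192.0.2.44 [5]created /_vti_pvt/tag/new/file.r01 226
"""

LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.+?) (\d{3})$")
TRANSFER_VERBS = {"sent", "created"}  # "created" (upload) is assumed
WATCHED_PREFIX = "/_vti_pvt/"         # FrontPage folder named in the thread


def suspicious_sessions(log_text, watched=WATCHED_PREFIX):
    """Map (ip, session) -> completed transfers under `watched` made by
    sessions that logged in as anonymous."""
    users = {}                 # (ip, session) -> user name from USER
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue           # skip headers, blanks and wrapped lines
        time, ip, sid, verb, arg, status = m.groups()
        key = (ip, sid)        # session ids alone may repeat across clients
        if verb.upper() == "USER":
            users[key] = arg.lower()
        elif verb.lower() in TRANSFER_VERBS and status == "226":
            if users.get(key) == "anonymous" and arg.lower().startswith(watched):
                hits[key].append((time, verb.lower(), arg))
    return dict(hits)


if __name__ == "__main__":
    for (ip, sid), events in suspicious_sessions(SAMPLE_LOG).items():
        print(f"{ip} session {sid}: {len(events)} transfer(s) under {WATCHED_PREFIX}")
```

The parser expects one entry per line, so a log that has been re-wrapped by a mail client, as in the quoted excerpt, has to be read from the original file.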