Rob,
These are commonly known in the warez community as "pubs", and you were NOT
hacked into. By default it seems that the hidden FPX directories are writeable
by anonymous through ftp, and are invisible to the unsuspecting user who
doesn't have "show hidden files enabled". Disable anonymous access to your
site :) This happens every day & there are 1000s of these kinds of sites; don't
feel bad, keep the stuff you got & enjoy it :)

X



> I am running W2kserver and IIS 5.0 with Front Page 2000 extensions installed.
> I have (or at least "had") anonymous access (READ only) set up for my FTP
> service until last week when I discovered that my rather large hard drive was
> completely full. I did some digging around and checked all of my IIS logs in
> the process. I discovered a ton of hits such as the log excerpt pasted in
> below:
>  
> 04:32:36 xxx.xxx.xxx.xxx [3]USER anonymous 331
> 04:32:36 xxx.xxx.xxx.xxx [3]PASS [EMAIL PROTECTED] 230
> 04:38:22 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r36 226
> 04:46:10 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r37 226
> 04:54:02 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r38 226
> 05:01:43 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r39 226
> 05:08:59 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r40 226
>  
> If you will notice the "/_vti_pvt" folder, this was the case every time this
> site was hacked into. According to my logs, this took place over the course
> of about two weeks and was hit from several different IP Addresses. The
> "/_vti_pvt" folder is a Front Page Extensions folder and it is my guess that
> this is a vulnerability that has something to do with Front Page permissions
> coupled with IIS 5.0 FTP service. Since then, I have deleted all of the sub
> folders under the "/_vti_pvt" folder and removed anonymous access and removed
> the anonymous user account completely from the file system permissions as
> well. I have also set the FTP service to manual and limited simultaneous FTP
> connections to one, which will allow me to remotely start the FTP service and
> then connect and have me be the only allowed connection during my session. I
> have had no such hits since I made these changes.
>  
> A colleague of mine had the same exact issue with his home server, but under
> a different alias. Does anyone know of such a vulnerability? I would like to
> be able to allow anonymous access to my server because it allows me to do a
> lot of favors for friends and relatives.
>  
> Take care.. happy holidays and thanks in advance,
> Rob Edmiston
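
A log check for the pattern described in this thread, added here as an example (not code from either poster): it parses FTP log lines in the layout of the excerpt above and reports, per client address, anonymous sessions that completed transfers inside `_vti_*` directories. The sample log is constructed, and treating `created` as the verb the server writes for an upload is an assumption; only `sent` appears in the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt above. Addresses come from
# the 192.0.2.0/24 documentation range; paths and user names are made up.
SAMPLE_LOG = """\
04:32:36 192.0.2.10 [3]USER anonymous 331
04:32:36 192.0.2.10 [3]PASS guest@example.invalid 230
04:33:02 192.0.2.10 [3]created /_vti_pvt/tag/upload/part.r36 226
04:38:22 192.0.2.10 [3]sent /_vti_pvt/tag/upload/part.r36 226
04:40:00 192.0.2.20 [4]USER rob 331
04:40:01 192.0.2.20 [4]PASS - 230
04:41:10 192.0.2.20 [4]created /_vti_pvt/service.lck 226
04:45:00 192.0.2.30 [5]USER anonymous 331
04:45:00 192.0.2.30 [5]PASS guest@example.invalid 230
04:46:10 192.0.2.30 [5]sent /pub/readme.txt 226
04:47:00 192.0.2.30 [5]created /_vti_cnf/x.bin 550
"""

# time, client address, [session id]verb, argument, reply code
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")
# Any path component that starts with _vti_ (FrontPage extension directories)
HIDDEN = re.compile(r"(^|/)_vti_[^/]*(/|$)", re.IGNORECASE)


def find_hidden_dir_transfers(log_text):
    """Return {ip: {"uploads": [...], "downloads": [...]}} for anonymous
    sessions that completed (226) a transfer inside a _vti_* directory."""
    anonymous = set()  # (ip, session id) pairs currently logged in as anonymous
    hits = defaultdict(lambda: {"uploads": [], "downloads": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers and lines in another layout
        _time, ip, session, verb, arg, status = m.groups()
        key = (ip, session)
        if verb.upper() == "USER":
            # A new USER command decides who the session belongs to.
            if arg.lower() == "anonymous":
                anonymous.add(key)
            else:
                anonymous.discard(key)
        elif verb in ("sent", "created") and key in anonymous:
            # "created" as the upload verb is an assumption (see lead-in).
            if status == "226" and HIDDEN.search(arg):
                kind = "uploads" if verb == "created" else "downloads"
                hits[ip][kind].append(arg)
    return dict(hits)
```

Any upload reported here means the anonymous account has write permission somewhere under the FTP root, which is the condition to remove before re-enabling anonymous access.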



