Looks as if someone was using your server as a pub

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 26, 2001 6:42 PM
To: [EMAIL PROTECTED]
Subject: FTP Vulnerability via Front Page Extensions?


I am running W2kserver and IIS 5.0 with Front Page 2000 extensions
installed. I have (or at least "had") anonymous access (READ only) set
up for my FTP service until last week when I discovered that my rather
large hard drive was completely full. I did some digging around and
checked all of my IIS logs in the process. I discovered a ton of hits
such as the log excerpt pasted in below:
 
04:32:36 xxx.xxx.xxx.xxx [3]USER anonymous 331
04:32:36 xxx.xxx.xxx.xxx [3]PASS [EMAIL PROTECTED] 230
04:38:22 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r36 226
04:46:10 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r37 226
04:54:02 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r38 226
05:01:43 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r39 226
05:08:59 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r40 226
 
If you will notice the "/_vti_pvt" folder, this was the case every time
this site was hacked into. According to my logs, this took place over
the course of about two weeks and was hit from several different IP
addresses. The "/_vti_pvt" folder is a Front Page Extensions folder and
it is my guess that this is a vulnerability that has something to do
with Front Page permissions coupled with IIS 5.0 FTP service. Since
then, I have deleted all of the sub folders under the "/_vti_pvt" folder
and removed anonymous access and removed the anonymous user account
completely from the file system permissions as well. I have also set the
FTP service to manual and limited simultaneous FTP connections to one,
which will allow me to remotely start the FTP service and then connect
and have me be the only allowed connection during my session. I have had
no such hits since I made these changes.
 
A colleague of mine had the same exact issue with his home server, but
under a different alias. Does anyone know of such a vulnerability? I
would like to be able to allow anonymous access to my server because it
allows me to do a lot of favors for friends and relatives.
 
Take care... happy holidays and thanks in advance,
Rob Edmiston
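As an added example, not part of the original post or any reply to it: a small Python audit over IIS 5.0 FTP log lines in the layout shown in the excerpt above (time, client IP, bracketed connection number, verb, argument, status). It groups lines by client and connection number, recognises an anonymous login (USER anonymous answered 331, then PASS answered 230), and flags any such session that downloaded ("sent") or uploaded ("created", which is how IIS logs a STOR) under /_vti_pvt. The poster's excerpt only shows downloads; the uploads that filled the disk would appear as "created" lines earlier in the logs, which is what this check also looks for. The log lines, IP addresses, paths and user names below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed IIS 5.0 FTP log lines in the same layout as the excerpt in the post.
# Addresses, paths and names are made up for this example.
SAMPLE_LOG = """\
04:32:36 10.0.0.5 [3]USER anonymous 331
04:32:36 10.0.0.5 [3]PASS guest@ 230
04:38:22 10.0.0.5 [3]sent /_vti_pvt/tag/com/test/DivX/ta-seq.r36 226
04:46:10 10.0.0.5 [3]sent /_vti_pvt/tag/com/test/DivX/ta-seq.r37 226
05:10:01 10.0.0.9 [4]USER anonymous 331
05:10:01 10.0.0.9 [4]PASS x@y.z 230
05:11:40 10.0.0.9 [4]created /_vti_pvt/tag/com/test/DivX/ta-seq.r41 226
06:00:00 10.0.0.7 [5]USER anonymous 331
06:00:00 10.0.0.7 [5]PASS me@example.org 230
06:00:30 10.0.0.7 [5]sent /pub/readme.txt 226
06:05:00 10.0.0.8 [6]USER rob 331
06:05:01 10.0.0.8 [6]PASS - 230
06:06:00 10.0.0.8 [6]created /_vti_pvt/service.cnf 226
"""

# time  ip  [connection]verb  argument  status
LINE_RE = re.compile(r'^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\w+) (.*?) (\d{3})$')

READ_VERBS = {"sent"}        # IIS logs a completed download (RETR) as "sent"
WRITE_VERBS = {"created"}    # and a completed upload (STOR) as "created"


def parse_iis_ftp_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        time, ip, conn, verb, args, status = m.groups()
        records.append({"time": time, "ip": ip, "conn": int(conn),
                        "verb": verb, "args": args, "status": int(status)})
    return records


def group_sessions(records):
    """Group records by (client IP, connection number), which identifies one FTP session."""
    sessions = defaultdict(list)
    for r in records:
        sessions[(r["ip"], r["conn"])].append(r)
    return sessions


def audit_sessions(text, watch_prefixes=("/_vti_pvt",)):
    """Summarise every session and flag anonymous sessions that touch a watched directory."""
    prefixes = tuple(p.lower() for p in watch_prefixes)
    results = []
    for (ip, conn), recs in sorted(group_sessions(parse_iis_ftp_log(text)).items()):
        user = next((r["args"] for r in recs if r["verb"] == "USER"), None)
        logged_in = any(r["verb"] == "PASS" and r["status"] == 230 for r in recs)
        anonymous = logged_in and user is not None and user.lower() == "anonymous"
        reads = [r["args"] for r in recs if r["verb"] in READ_VERBS and r["status"] == 226]
        writes = [r["args"] for r in recs if r["verb"] in WRITE_VERBS and r["status"] == 226]
        watched = [p for p in reads + writes if p.lower().startswith(prefixes)]
        results.append({
            "ip": ip, "conn": conn, "user": user, "anonymous": anonymous,
            "reads": reads, "writes": writes,
            # anonymous traffic under /_vti_pvt is what the post's excerpt shows
            "suspicious": anonymous and bool(watched),
            # an anonymous upload anywhere means the anonymous account can write
            "anonymous_write": anonymous and bool(writes),
        })
    return results


if __name__ == "__main__":
    for s in audit_sessions(SAMPLE_LOG):
        if s["suspicious"] or s["anonymous_write"]:
            print(f"{s['ip']} conn {s['conn']} user={s['user']} "
                  f"reads={len(s['reads'])} writes={s['writes']}")
```

Run against a full day's log, the "created" entries tell you which client first wrote into the tree and which directory the anonymous account could write to; the "sent" entries only show who came to collect. An authenticated user writing under /_vti_pvt (connection 6 above) is not flagged, since FrontPage itself keeps files there.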

