Mike Arnold | 2 Jan 2003 00:01

Re: MS IIS 5 server is hacked leaving undeletable folders and files

On Tuesday 31 December 2002 4:54 pm, Don Phillipe wrote:
> I have a small server I use for my home business and use it mainly for
> anyone who needs to send a large file that will not go through email.  I
> have an anonymous UPLOAD FTP account that I open up to receive these.  From
> time to time I forget and leave this open (I know this is stupid but I
> thought I could just erase anything that was put there because the small
> drive would fill up real soon).  However, I see someone has hacked into my
> server and put a bunch of trash that I cannot delete because when I try to
> delete it, Windows 2K says "cannot find the specified file".   I have spent
> 2 days researching this and cannot find any reference of how to correct
> this.   I did find some reference to looking at the security tab for these
> files but the security tab is missing!  I found some tools which are
> supposed to set owners for files and they don't work on these files.   Here
> is the log from where the hacker attacked below.  Any help would be
> appreciated.  I don't want to have to rebuild my server if possible:

If you have access to a Linux bootable CD/floppy you can delete it in that. 
Must have NTFS support though.

I have done this before using this technique, took 2 minutes.

Cheers

-- 
	By three methods we may learn wisdom: 
		First, by reflection, which is noblest; 
		Second, by imitation, which is easiest; 
		and third by experience, which is the bitterest. 

			--Confucius 

Rob Bernabe' | 1 Jan 2003 19:54

Re: Where can i find a complete list of ip's and countries ou network ?

You can use the whois command to search for IP
addresses:

whois -h whois.arin.net <hostname here> or <company
name here>

This will give you the allocated IP addresses given by
ARIN for a specific organization. You can do a reverse
lookup also by using the IP address in the <hostname>
area and the company's name and allocated IP's will
get returned.

I don't think that countries are given blocks of IP's,
rather companies buy them.  So .co.jp (Japanese) sites
can have a subnet under its American branch company.
Rob

PS - this is for a unix box, if u have any other OS,
they have web based tools available.
(http://www.arin.net)
--- Meritt James <meritt_james <at> bah.com> wrote:
> You may very well be out of luck.  Due to the
> dynamic nature of all the
> IPs (and the associated administrative difficulties
> - it was a real pain
> a decade and a half or so ago when we had to do
> that!) and the immense
> number of systems, we shifted to name servers years
> ago.  You may wish
> to try:

stefmit | 2 Jan 2003 16:33

OOPS! Re: MS IIS 5 server is hacked leaving undeletable folders and files

OOPS - forgot the article number:

http://online.securityfocus.com/archive/88/193227

On Tuesday 31 December 2002 10:54 am, Don Phillipe wrote:
> I have a small server I use for my home business and use it mainly for
> anyone who needs to send a large file that will not go through email.  I
> have an anonymous UPLOAD FTP account that I open up to receive these.  From
> time to time I forget and leave this open (I know this is stupid but I
> thought I could just erase anything that was put there because the small
> drive would fill up real soon).  However, I see someone has hacked into my
> server and put a bunch of trash that I cannot delete because when I try to
> delete it, Windows 2K says "cannot find the specified file".   I have spent
> 2 days researching this and cannot find any reference of how to correct
> this.   I did find some reference to looking at the security tab for these
> files but the security tab is missing!  I found some tools which are
> supposed to set owners for files and they don't work on these files.   Here
> is the log from where the hacker attacked below.  Any help would be
> appreciated.  I don't want to have to rebuild my server if possible:

scott | 2 Jan 2003 17:38

remote desktop question

hi,

this might be a stupid question but, is there any encryption used with 
remote desktop.  also, if there is not is there any products (free or low 
cost) that i can use to protect my remote desktop connections, such as vpn, 
and what is the best way to set it up?

thanks

Scott

Jimmy Sansi | 2 Jan 2003 19:06

RE: MS IIS 5 server is hacked leaving undeletable folders and files

It seems you have found out the problems with running an
'open' FTP server. It sounds like you may be running FAT instead
of NTFS, which would not be recommended especially for a machine
accessible to the outside world.

I would suggest that you set the permissions on the FTP directories
and remove anonymous access, or use a different account name
for anonymous type logons. Going a step further you could create
a virtual directory (use a unique name, 'incoming' or 'upload' are
too easily guessed) for uploading files. It's not 100%, but
the slight inconvenience would save you from trivial exploits.

Cheers,
-Jimmy

-----Original Message-----
From: Don Phillipe [mailto:donphillipe <at> hotmail.com]
Sent: Tuesday, December 31, 2002 11:44 AM
To: security-basics <at> securityfocus.com
Subject: MS IIS 5 server is hacked leaving undeletable folders and files

I have a small server I use for my home business and use it mainly for
anyone who needs to send a large file that will not go through email.  I
have an anonymous UPLOAD FTP account that I open up to receive these.  From
time to time I forget and leave this open (I know this is stupid but I
thought I could just erase anything that was put there because the small
drive would fill up real soon).  However, I see someone has hacked into my
server and put a bunch of trash that I cannot delete because when I try to
delete it, Windows 2K says "cannot find the specified file".   I have spent
2 days researching this and cannot find any reference of how to correct

Devdas Bhagat | 2 Jan 2003 19:29

Re: remote desktop question

On 02/01/03 11:38 -0500, scott wrote:
> this might be a stupid question but, is there any encryption used with 
> remote desktop.  also, if there is not is there any products (free or low 
> cost) that i can use to protect my remote desktop connections, such as vpn, 
> and what is the best way to set it up?

vnc + (ssh|stunnel|zebedee)
Linux => www.freeswan.org
OpenBSD has crypto support built in by default.

Devdas Bhagat

Stacy Olivas | 2 Jan 2003 19:33

RE: remote desktop question

Whenever I use Terminal Services (a.k.a Remote Desktop) I establish an ssh
session and use the port forwarding feature
to tunnel the ts session thru.

-----Original Message-----
From: scott [mailto:scottslists <at> barringtonlibrary.org]
Sent: Thursday, January 02, 2003 5:38 PM
To: security-basics <at> securityfocus.com
Subject: remote desktop question

hi,

this might be a stupid question but, is there any encryption used with
remote desktop.  also, if there is not is there any products (free or low
cost) that i can use to protect my remote desktop connections, such as vpn,
and what is the best way to set it up?

thanks

Scott

Jason Kohles | 2 Jan 2003 17:02

Re: Strange log entries

On Fri, 2002-12-20 at 12:45, Mike Heitz wrote:
> I've run across a couple log entries on my OWA server. I'm pretty new to
> security (about a decade as a network admin, now taking on more and more
> responsibility) and have Googled the Propfind command... only a handful
> of results (including a MS Whitepaper I am currently reading).
> 
> Does anyone know what this is exactly? We do not have Instant Messaging
> enabled on the server... my main concern is that the Username that was
> listed was my own!!! I've used Visual Route to trace the IP addresses
> back with marginal success (one got lost after a bunch of hops and the
> other ended up in Pittsburgh, PA).
> 
It's the Microsoft instant messenger trying to find information about
you; it's mostly harmless.  The reason that it contains your username is
that it's based on email address, so to find IM details for
bob <at> somewhere.com, it does a PROPFIND on the URL
http://somewhere.com/instmsg/aliases/bob.

All it means is someone got email from you, and looked to see if you had
compatible instant messaging as well (their mail clients may even do
this check automatically, I'm not sure).

> Any ideas or info would be greatly appreciated. Thanks!
> 
> 2002-12-19 17:35:28 65.119.193.141 - 192.168.43.17 80 PROPFIND
> /instmsg/aliases/<username> - 404 -
> 
> then a short time later
> 
> 2002-12-19 20:54:13 141.189.251.1 - 192.168.43.17 80 PROPFIND
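
A way to summarize the PROPFIND lookups discussed in this message, as an added example that is not part of the original thread: it groups `/instmsg/aliases/` requests by source address and alias so an admin can see who looked up which username. The field order is assumed from the log lines quoted above, and the sample lines, addresses and aliases are constructed.

```python
import re
from collections import defaultdict

# Field order assumed from the log lines quoted in the thread (IIS W3C
# extended format); match it to the #Fields: header of your own logs.
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "agent"]
ALIAS_RE = re.compile(r"^/instmsg/aliases/([^/]+)$", re.IGNORECASE)

# Constructed sample lines (documentation address ranges, made-up aliases).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-12-19 17:35:28 198.51.100.7 - 192.0.2.17 80 PROPFIND /instmsg/aliases/bob - 404 -
2002-12-19 17:36:02 198.51.100.7 - 192.0.2.17 80 GET /exchange/ - 401 -
2002-12-19 20:54:13 203.0.113.9 - 192.0.2.17 80 PROPFIND /instmsg/aliases/bob - 404 -
2002-12-19 20:54:15 203.0.113.9 - 192.0.2.17 80 PROPFIND /instmsg/aliases/alice - 404 -
2002-12-19 21:00:00 203.0.113.9 - 192.0.2.17 80 PROPFIND /instmsg/aliases/alice - 404 -
truncated line
"""

def im_alias_lookups(log_text):
    """Return {client_ip: {alias: [status, ...]}} for IM alias PROPFINDs."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip blanks and W3C directives
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed line or other field set
        rec = dict(zip(FIELDS, parts))
        match = ALIAS_RE.match(rec["uri_stem"])
        if rec["method"].upper() == "PROPFIND" and match:
            seen[rec["c_ip"]][match.group(1).lower()].append(rec["status"])
    return {ip: dict(aliases) for ip, aliases in seen.items()}

def summarize(lookups):
    """One row per source: (ip, aliases asked for, request count, non_404)."""
    rows = []
    for ip, aliases in sorted(lookups.items()):
        statuses = [s for codes in aliases.values() for s in codes]
        # non_404 is True when the server answered anything but "not found",
        # which is worth checking if instant messaging is meant to be disabled.
        rows.append((ip, sorted(aliases), len(statuses),
                     any(s != "404" for s in statuses)))
    return rows

if __name__ == "__main__":
    for row in summarize(im_alias_lookups(SAMPLE_LOG)):
        print(row)
```
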

Jimmy Sansi | 2 Jan 2003 19:47

RE: remote desktop question

SSH tunneling is a nice way of creating an encrypted tunnel.
Essentially with an SSH client program you set up the tunneling
rules and then authenticate and log on to the remote SSH host.
After establishing the connection you can use any of your existing
programs to tunnel inside the SSH session.

It requires a bit of setup but works very nicely and is relatively
'secure' from end to end. Best of all there are free or open
source programs to accomplish this. Just remember that encrypted
communication does not replace good security practices for keeping
the host machines patched and plugged.

www.openssh.org
www.chiark.greenend.org.uk/~sgtatham/putty/
http://hp.vector.co.jp/authors/VA002416/teraterm.html

-Jimmy

-----Original Message-----
From: scott [mailto:scottslists <at> barringtonlibrary.org]
Sent: Thursday, January 02, 2003 10:28 AM
To: security-basics <at> securityfocus.com
Subject: remote desktop question

hi,

this might be a stupid question but, is there any encryption used with
remote desktop.  also, if there is not is there any products (free or low
cost) that i can use to protect my remote desktop connections, such as vpn,
and what is the best way to set it up?

Jason Harris | 2 Jan 2003 22:29

RE: remote desktop question

If setting up a terminal server with Win2k and you want 128-bit then you'll
have to manually set that up through terminal services configuration under
the properties of the RDP-Tcp connections. The encryption level by default is
at medium (56-bit). You'll also need 128-bit support in the OS. As a note, if
you've made TS client disks before setting the encryption level to high
you'll need to recreate the client disks in order for them to work with high
encryption.  It seems that the remote desktop client that comes with XP can
automatically go between. 

-----Original Message-----
From: Elmar Klügel [mailto:ekluegel <at> web.de] 
Sent: Thursday, January 02, 2003 12:58 PM
To: security-basics <at> securityfocus.com
Cc: Stacy Olivas; scottslists <at> barringtonlibrary.org
Subject: Re: remote desktop question

On Thursday, 2 January 2003 19:33, Stacy Olivas wrote:
The RDP 4/5 (Microsoft) and ICA (Citrix) protocols are encrypted by design.

See an overview about ICA and RDP:

http://www.microsoft.com/windows2000/server/evaluation/features/rdp.asp

> Whenever I use Terminal Services (a.k.a Remote Desktop) I establish an ssh
> session and use the port forwarding feature
> to tunnel the ts session thru.
>
>
> -----Original Message-----
> From: scott [mailto:scottslists <at> barringtonlibrary.org]

