Thursday, April 28, 2005

FTP Compromised

Well, I've allowed myself to be hacked. Damn, that's disappointing. I've not been paying close enough attention. Interestingly, I discovered the problem while investigating why my website was so slow and my FTP access was messed up.

Hackers or crackers, whatever, these warez people create folders to upload and download illegal software, music and movies. I ended up with a number of directories that I could not easily remove. You hackers know what I'm talking about: using high ASCII characters and reserved device names (COM1, LPT1 and the like) to make the folders difficult to remove.

Here is the way to remove these directories if you run across them.

  1. Stop your FTP service or IIS entirely.
  2. Open up a command prompt (Start, Run, type CMD and hit enter)
  3. Navigate to your FTP directory using the CD command. (example: cd C:\ftproot\files)
  4. Once there, if you do a standard DIR command it'll show the invalid directories, but with their long file names with invalid characters. You won't be able to delete them with Windows Explorer.
  5. Instead of DIR, try DIR /X. This forces the DIR command to include the old 8.3 short file name, often something like bignam~1.
  6. Now you can use the RD command (remove directory), but it also requires a couple of switches to work properly. If you leave them off, Windows will tell you the directory is not empty. So the command is RD /Q /S foldername. Using the example folder name above, the command would be RD /Q /S bignam~1. Depending on how much junk was loaded into those folders, it may take a few seconds for the command line to return, but once it does the folder is gone.
  7. Repeat for all hacker folders. Be sure to look through all your legitimate folders too; they'll sometimes hide the warez folders inside them.
  8. Run the IIS Lockdown tool from Microsoft. It'll help make your system more secure.
  9. Once that is done, confirm that you do not have anonymous access to your FTP server, or make certain that write access is not allowed. If you need to allow write access and also allow anonymous download-only access, you'll need to set up two FTP servers: one that is your locked-down one and one that is for anonymous access. I personally disallow anonymous access.
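To save running DIR /X by hand through every folder, here is an added PowerShell script (not part of the original post) that scans an FTP root for directory names using reserved device names or non-printable characters, prints the 8.3 short name DIR /X would show, and only with -Remove deletes them using RD /Q /S. It assumes a hypothetical script name and uses the \\?\ path prefix (which makes Windows take the name literally) in place of typing the short name; the reserved-name list and the C:\ftproot\files path are the post's own.

```powershell
<#
  Find-WarezDirs.ps1 (hypothetical name, added example)
  Report-only by default: lists suspect directories under -Root.
  With -Remove, deletes each one with RD /Q /S, as in step 6 above.
  Usage: .\Find-WarezDirs.ps1 -Root C:\ftproot\files [-Remove]
#>
param(
    [Parameter(Mandatory)][string]$Root,
    [switch]$Remove
)

# DOS device names that Explorer cannot delete, with or without an extension.
$reserved     = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'
# Anything outside printable 7-bit ASCII ("high ascii", invisible characters).
$nonPrintable = '[^\x20-\x7E]'

# Scripting.FileSystemObject exposes the 8.3 short path that DIR /X prints.
$fso = New-Object -ComObject Scripting.FileSystemObject

$suspects = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $reserved -or $_.Name -match $nonPrintable }

foreach ($dir in $suspects) {
    $reason = if ($dir.Name -match $reserved) { 'reserved device name' } else { 'non-printable characters' }

    # Short-name lookup can fail on device-name folders; report the long path then.
    try   { $shortPath = $fso.GetFolder($dir.FullName).ShortPath }
    catch { $shortPath = '(unavailable)' }

    [pscustomobject]@{
        Path      = $dir.FullName
        ShortPath = $shortPath
        Reason    = $reason
    }

    if ($Remove) {
        # \\?\ tells the Win32 layer to skip name parsing, so COM1-style names and
        # trailing dots or spaces are removed literally. Same switches as step 6.
        cmd.exe /c rd /q /s "\\?\$($dir.FullName)"
    }
}
```

Run it once without -Remove and review the list against your legitimate folders first, since a genuine folder with an accented name would also match the non-printable rule.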

So how did I get caught? Well I'm not entirely certain but I suspect it had to do with a recent move of my server. I had the whole site on a different drive and then had to move it because of an upgrade.

Am I certain I'm safe? No not entirely, but you can bet I'll be blocking some IPs at the firewall.

Do I hate the people who did this? No, but they are irritating. However, I put myself in this boat by not being diligent. Anyone who puts a server on the Internet needs to remain vigilant. This was my mistake, and hopefully the steps I took will prevent further access. If not, my FTP server may just have to be turned off completely, or only turned on when I need to use it. Either would be a lot safer.

As security experts and hackers say from time to time, the only way your PC is 100% safe is to unplug it from the Internet. Some go as far as to say unplugging it from the wall (turned off), but that's a bit extreme.

I hope the steps above help others, but the bottom line is that if you run IIS you have to be careful.

Keywords: IIS, FTP, Hacker, directory, com1, lpt, tagged, upped, high ascii, invisible characters, warez

SCREEN SHOTS (removed 12/05/2006)
