it takes 5 minutes to fix it up... and email support... they are quick/good about getting to stuff for me so far. (not to mention i sent them a LARGE basket of goodies!!)
tw

On 9/8/05, Matthew Blatchley <[EMAIL PROTECTED]> wrote:
> So your new dedicated came from CFdynamics? That sucks...so now I have to
> make sure too...damn it.
>
> ----- Original Message -----
> From: "Tony" <[EMAIL PROTECTED]>
> To: "CF-Community" <cf-community@houseoffusion.com>
> Sent: Thursday, September 08, 2005 8:26 AM
> Subject: Re: help!!
>
>
> > thanks kev. as you can imagine, i had a fun night, looking over the
> > whole box, it appears this was all through that ftp client, the files
> > have been whacked, the box has been cleaned, and re-doing it is just
> > not an option, but i think im good right now, and i have the guys at
> > the host doing a big once over today too...
> >
> > thanks
> > tony
> >
> > On 9/8/05, Kevin Graeme <[EMAIL PROTECTED]> wrote:
> >> This is a really old attack. As you're finding out, they scan for ftp
> >> servers that allow anonymous connections then use them as a distributed
> >> file sharing system for warez. In your case, for the medal of honor game.
> >> When they find some open storage space, they write a long string of
> >> directory structures and put segmented files onto your server. Then the
> >> location is distributed through the group's communication channels, often
> >> an IRC warez bot, and the group's members can then retrieve the files off
> >> your system.
> >>
> >> FlashFXP is a popular FTP software tool. In and of itself it's not an
> >> indicator of an attack or compromise. It's actually a really nice tool.
> >> It's commercial though and we're licensed here for a different one, but
> >> I'd use it if I had the option. One of the big features that it had before
> >> most other FTP software is the ability to do FXP transfers, or
> >> server-to-server ftp.
> >> http://www.inicom.net/pages/en.ffxp-home.php
> >>
> >> First thing I'd do is lock down the box. Disable anonymous ftp obviously.
> >> If you can, it's probably a good idea to disable FTP entirely and use SFTP
> >> instead and only open it to passworded user accounts you know you need.
> >> When logging into FTP, your credentials are sent as plain text that anyone
> >> can sniff if they try. SFTP is basically FTP that is run over a secure
> >> shell connection, encrypting the information much like how SSL works for
> >> web pages. Set up right and with a good software client it's exactly like
> >> using FTP, just secure.
> >>
> >> Since I don't know enough about what other risks this might have opened
> >> you up to, like IRC bots working on strange ports, I would be inclined to
> >> do a wipe and reinstall. It's a sledgehammer instead of a scalpel but I
> >> know that my security auditing skills aren't that good so I end up having
> >> to resort to drastic measures to make up for my lack of knowledge.
> >> Hopefully someone more skilled in such things (Jochem?) might be able to
> >> chime in.
> >>
> >> Good luck.
> >>
> >> -Kevin
> >>
> >>
> >> On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
> >> >
> >> > id rather not mention the name, until i find out what the fuck
> >> > is up.
> >> >
> >> > the ip of the box who up'd the files is
> >> >
> >> > 85.234.195.20
> >> >
> >> > i started to notice, some odd directories, but i thought it was
> >> > a sysadmin doing something... (69.250.12.29 is me)
> >> >
> >> > 05:58:35 69.250.12.29 [213]CWD .. 250 0
> >> > 05:58:36 69.250.12.29 [213]CWD .. 250 0
> >> > 05:58:38 69.250.12.29 [213]CWD .tag4 250 0
> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
> >> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
> >> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
> >> >
> >> > and then this cocksucker...
> >> > [EMAIL PROTECTED] get the bright idea to download
> >> > the files...
> >> >
> >> > 08:23:34 85.234.195.20 [211]closed - 421 121
> >> > 10:06:25 85.234.195.20 [214]USER anonymous 331 0
> >> > 10:06:25 85.234.195.20 [214]PASS [EMAIL PROTECTED] 230 0
> >> > 10:06:25 85.234.195.20 [214]CWD
> >> > /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
> >> >
> >> > and then i think he thought about logging in with his normal info...
> >> > and changed his identity.... (the guilt got to him.)
> >> >
> >> > /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
> >> > 10:06:59 85.234.195.20 [216]USER anonymous 331 0
> >> > 10:06:59 85.234.195.20 [216]PASS [EMAIL PROTECTED] 0
> >> > 10:06:59 85.234.195.20 [216]CWD
> >> >
> >> > not sure what he is doing here... but he does this to EVERY File.
> >> >
> >> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.001 350 0
> >> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.001+./+/250 0
> >> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.002 350 0
> >> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.002+./+/250 0
> >> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.003 350 0
> >> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.003+./+/250 0
> >> > 10:07:01 85.234.195.20 [216]RNFR MOHDAEF.004 350 0
> >> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.004+./+/250 0
> >> >
> >> > then a couple more fucknuts show up...
> >> >
> >> > 20:16:36 213.213.212.18 [224]USER anonymous 331 0
> >> > 20:16:36 213.213.212.18 [224]PASS [EMAIL PROTECTED] 0
> >> > 22:08:25 80.138.33.123 [225]USER anonymous 331 0
> >> > 22:08:25 80.138.33.123 [225]PASS [EMAIL PROTECTED] 230 0
> >> > 22:08:41 80.138.33.123 [226]USER anonymous 331 0
> >> > 22:08:41 80.138.33.123 [226]PASS [EMAIL PROTECTED] 230 0
> >> >
> >> > one recurring one though... [EMAIL PROTECTED]
> >> >
> >> > so. what to do? send complaints? where do i start?
> >> >
> >> > thanks for any help.
> >> > tony
> >> >
> >> >
> >> > On 9/8/05, Cameron Childress <[EMAIL PROTECTED]> wrote:
> >> > > On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
> >> > > > do you think someone dropped a game on my box to burn it?
> >> > >
> >> > > Where is this box hosted? Some of the guys at ACFUG once caught a
> >> > > customer support person at Interland surfing porn on their shared
> >> > > hosting machine.
> >> > >
> >> > > Anything is possible.
> >> > >
> >> > > -Cameron
> >> > >
> >> >
> >> > --
> >> > ....tony
> >> >
> >> > Tony Weeg
> >> > tonyweeg [at] gmail [dot] com
> >> >
> >> >
> >>
> >
> >
>
>

Message: http://www.houseoffusion.com/lists.cfm/link=i:5:173267
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5
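The log lines Tony pasted above (time, client IP, [session]command argument, FTP status, Win32 status, the layout the IIS FTP service writes) carry all the signs of the drop Kevin describes: anonymous logins, CWDs into hidden, '+'-padded directories named after DOS devices (the lpt5/com0 tree), and RNFR/RNTO renames across every segment. As an added example, not code from the thread or from any of its posters, here is a small Python triage script that parses that log format and flags those patterns per session, so an admin can see at a glance which anonymous sessions touched the drop tree. The sample lines are constructed on the model of the quoted excerpt (the IPs are the ones in the thread, the PASS identity and the "alice" session are placeholders).

```python
import re

# Constructed sample modelled on the IIS FTP log excerpt quoted in the thread.
# Field layout: time, client IP, [session]COMMAND argument, FTP status, Win32 status.
# IPs are the ones in the thread; PASS identities and the "alice" session are made up.
SAMPLE_LOG = """\
05:58:38 69.250.12.29 [213]CWD .tag4 250 0
05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
08:23:34 85.234.195.20 [211]closed - 421 121
10:06:25 85.234.195.20 [214]USER anonymous 331 0
10:06:25 85.234.195.20 [214]PASS anon@example.invalid 230 0
10:06:25 85.234.195.20 [214]CWD /.tag4/+++.++++lpt5/++.++com0/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
10:06:59 85.234.195.20 [216]USER anonymous 331 0
10:06:59 85.234.195.20 [216]PASS anon@example.invalid 230 0
10:06:59 85.234.195.20 [216]RNFR MOHDAEF.001 350 0
10:06:59 85.234.195.20 [216]RNTO MOHDAEF.001+./+/ 250 0
20:16:36 213.213.212.18 [224]USER anonymous 331 0
22:08:25 80.138.33.123 [225]USER anonymous 331 0
11:00:00 10.0.0.5 [230]USER alice 331 0
11:00:01 10.0.0.5 [230]PASS - 230 0
11:00:02 10.0.0.5 [230]CWD /reports/2005 250 0
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<ip>\S+) \[(?P<session>\d+)\](?P<cmd>\w+)"
    r"(?: (?P<arg>.*?))? (?P<status>\d{3}) (?P<win32>\d+)$"
)

# DOS device names. A directory named after one is awkward to list or delete
# with standard Windows tools, which is why drop trees are built from them.
DEVICE_RE = re.compile(r"^(con|prn|aux|nul|com\d|lpt\d)$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def path_flags(path):
    """Reasons a CWD target looks like a drop directory rather than normal use."""
    reasons = set()
    for comp in path.split("/"):
        core = comp.strip("+")                  # IIS logs spaces as '+'; droppers pad with them
        if core.startswith(".") and core.strip("."):
            reasons.add("hidden")               # leading dot hides it from casual listings ('.' and '..' excluded)
        if DEVICE_RE.match(core.strip(".+")):
            reasons.add("device-name")
    return reasons


def analyze(log_text):
    """Correlate anonymous logins, drop-style CWDs and renames by session."""
    anon_sessions, anonymous_logins, anon_identities = set(), {}, {}
    suspicious_cwd, renames = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cmd, arg = rec["cmd"].upper(), rec["arg"] or ""
        session, ip = rec["session"], rec["ip"]
        if cmd == "USER" and arg.lower() == "anonymous":
            anon_sessions.add(session)
            anonymous_logins[ip] = anonymous_logins.get(ip, 0) + 1
        elif cmd == "PASS" and session in anon_sessions:
            # The "password" of an anonymous login is whatever identity the client
            # offers; a recurring one ties sessions and source IPs together.
            anon_identities.setdefault(arg, set()).add(ip)
        elif cmd == "CWD":
            reasons = path_flags(arg)
            if reasons:
                suspicious_cwd.append((ip, session, arg, sorted(reasons)))
        elif cmd == "RNTO":
            renames[session] = renames.get(session, 0) + 1
    # Sessions worth an incident note: anonymous, and either walked the drop
    # tree or renamed files in it.
    flagged = {s for _, s, _, _ in suspicious_cwd if s in anon_sessions}
    flagged |= set(renames) & anon_sessions
    return {
        "anonymous_logins": anonymous_logins,
        "anon_identities": {k: sorted(v) for k, v in anon_identities.items()},
        "suspicious_cwd": suspicious_cwd,
        "renames": renames,
        "flagged_sessions": sorted(flagged),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("anonymous logins by IP:", report["anonymous_logins"])
    print("identities offered:", report["anon_identities"])
    for ip, session, path, why in report["suspicious_cwd"]:
        print(f"session {session} from {ip}: CWD {path} [{', '.join(why)}]")
    print("renames per session:", report["renames"])
    print("sessions to investigate:", report["flagged_sessions"])
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. The point of flagging sessions rather than single lines is the one Kevin makes: an anonymous login on its own is just the misconfiguration, and a dotted directory on its own might be an admin; it is the combination (anonymous session, then a walk into a device-named tree or a burst of renames) that identifies the drop, and the identity string offered at PASS lets you group the visitors Tony saw returning across the day.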