yeah...I checked it out...things seem to be ok...  had me worried for a 
second.  I just switched to CFDynamics because HMS wouldn't match the 
price....

----- Original Message ----- 
From: "Tony" <[EMAIL PROTECTED]>
To: "CF-Community" <cf-community@houseoffusion.com>
Sent: Thursday, September 08, 2005 9:03 AM
Subject: Re: help!!


> it takes 5 minutes to fix it up... and email support... they are
> quick/good about getting to stuff for me so far.  (not to mention i
> sent them a LARGE basket of goodies!!)
>
> tw
>
>
>
> On 9/8/05, Matthew Blatchley <[EMAIL PROTECTED]> wrote:
>> So your new dedicated came from CFdynamics?  That sucks...so now I have to
>> make sure too...damn it.
>>
>> ----- Original Message -----
>> From: "Tony" <[EMAIL PROTECTED]>
>> To: "CF-Community" <cf-community@houseoffusion.com>
>> Sent: Thursday, September 08, 2005 8:26 AM
>> Subject: Re: help!!
>>
>>
>> > thanks kev.  as you can imagine, i had a fun night, looking over the
>> > whole box, it appears this was all through that ftp client, the files
>> > have been whacked, the box has been cleaned, and re-doing it is just
>> > not an option, but i think im good right now, and i have the guys at
>> > the host doing a big once over today too...
>> >
>> > thanks
>> > tony
>> >
>> > On 9/8/05, Kevin Graeme <[EMAIL PROTECTED]> wrote:
>> >> This is a really old attack. As you're finding out, they scan for ftp
>> >> servers that allow anonymous connections then use them as a distributed
>> >> file sharing system for warez. In your case, for the medal of honor game.
>> >> When they find some open storage space, they write a long string of
>> >> directory structures and put segmented files onto your server. Then the
>> >> location is distributed through the group's communication channels, often
>> >> an IRC warez bot, and the group's members can then retrieve the files off
>> >> your system.
>> >>
>> >> FlashFXP is a popular FTP software tool. In and of itself it's not an
>> >> indicator of an attack or compromise. It's actually a really nice tool.
>> >> It's commercial though and we're licensed here for a different one, but
>> >> I'd use it if I had the option. One of the big features that it had
>> >> before most other FTP software is the ability to do FXP transfers, or
>> >> server-to-server ftp.
>> >> http://www.inicom.net/pages/en.ffxp-home.php
>> >>
>> >> First thing I'd do is lock down the box. Disable anonymous ftp obviously.
>> >> If you can, it's probably a good idea to disable FTP entirely and use
>> >> SFTP instead and only open it to passworded user accounts you know you
>> >> need. When logging into FTP, your credentials are sent as plain text that
>> >> anyone can sniff if they try. SFTP is basically FTP that is run over a
>> >> secure shell connection, encrypting the information much like how SSL
>> >> works for web pages. Set up right and with a good software client it's
>> >> exactly like using FTP, just secure.
>> >>
>> >> Since I don't know enough about what other risks this might have opened
>> >> you up to, like IRC bots working on strange ports, I would be inclined to
>> >> do a wipe and reinstall. It's a sledgehammer instead of a scalpel but I
>> >> know that my security auditing skills aren't that good so I end up having
>> >> to resort to drastic measures to make up for my lack of knowledge.
>> >> Hopefully someone more skilled in such things (Jochem?) might be able to
>> >> chime in.
>> >>
>> >> Good luck.
>> >>
>> >> -Kevin
>> >>
>> >>
>> >> On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
>> >> >
>> >> > id rather not mention the name, until i find out what the fuck
>> >> > is up.
>> >> >
>> >> > the ip of the box who up'd the files is
>> >> >
>> >> > 85.234.195.20
>> >> >
>> >> > i started to notice, some odd directories, but i thought it was
>> >> > a sysadmin doing something... (69.250.12.29 is me)
>> >> >
>> >> > 05:58:35 69.250.12.29 [213]CWD .. 250 0
>> >> > 05:58:36 69.250.12.29 [213]CWD .. 250 0
>> >> > 05:58:38 69.250.12.29 [213]CWD .tag4 250 0
>> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> >> > 05:58:40 69.250.12.29 [213]CWD .++++lpt5 550 2
>> >> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
>> >> > 05:58:40 69.250.12.29 [213]CWD /.tag4/.++++lpt5 550 2
>> >> >
>> >> > and then this cocksucker...
>> >> > [EMAIL PROTECTED] get the bright idea to download
>> >> > the files...
>> >> >
>> >> > 08:23:34 85.234.195.20 [211]closed - 421 121
>> >> > 10:06:25 85.234.195.20 [214]USER anonymous 331 0
>> >> > 10:06:25 85.234.195.20 [214]PASS [EMAIL PROTECTED] 230 0
>> >> > 10:06:25 85.234.195.20 [214]CWD /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
>> >> >
>> >> > and then i think he thought about logging in with his normal info...
>> >> > and changed his identity.... (the guilt got to him.)
>> >> >
>> >> > /.tag4/+++.++++lpt5/++.ÿ+++lpt4/++.++com0/[EMAIL PROTECTED]/++[[Bender+scan+--+K.I.T.T+tagg]]/++.K.I.T.T/Medal+of+Honnor-En+Formation 250 0
>> >> > 10:06:59 85.234.195.20 [216]USER anonymous 331 0
>> >> > 10:06:59 85.234.195.20 [216]PASS [EMAIL PROTECTED] 0
>> >> > 10:06:59 85.234.195.20 [216]CWD
>> >> >
>> >> > not sure what he is doing here... but he does this to EVERY File.
>> >> >
>> >> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.001 350 0
>> >> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.001+./+/250 0
>> >> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.002 350 0
>> >> > 10:06:59 85.234.195.20 [216]RNTO MOHDAEF.002+./+/250 0
>> >> > 10:06:59 85.234.195.20 [216]RNFR MOHDAEF.003 350 0
>> >> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.003+./+/250 0
>> >> > 10:07:01 85.234.195.20 [216]RNFR MOHDAEF.004 350 0
>> >> > 10:07:01 85.234.195.20 [216]RNTO MOHDAEF.004+./+/250 0
>> >> >
>> >> > then a couple more fucknuts show up...
>> >> >
>> >> > 20:16:36 213.213.212.18 [224]USER anonymous 331 0
>> >> > 20:16:36 213.213.212.18 [224]PASS [EMAIL PROTECTED] 0
>> >> > 22:08:25 80.138.33.123 [225]USER anonymous 331 0
>> >> > 22:08:25 80.138.33.123 [225]PASS [EMAIL PROTECTED] 230 0
>> >> > 22:08:41 80.138.33.123 [226]USER anonymous 331 0
>> >> > 22:08:41 80.138.33.123 [226]PASS [EMAIL PROTECTED] 230 0
>> >> >
>> >> > one recurring one though... [EMAIL PROTECTED]
>> >> >
>> >> > so. what to do? send complaints? where do i start?
>> >> >
>> >> > thanks for any help.
>> >> > tony
>> >> >
>> >> >
>> >> > On 9/8/05, Cameron Childress <[EMAIL PROTECTED]> wrote:
>> >> > > On 9/7/05, Tony <[EMAIL PROTECTED]> wrote:
>> >> > > > do you think someone dropped a game on my box to burn it?
>> >> > >
>> >> > > Where is this box hosted? Some of the guys at ACFUG once caught a
>> >> > > customer support person at Interland surfing porn on their shared
>> >> > > hosting machine.
>> >> > >
>> >> > > Anything is possible.
>> >> > >
>> >> > > -Cameron
>> >> > >
>> >> >
>> >> > --
>> >> > ....tony
>> >> >
>> >> > Tony Weeg
>> >> > tonyweeg [at] gmail [dot] com
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
> 


Message: http://www.houseoffusion.com/lists.cfm/link=i:5:173272
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5