FTP

Craig

How can I shut down ftp from being accessed? I have a
win2k server with sbs on it, and I want to shut down the
ftp access so it won't get hacked again?
Thanks
Craig
 
Scott Harding - MS MVP

Remove the FTP service from Add/Remove Programs|Windows Components. Or
disable the service in services. Or do not allow anonymous access and use
strong passwords for your users or do not allow write access to the ftp
site.
 
Lanwench [MVP - Exchange]

You can stop the FTP service itself. However, if you're talking about
securing your server/network from the Internet, you need to get a good
firewall and place it between your network & Internet router.
 
Craig

Ok FTP is NOT installed under add/remove programs, is there
somewhere else it would be. Let me explain a little better.
I have a customer that has windows 2000 sbs, under inetpub
there is a folder called scripts, under that was a folder
called ftp, in there someone hacked it and put several
warez files in there. Now it will not let me delete these
files so I moved them from the inetpub\scripts\ftp folder
to a folder called remove. I still could not delete that
folder, I tried to rename it, deltree, del .., everything I
could think of and it is still there. That is the reason I
was asking about the ftp. Now I only have 2 ports open on
the router, port 3389 and 5900, nothing else is open. What
can be done?
Thanks
Craig
 
Chris

Hi Craig,

If the Windows FTP server is not running, it is possible
the customer is running a 3rd party FTP server.

Normally, blocking port 21 from incoming traffic would
disable all FTP access to the computer, but it is also
possible that a 3rd party FTP server package could be
configured to listen on a different port. You can try to
FTP to their computer through one of the ports that is
still open to see if this is the case.

As for the files you can't delete, I've had this problem
before, too. It happens because the filenames contain
characters that are filtered by Windows Explorer (most
commonly, a space at the end of this filename). The
easiest way to delete these is to use a dedicated FTP
client (CuteFTP, WSFTP, etc.), log into the machine, and
delete them with the FTP client. Barring that, you'd
have to write a small program that uses an OS API
function directly to delete the files. Another
possibility might be to try moving them to a floppy drive
with explorer, then formatting the floppy. I'm not sure
if that would work, but it might since Explorer lets you
move the files between directories.

Hope this helps,

- Chris
 
Jeff Cochran

> Ok FTP is NOT installed under add/remove programs, is there
> somewhere else it would be.

Add/Remove programs, Windows Component?

> Let me explain a little better.
> I have a customer that has windows 2000 sbs, under inetpub
> there is a folder called scripts, under that was a folder
> called ftp, in there someone hacked it and put several
> warez files in there. Now it will not let me delete these
> files so I moved them from the inetpub\scripts\ftp folder
> to a folder called remove. I still could not delete that
> folder, I tried to rename it, deltree, del .., everything I
> could think of and it is still there. That is the reason I
> was asking about the ftp. Now I only have 2 ports open on
> the router, port 3389 and 5900, nothing else is open. What
> can be done?

Uninstall FTP if you don't use it. Stop the service if you have a
valid reason for not uninstalling it. If it isn't running, then it
isn't an issue and you got hacked elsewhere (there's no magic to a
folder named FTP). It's quite possible you've been compromised and a
version of FTPServU is running on your system, possibly using a
non-standard port.

First, get rid of the files:

How to Remove Files with Reserved Names in Windows:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;120716
You Cannot Delete a File or a Folder
http://support.microsoft.com/?id=320081

Now analyze your system and secure it:

http://securityadmin.info/
http://www.microsoft.com/security/

Best bet is wipe the system, reinstall and restore known good data
from backup. Secure it before you put it back on the internet.

Jeff
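
Chris's and Jeff's point about an FTP server listening on a non-standard port can be checked from the server itself. The following is an added example, not code from any poster in this thread: it reads `netstat -an` output, lists the listening TCP ports, and reports which of them greet a new connection with a `220` reply. The sample output, port 60021 and all function names are constructed for illustration.

```python
import re
import socket

# Constructed `netstat -an` sample (not from the thread); 60021 is a made-up port.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:60021          0.0.0.0:0              LISTENING
  TCP    192.168.16.2:3389      203.0.113.7:51522      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)

def listening_tcp_ports(netstat_text):
    """Return the sorted TCP ports shown in LISTENING state."""
    return sorted({int(p) for p in LISTEN_RE.findall(netstat_text)})

def is_220_greeting(first_line):
    """True for a '220 ' or '220-' reply. FTP greets this way, and so does SMTP."""
    return re.match(r"220[ -]", first_line) is not None

def read_greeting(port, host="127.0.0.1", timeout=3.0):
    """Return the first line a service sends on connect, or '' if none."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(512)
    except OSError:  # refused, timed out, or a service that waits for the client
        return ""
    lines = data.decode("latin-1").splitlines()
    return lines[0] if lines else ""

def ftp_candidates(netstat_text, expected=(25,), probe=read_greeting):
    """Map port -> greeting for listeners that answer 220 and are not expected to."""
    hits = {}
    for port in listening_tcp_ports(netstat_text):
        if port in expected:
            continue  # e.g. the server's own SMTP service
        banner = probe(port)
        if is_220_greeting(banner):
            hits[port] = banner
    return hits

if __name__ == "__main__":
    print(ftp_candidates(SAMPLE_NETSTAT))
```

Feed it the real `netstat -an` output captured on the server; any port it reports is a candidate to trace back to the process that owns it.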


 
Craig

I don't see any 3rd party ftp programs on there and the
customer has no clue what even ftp means.. I tried to get
to the ports that are open but I cannot get through to the
server, so unless they got into the router somehow and
changed something in there.. I don't know ?? Any help
would be great.. BTW they (whoever put these files on
here) are using 22 GIG of HD space for their stuff..
Mostly movies.. I will be hanging another drive on the
server and copying it across to there and then formatting
the hard drive... That is the only way I can see how to
get rid of it..
Again any help would be great on how someone got in.

Craig
 
TDM

A common security compromise is to use an unsecure machine
for file storage/transfer. I too guess that you have been compromised
based on what you have stated.

You mention you are going to nuke the server anyway so this may
be a moot point, but try going to a command shell. Drill down
to the folder that contains the files in question, then view the old
dos 8.3 shortname with "dir /x". Then delete the file using
the shortname. This has worked for me on occasion when the
file names have funky chars.

TDM
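
The undeletable files discussed by Chris (names ending in a space) and in the reserved-names article Jeff links can also be handled with a small script, as an added example that is not from any poster in this thread. It flags names that Win32 path normalization mishandles and builds a `\\?\` path for each, a prefix that makes Windows pass the name to the file system unmodified. It assumes Python 3 on the Windows machine; the function names and sample file names are constructed.

```python
import os
import re

# Device names Win32 reserves; a file with one of these names cannot be opened by a normal path.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}

def name_problem(name):
    """Return why Win32 path normalization mishandles this name, or None."""
    if name != name.rstrip(" ."):
        return "trailing space or dot"
    if name.split(".")[0].strip().upper() in RESERVED:
        return "reserved device name"
    return None

def extended_path(directory, name):
    r"""Build a \\?\ path; `directory` must be an absolute drive path like C:\remove."""
    if not re.match(r"[A-Za-z]:\\", directory):
        raise ValueError("need an absolute drive path such as C:\\remove")
    return "\\\\?\\" + directory.rstrip("\\") + "\\" + name

def plan_cleanup(directory, names):
    """Return (name, reason, extended path) for each entry that needs the prefix."""
    return [(n, name_problem(n), extended_path(directory, n))
            for n in names if name_problem(n)]

def delete_flagged(directory):
    """Windows only: delete flagged files in `directory`; return the paths removed."""
    removed = []
    for _name, _reason, path in plan_cleanup(directory, os.listdir(directory)):
        if os.path.isfile(path):
            os.remove(path)
            removed.append(path)
    return removed

if __name__ == "__main__":
    # Constructed directory listing, for a dry run that touches nothing.
    sample = ["movie.avi ", "aux", "readme.txt", "lpt1.txt", "dir."]
    for name, reason, path in plan_cleanup("C:\\remove", sample):
        print(repr(name), reason, path)
```

Run `plan_cleanup` first to review what would be touched; `delete_flagged` removes files only and leaves flagged directories in place.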
 
