Agreed. Use Vision [or Fport] from
www.foundstone.com/knowledge or
Active
Ports from
www.webattack.com/get/activeports.shtml or pslist / pstools
from
www.sysinternals.com to look at the open ports on your computer and the
program or executable using that port. Some firewall software such as
www.sygate.com will also tell you this information.
If that doesn't help, then try these things:
http://www.securityadmin.info/faq.asp?hacked
Note that hackers can and do install FTP software such as Serv-U FTP
which
can grab TCP ports 21 and/or 20 before IIS can. Sometimes Windows
Rootkits
are used to hide the existence of the FTP server. You can google search
for
pubstro or ftp-tagging for more info on this phenomenon. You will
sometimes
notice an unexplained drop in amount of free disk space on your hard
drive.
Maybe you've already been given this information, but here is information
on
troubleshooting the IIS account password, if that is the problem:
http://www.securityadmin.info/faq.asp?iwam
kind regards,
Karl Levinson, CISSP, CCSA, MCSE, MS MVP
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info
:
No problem. I sounds to me that you need to get to the bottom
of the "the address was already in use." message.
Sorry for not being clearer. First I tried just resetting the
password.
That didn't work, so I deleted the account and put it back in the
system.
When that didni't work I tried resetting NTFS by following the
procedure
outlined in that article I mentioned earlier. That didn't help
either.
The only reason I am suspecious of IIS is that we cn still log on the
server
to access our file services and other applications.
Another think I noticed on Friday. I deleted the Default FTP server
and
reinstalled it. I received an error message that "the address was
already
in
use." I am wondering if the previous tech installed an ftp server
I'm not
aware.
Thanks for the head up on the policy for logging. I'll check that
more
thoroughly on Monday.
And thanks in general. I am not a MS server person by a long shot.
My
suit
is IP networks and the like. I'm a niewbe in the MS world.
Mac
--
We are not Borg...
:
For one thing, keep in mind that what appears in the security
event log will depend on what has been configured to be logged
(see the local security policy in the audit section).
Since the password for ftp login travels the network in clear
text (unless within such as IPsec ESP communication) it can
be really only a matter of who is able to sniff the traffic. Then
you can change the password any you are at point where you
experience what you report.
So, are you saying that you have just now reset the password
to a known value with Windows and then altered the process
that tries to use this so it knows the new value, etc. and that
you still are getting this login failure?
Roger,
Thanks for your input. I thought the same thing as well as the
other
tech.
If you see my response to Steven, I provided more information
about
what I
did.
Mac
--
We are not Borg...
:
Why consider reinstall when it sounds like a matter of the
password having been changed, or not changed and expiring ?
Friends,
We are using IIS ftp to backup configuration files from remote
devices.
Up
until two week ago everything worked just fine. One of our
evening
call
center folks complained that the remote devices failed backup.
I was able to start an ftp connection from a client at another
location,
but
the password failed. I am getting ready to uninstall and
re-install
IIS,
but
thought I might check here first before major surgery.
