From: Mimi Carpenter (mcarpenterSAGPH.ORG)
Date: Fri Mar 30 2001 - 16:28:43 CST


    Geoff et al.,

    The server is Win2K (I didn't even know you could RUN IIS 5.0 on NT 4.0,
    sorry). The client for this test was UNIX -- I would have thought that
    that came from the client too, but given it was a Linux box that I was
    FTPing from...

    Thanks for the advo, will pass it on.

    --
    Mimi L. Carpenter, Network Security Engineer
    Screen Actors Guild Producers Pension and Health Plans
    mailto:mcarpentersagph.org
    I speak only for myself.
    

    -----Original Message-----
    From: Geoff Joy [mailto:geoffWINDOWMEISTER.COM]
    Sent: Thursday, March 29, 2001 11:05 PM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Re: Changing the banner on FTP service (IIS 5.0)?

    On Thu, 29 Mar 2001 16:45:59 -0800, Mimi Carpenter <mcarpenterSAGPH.ORG> wrote:

    >Hiya,
    >
    >I did look for this in TechNet, but I didn't find it. Apologies if it's
    >there and I missed it.
    >
    >We want to enable certain clients to ftp inbound to a server on our DMZ
    >running IIS 5.0 (FTP service only). When we do this, the output looks
    >like this:
    >
    >> ftp addressoffirewall
    >Connected to addressoffirewall.
    >220 servername Microsoft FTP Service (Version 5.0).
    >Name (addressoffirewall:name): username
    >331 Password required for username.
    >Password:
    >230-Welcome - Begin Transaction
    >230 User username logged in.
    >Remote system type is Windows_NT.
    >ftp> ls
    >200 PORT command successful.
    >150 Opening ASCII mode data connection for /bin/ls.
    >550 .: Access is denied.
    >ftp> put filename
    >local: filename remote: filename
    >200 PORT command successful.
    >150 Opening ASCII mode data connection for filename.
    >226 Transfer complete.
    >1850 bytes sent in 0.0192 secs (94 Kbytes/sec)
    >ftp> quit
    >221 End Transaction - Done
    >
    >The ftp proxy on the firewall is successfully handing me right to the
    >inside server, as I wanted, but what I DON'T want is for these two lines
    >to appear:
    >
    >220 servername Microsoft FTP Service (Version 5.0).
    >
    >and
    >
    >Remote system type is Windows_NT.
    >
    >How do I change the "220" message, and how do I change the OS
    >identification? I *assume* both are coming from the server.
    >
    >Thanks,

    Mimi,

    You don't say if you are using Windows NT 4.0 or Windows 2000. On my Windows 2000 system it does not display the "Remote system type..." line at the login. I think this must come from the client.

    The "Microsoft FTP Service" is hard-coded into the ftpsvc2.dll located in %SystemRoot%/system32/inetsrv. You might be able to hack the text with a hex editor and replace the dll at boot. My copy of the DLL is dated 7/7/2000 and comes from the Win2k SP1. Looking at the dll, the banner text begins at byte offset 10791 (0x2a27). There is a (%s) associated with this that probably refers to the "Version 5.0" text string at offset 7284 (0x1c74).

    Geoff Joy
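
An added example, not part of the thread or anyone's posted code: a Python check an administrator could run over a captured FTP session to confirm whether the 220 greeting or the reported system type still names the product, version or OS. The Unix ftp client prints its "Remote system type is ..." line from the server's reply to the SYST command (reply code 215), so both forms are checked. The keyword lists and the AFTER sample are assumptions constructed for illustration.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # FTP reply line: code, separator, text
PRODUCT = re.compile(r"microsoft|proftpd|vsftpd|wu-ftpd|pure-ftpd", re.I)  # assumed list
VERSION = re.compile(r"\d+\.\d+")
OS_NAME = re.compile(r"windows|linux|bsd|solaris|sunos", re.I)             # assumed list
CLIENT_SYST = re.compile(r"^Remote system type is (.+?)\.?$")

def parse_replies(lines):
    """Group server replies: 'NNN-' opens a multi-line reply, 'NNN ' closes it."""
    replies, pending = [], None
    for line in lines:
        m = REPLY.match(line)
        if pending:
            same = bool(m) and m.group(1) == pending[0]
            pending[1].append(m.group(3) if same else line)
            if same and m.group(2) == " ":
                replies.append((pending[0], "\n".join(pending[1])))
                pending = None
        elif m and m.group(2) == "-":
            pending = (m.group(1), [m.group(3)])
        elif m:
            replies.append((m.group(1), m.group(3)))
    return replies

def audit(transcript):
    """Return (kind, text) for each line that names the product, version or OS."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    findings = []
    for code, text in parse_replies(lines):
        if code == "220" and (PRODUCT.search(text) or VERSION.search(text)):
            findings.append(("220 greeting", text))
        if code == "215" and OS_NAME.search(text):      # raw SYST reply
            findings.append(("system type", text))
    for line in lines:                                  # SYST reply as the client prints it
        m = CLIENT_SYST.match(line)
        if m and OS_NAME.search(m.group(1)):
            findings.append(("system type", m.group(1)))
    return findings

# Samples: BEFORE is trimmed from the session quoted in the post; AFTER is constructed.
BEFORE = """\
220 servername Microsoft FTP Service (Version 5.0).
230-Welcome - Begin Transaction
230 User username logged in.
Remote system type is Windows_NT.
1850 bytes sent in 0.0192 secs (94 Kbytes/sec)
"""
AFTER = "220 FTP service ready.\n230 User username logged in.\nRemote system type is UNIX.\n"
print(audit(BEFORE), audit(AFTER))
```

Client-side lines such as the "1850 bytes sent" statistic are skipped because a reply code is exactly three digits followed by a space or hyphen.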

