Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Ben Jones (Ben.JonesMORGANSTANLEY.COM)
Date: Tue May 01 2001 - 06:23:41 CDT
"CL: Nelson, Jeff" wrote:
> Good afternoon,
> I would appreciate it if somebody could shed some light on some things I've
> come upon with regard to our web server.
> In the ftproot directory I came upon a folder with no name. There were other
> folders inside this one, one folder per folder, nested 13 levels deep and
> then 3 files. The folder these files were in was
> 04.19.01.X-COM_Enforcer-Razor1911. I've not heard of this before.
Just to add to what others have said, you were probably victim to
fxp-ers. They scan subnets for port 21, then for anon ftp sites with
write access. Your site is just a winnt site, used as a "pub" for
people to access the servers. Much more prized are the high-bandwidth
unix dump sites. Using something like flashfxp, pirate software can be
directly ftp'd from the dump site to the pub from a remote client
(probably hiding behind an anon proxy). The filenames are to keep them
a little more obscure from most ftp clients, and windows. This is just
to try and keep them safer from sysadmins such as yourself, and the
"deleters" that follow the warez-kiddie playground game. I think it is
extremely unlikely that your server has been compromised in any way.
Just either disabling the anon account, or getting rid of write access
will do. We just dropped a text file in the directory saying "we know
what you were doing, but we have neither the disk space nor the
bandwidth for you, sorry", disabled write access and the just carried on
scanning for someone else instead.
-- All views are my own and have nowt to do with my employer