MAJOR PROBLEM. Illegal Movies found deep on my server.

Winchester

Diamond Member
Jan 21, 2003
4,965
0
0
It seems somehow someone figured out how to get into our FTP server; the service was turned on, but no one has access. We have been running out of space repeatedly over the past month or so, down to <2mb on several occasions, since we moved to new servers and Windows Server 2003.

Anyway, tonight, I sat down and began to setup the FTP server and found several movies in rar files.

Here are the dir structures of where the movies were located.

"C:\Inetpub\ftproot\ x 1436\90528813\90702883\90850335\90868712\90870534\91694900\91734507\91734917\91738883\92240404\92240955\92250529\92251610\ ;scanned.bY.Simfrob. ;\Stuff\93604446\93646506\93660706\93662589\94005042\ ;here;\cd2\pun-cd2.part17.rar"

C:\Inetpub\ftproot\Badmail\ send\ ..... %$$% g0 0uT\ 555555555 hoffnungslos 5555555555



Does this mean anything to anyone? What do I need to do?

Port 21 was not even open on our router.
 

Mellman

Diamond Member
Jul 9, 2003
3,083
0
76
you got pl0wned....basically...someone portscanned, saw you had an ftp, said ok, logged into said ftp, and used your inet connection and your HD to setup a public ftp for people to leech off of.


What to do? If you're not using the ftp service... why is it on? And are you sure it wasn't internal employees who set up said ftp server? The random chars and such were all used to make it harder for you to find.
 

Winchester

Diamond Member
Jan 21, 2003
4,965
0
0
But the FTP port on the firewall is not even open, just http, would that make a difference?

The first one might be a game, didn't notice it until now, the 2nd one is a movie, I googled it, I just didn't post the file name.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
netstat -an should tell you what ports are open. Maybe FTP is listening to another port.

You definitely got 0wned. Thanks for the bandwidth, enjoy the games, watch for the FBI, and have a great day!
 

nboy22

Diamond Member
Jul 18, 2002
3,304
1
81
Somebody definitely rooted your computer. If it is a fast connection, it's most likely IRC hackers that hacked into your computer and are storing all the files there for an ftp, although they may have added an XDCC bot with iroffer. Most things you can check for are files running in your task manager that you have never seen before; do some research on google. Also, if there is an extra, say, svchost.exe running under your admin account you should be concerned, because that is probably one of the access programs they are using for the XDCC bot or FTP. You need to get to the root of these files and delete them all, then you need to disable file sharing protocols, make sure the guest account is disabled, make sure all accounts have strong passwords, and make sure that all accounts actually have passwords.
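Putting n0cmonkey's netstat check and nboy22's svchost check together, as an added example that is not from the thread: it parses constructed `netstat -ano` and `tasklist /v /fo csv` output (both commands exist on Windows Server 2003), joins them by PID, and flags any listener outside an assumed port baseline plus any svchost.exe not running as SYSTEM, LOCAL SERVICE or NETWORK SERVICE. The port baseline and the sample output are assumptions; on a real box, run the two commands, save their output and feed it to the same functions.

```python
"""Join `netstat -ano` with `tasklist /v /fo csv`: who owns each listening port,
and does any svchost.exe run outside the three service accounts?
Added example, not from the thread; both samples below are constructed."""
import csv, io, re

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING       2204
  TCP    10.0.0.5:3128          203.0.113.77:51422     ESTABLISHED     2204
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:11","N/A"
"svchost.exe","740","Console","0","4,912 K","Running","NT AUTHORITY\\SYSTEM","0:00:02","N/A"
"inetinfo.exe","1588","Console","0","9,120 K","Running","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"svchost.exe","2204","Console","0","3,044 K","Running","SERVER\\Administrator","0:01:40","N/A"
"""
# Accounts svchost.exe legitimately runs under; anything else deserves a look.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
EXPECTED_PORTS = {80, 135, 445}   # assumption: what this web box should serve
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_tasklist(text):
    """Map PID -> (image name, user name) from `tasklist /v /fo csv` output."""
    return {int(r["PID"]): (r["Image Name"], r["User Name"])
            for r in csv.DictReader(io.StringIO(text))}

def listeners(netstat_text, procs):
    """[(port, pid, image, user)] for every TCP LISTENING line in netstat -ano."""
    out = []
    for m in (LISTEN_RE.match(line) for line in netstat_text.splitlines()):
        if m:
            port, pid = int(m.group(1)), int(m.group(2))
            out.append((port, pid) + procs.get(pid, ("<unknown>", "<unknown>")))
    return out

def findings(netstat_text, tasklist_text):
    """Human-readable list of things that do not match the baseline."""
    procs = parse_tasklist(tasklist_text)
    notes = [f"unexpected listener: port {port} pid {pid} {image} ({user})"
             for port, pid, image, user in listeners(netstat_text, procs)
             if port not in EXPECTED_PORTS]
    notes += [f"svchost.exe pid {pid} running as {user}, not a service account"
              for pid, (image, user) in procs.items()
              if image.lower() == "svchost.exe" and user.upper() not in SERVICE_ACCOUNTS]
    return notes
```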
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: BingBongWongFooey
rooted? they just got into the ftpd.

Maybe. Maybe not. Hard to tell without some investigation. ;)

But I support this totally. I've found some great stuff on some of these FTP servers. :eek:
 

oldman420

Platinum Member
May 22, 2004
2,179
0
0
Originally posted by: n0cmonkey
Originally posted by: BingBongWongFooey
rooted? they just got into the ftpd.

Maybe. Maybe not. Hard to tell without some investigation. ;)

But I support this totally. I've found some great stuff on some of these FTP servers. :eek:

so then it would be ok for me to park in your garage and use your kitchen while you weren't looking?
i mean if you don't know and i get something free it makes it ok?
NOT
 

Mellman

Diamond Member
Jul 9, 2003
3,083
0
76
Yeah....more than likely nothing was harmed, other than you getting paid for fixing it, which you would've been paid anyways. If your internet connection isn't per MB uploaded or downloaded, you suffered no data loss, it was just a minor hack job, borrowing your HD/inet. Sure it's wrong and illegal, but it's not the end of the world.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: oldman420
Originally posted by: n0cmonkey
Originally posted by: BingBongWongFooey
rooted? they just got into the ftpd.

Maybe. Maybe not. Hard to tell without some investigation. ;)

But I support this totally. I've found some great stuff on some of these FTP servers. :eek:

so then it would be ok for me to park in your garage and use your kitchen while you weren't looking?
i mean if you don't know and i get something free it makes it ok?
NOT

If you can get your car in the garage you deserve the parking spot.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Originally posted by: n0cmonkey
Originally posted by: oldman420
Originally posted by: n0cmonkey
Originally posted by: BingBongWongFooey
rooted? they just got into the ftpd.

Maybe. Maybe not. Hard to tell without some investigation. ;)

But I support this totally. I've found some great stuff on some of these FTP servers. :eek:

so then it would be ok for me to park in your garage and use your kitchen while you weren't looking?
i mean if you don't know and i get something free it makes it ok?
NOT

If you can get your car in the garage you deserve the parking spot.

Some people just don't get sarcasm very well do they?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: drag
Originally posted by: n0cmonkey
Originally posted by: oldman420
Originally posted by: n0cmonkey
Originally posted by: BingBongWongFooey
rooted? they just got into the ftpd.

Maybe. Maybe not. Hard to tell without some investigation. ;)

But I support this totally. I've found some great stuff on some of these FTP servers. :eek:

so then it would be ok for me to park in your garage and use your kitchen while you weren't looking?
i mean if you don't know and i get something free it makes it ok?
NOT

If you can get your car in the garage you deserve the parking spot.

Some people just don't get sarcasm very well do they?

It's tough to tell sarcasm sometimes. After all, my sarcasm bit gets flipped on occasion. :confused:
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
look thru these places

You may find some links to your ftp servers if you're lucky. Of course I wouldn't go there with a Windows box running IE. ;)

Time to do a pretty thorough audit of your stuff. Figure out what IP addresses they are coming from, my guess is from Holland or Korea.

Block them. Figure out how they got in.

I know that if I was an IRC bandit and I had access to a fat pipe, then I would be sure to leave a couple servers or boxes "unmolested" on the inside, that is very molested with my favorite hidden backdoors and rootkits. That way when my warez crap gets found out I can just come back in a couple months and take it over again after the admins got complacent again.

That is, if I was reasonably sure nobody else would try to crack your servers like I did. It's much easier to gain control back over a potential warez server if I was already behind the firewalls.

Sucks, looks like you have a lot of work to do. An ounce of prevention beats a pound of cure in this situation, and all that. The way I figure it is that unless you figure out how it happened in the first place, how can you stop it from happening again?

Sucks. :(
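drag's "figure out what IP addresses they are coming from" starts with the FTP service's own logs. The following is an added example, not from the thread: it reads IIS 6 FTP (MSFTPSVC) W3C-format log text, using the `#Fields:` header rather than fixed columns, and tallies per client IP who logged in, who uploaded, who downloaded, and which archive files they touched, so the busiest uploaders surface first. The log lines are constructed, and the mapping of `[n]created` to uploads and `[n]sent` to downloads is my recollection of the IIS FTP log verbs; confirm it against a known transfer in your own logs before acting on the output.

```python
"""Per-client summary of IIS 6 FTP (MSFTPSVC) W3C logs. Added example, not
from the thread; LOG_SAMPLE is constructed. Assumption: IIS logs an upload
as "[n]created" and a download as "[n]sent" (check against your own logs)."""
from collections import defaultdict

LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2004-07-30 02:11:05 203.0.113.77 anonymous [12]PASS guest@ 230 0
2004-07-30 02:11:09 203.0.113.77 anonymous [12]created /+x+1436/90528813/pun-cd2.part17.rar 226 0
2004-07-30 02:12:30 203.0.113.77 anonymous [12]created /+x+1436/90528813/pun-cd2.part18.rar 226 0
2004-07-30 03:40:12 198.51.100.9 anonymous [13]PASS mozilla@ 230 0
2004-07-30 03:40:20 198.51.100.9 anonymous [13]sent /+x+1436/90528813/pun-cd2.part17.rar 226 0
2004-07-30 09:02:01 10.0.0.12 jsmith [14]PASS - 530 1326
"""

def parse_w3c(text):
    """Yield one dict per record keyed by the #Fields names ('+' stands for a space)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

ARCHIVES = (".rar", ".r00", ".r01", ".zip", ".ace")

def per_client(text):
    """Per c-ip: successful/failed logins, uploads, downloads, archive paths."""
    stats = defaultdict(lambda: {"logins": 0, "failed": 0, "uploads": 0,
                                 "downloads": 0, "archives": set()})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        verb = rec["cs-method"].split("]")[-1]      # drop the "[n]" session id
        if verb == "PASS":
            s["logins" if rec["sc-status"] == "230" else "failed"] += 1
        elif verb in ("created", "sent"):
            s["uploads" if verb == "created" else "downloads"] += 1
            if rec["cs-uri-stem"].lower().endswith(ARCHIVES):
                s["archives"].add(rec["cs-uri-stem"])
    return dict(stats)

def suspects(text):
    """Client IPs that uploaded anything or touched archives, busiest first."""
    stats = per_client(text)
    hits = [ip for ip, s in stats.items() if s["uploads"] or s["archives"]]
    return sorted(hits, key=lambda ip: -(stats[ip]["uploads"] + stats[ip]["downloads"]))
```

Point it at the real files under the MSFTPSVC log directory by reading each one and passing its text to `suspects`; the addresses it returns are the ones to block at the firewall and to trace back through the rest of the audit.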
 

Winchester

Diamond Member
Jan 21, 2003
4,965
0
0
Thanks drag,

What software should I use to monitor the usage over the weekend? Any freeware?

What other preventive software do y'all recommend?
 

ConfusedAmused

Junior Member
Jul 2, 2004
16
0
0
Leave the file names all intact, just start replacing random archive files with viruses rather than that part of the movie.
 

nboy22

Diamond Member
Jul 18, 2002
3,304
1
81
There should be no svchosts running under your default administrator account, or else most likely it is a fake disguised program. btw, yes, the computer might not be rooted, but it seems as though if nobody was able to access the ftp it would be quite hard to get in for anyone else I would suspect, therefore I would think most likely it was just the NT-server password vulnerability. Which is weak passwords on any accounts/account or no passwords..
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
You could use something like snort to watch over the network for the weekend. But it's probably not worth it.
 

JavaMomma

Senior member
Oct 19, 2000
701
0
71
I had pretty much the same thing happen to me a couple years ago.

It was great. I caught them when they were still uploading.

I just let them upload & upload & upload...then copied all the good pr0n to my other hard drive then reformatted and put up a firewall.
 

bob4432

Lifer
Sep 6, 2003
11,726
45
91
Originally posted by: nboy22
There should be no svchosts running under your default administrator account, or else most likely it is a fake disguised program. btw, yes, the computer might not be rooted, but it seems as though if nobody was able to access the ftp it would be quite hard to get in for anyone else I would suspect, therefore I would think most likely it was just the NT-server password vulnerability. Which is weak passwords on any accounts/account or no passwords..

sh!t, task manager shows 5 svchost.exe running. they are under the user name of system, local service and network service. is this bad?