They have: 1 posts

Joined: Feb 2005

hi, wonder if anyone can help me.

i host a website running on windows 2000 server with IIS 5. I FTP into the server to upload files.

However my server was hacked last night, i have looked into the ftp logs to see when the rogue files were uploaded, but so far the only information i have is that attempts were made to connect, followed by a command of

Quote: KEYWORD: SSH -- PARAMS: -2.0-libssh-0.1

which is a brute force attacking command, basically someone trying to guess the password. the timestamps on the files uploaded are inbetween the times the requests were made to the server, now my ftp server logs all activity, it tells me when ive uploaded a file or deleted a file. but i can't see any reference to these files being uploaded, neither can i see anybody successfully logging in at those times..

i just want to know if there any other ways that someone may upload files onto the server. i have tried to run telnet and connect using that but it says the host is not reachable so i dont think its going to be telnet.

please if anyone can help..

many thanks

mairving's picture

They have: 2,256 posts

Joined: Feb 2001

Hard to tell with that little information. One of the first thing a cracker does is try to cover his tracks by editing or deleting logfiles.

He has: 51 posts

Joined: Jan 2004

Also, just because you couldn't break in using telnet (assuming you are running the service) doesn't mean it's secure.
IOW, ftp may or may not be the point of entry. It may be a completely different service, and one that may not even have been designed to upload files.

Check ALL the other possible logs you have around the time of the break in. You might get lucky and find a few clues.

He has: 9 posts

Joined: Apr 2005

Hey dude, hard luck, did any of your files get deleted? First thing that came to my mind was what Mairving said, he must have weasled out the info you want to see but forgot to delete that one line...

Another way to upload stuff (he still could have used ssh so contact your host for the unmoddable logs) is if he has your cpanel pass then he can use that file manager...all i can think of at the mo...good luck dude Smiling

CptAwesome's picture

He has: 370 posts

Joined: Dec 2004

The only other thing that comes to mind (Though this is long past the point) is Frontpage HTTP uploads.

She has: 2 posts

Joined: May 2005

Not sure if it's worth trying, but why not move your ftp away from port 21 as this is one hackers aim at. If you are the only one using the ftp it's workable.

Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.