
iis ftp : My FTP access is very unsecure - advice requested


Alun Jones [MSFT]
11/3/2004 9:55:24 AM

This is fairly common - to search on this for other experiences, you might
use the colloquial term "tagging" as a keyword along with "FTP". It almost
always occurs on anonymous accounts that are given write access.


There are tools available to the miscellaneous hackers out there that will
search random IP addresses for FTP servers that are open to abuse. They
tend to use the "anonymous" or "ftp" account.


Very unlikely, unless there is a wireless portion involved in the logon. To
intercept traffic, you have to be able to read traffic at some point along
the way. Who can read your traffic? The ISP you use, and any companies
that route your traffic to and from your endpoints.

Have you checked the logs to ensure that these files are being created in
the way you think?

If the account whose password you changed is IUSR_<machine-name>, note that
changing the password has no effect on users' ability to log on, because
that account exists to allow anonymous logons to proceed.


There are secure FTP servers available for even less than that - I'm sure
some of the others here can recommend their personal favourites, but it
would be inappropriate for me to do so.

However, I'm inclined to suggest that you take a good forensic look at your
system and find out exactly how this is happening. First, check that the
files are really being uploaded by the accounts that you guess are
responsible. Password-sniffing is not as widespread as some people would
suggest, because it's pretty infeasible, and requires collusion from one of
the companies you trust to carry your Internet traffic. If it was found out
that a company was doing that, they'd presumably lose all their business
very quickly.

It is possible that you have been hacked by some other method.

Alun.
~~~~
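
One way to do the log check suggested above, as an added example that is not part of the original post: it attributes each upload and new directory in an FTP log to the account and client address that made it. It assumes W3C Extended logging with a `#Fields:` line and commands recorded as `[session]VERB`, with completed uploads logged as `created`; the log lines, addresses and the function name `writes_by_account` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-11-03 02:10:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:10:01 203.0.113.7 [1]USER anonymous 331
02:10:01 203.0.113.7 [1]PASS guest@example.invalid 230
02:10:04 203.0.113.7 [1]MKD /incoming/tmp1 257
02:10:09 203.0.113.7 [1]created /incoming/tmp1/movie.avi 226
08:30:00 198.51.100.20 [2]USER client1 331
08:30:00 198.51.100.20 [2]PASS - 230
08:30:12 198.51.100.20 [2]created /client1/index.html 226
08:31:00 198.51.100.99 [3]USER client1 331
08:31:00 198.51.100.99 [3]PASS - 530
08:31:02 198.51.100.99 [3]created /client1/x.bin 550
""".splitlines()

WRITE_VERBS = {"created", "MKD"}  # upload completed, directory made

def writes_by_account(lines):
    """Map (username, client IP) -> paths written in authenticated sessions."""
    fields, pending, authed = [], {}, {}
    writes = defaultdict(list)
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order comes from the log itself
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        # "[1]USER" -> session id "[1", verb "USER"
        sid, _, verb = rec["cs-method"].rpartition("]")
        session = (rec["c-ip"], sid)
        status = rec["sc-status"]
        if verb == "USER":
            pending[session] = rec["cs-uri-stem"]       # name offered, not yet accepted
        elif verb == "PASS" and status == "230":
            authed[session] = pending.get(session, "?")  # logon succeeded
        elif verb in WRITE_VERBS and status.startswith("2") and session in authed:
            writes[(authed[session], rec["c-ip"])].append(rec["cs-uri-stem"])
    return dict(writes)

if __name__ == "__main__":
    for (user, ip), paths in writes_by_account(SAMPLE_LOG).items():
        print(user, ip, paths)
```

Writes attributed to `anonymous` point at anonymous write access rather than a stolen password; writes under a named account from an unfamiliar address are the case worth investigating further.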

BerkHolz, Steven
11/3/2004 2:13:40 PM
Do you have security set at the folder level for each user's folder?
Windows 2000 will put them into their folder, but not restrict cd .. .
If not, it is most likely a legitimate user purposely storing things in the
wrong folder.

Look at the owner of the file. Who is it?

--
Steven BerkHolz
Send to Domain TESCOGroup dot com, username SB

Note: you may also want to know that you should never send mail to:
blacklist-my-ip@admins.ws
info@dautrap.uceprotect.net
listme@sorbs.net
spamtrap@sandes.dk
spamtrap@stop.mail-abuse.org
spamtrap@frankenbiker.de
spamtrap@blars.org

Fernando L. Arredondo
11/3/2004 5:46:24 PM
Dear Friends:

I have allowed typical ftp access to users for a couple of years. Lately, I
have noticed that some of our accounts have been compromised and hackers
have begun to upload videos, applications, etc. onto the server. They
create directories that cannot be deleted by the users. I must go in and
delete those accounts from the command prompt.

It almost appears that someone is sniffing the ports on these websites
waiting for an ftp session. Since the username and password are not
encrypted, I am guessing that they read that information and then use the
account for their own purposes.

Just yesterday, I changed the password on this particular account (having
its own IP address) and by this morning, there was evidence of videos and
other junk being uploaded. I ended up disabling ftp on that account.

Is this happening to others? I've looked into encrypted ftp but I am unsure
on how to proceed or what reliable yet low cost products I can use. There
are ftp servers available for about $500 for a very limited number of users.

Please advise,

Fernando L. Arredondo using Windows 2000 Server / IIS 5

Fernando L. Arredondo
11/3/2004 5:59:20 PM
By the way, David Wang had recommended WebDAV over SSL or FTPS. I looked
into this but truthfully, I am somewhat confused on what to do. Can I use
software already included in W2000 Server or do I need to purchase
something. If so, I need something secure/inexpensive so that clients can
manage their websites.

Thanks again.

Fernando L. Arredondo
11/3/2004 6:20:44 PM

Thank you for answering my questions, I was really going mad this morning.


When I first leased my webserver, I learned almost immediately not to allow
anonymous write access to ftp (or http for that matter).


I've never examined the logs but I will enable them for future reading.


I never use accounts like that other than the default for http reading. For
ftp, I create a Windows user account and grant that account ftp read/write
access.


I was thinking about checking with the dedicated server company on upgrading
to a W2003 Server since it allows IP sharing for ftp (isolation mode). Will
W2003 allow, by default, for us to secure ftp accounts even if the IP is a
shared IP used by other websites and ftp sessions or is other 3rd party
software still necessary?

Thanks again for your assistance.

Fernando L. Arredondo
11/3/2004 7:45:42 PM
Thanks for the suggestion. The stuff is now all gone but I will look at
that the next time it happens.




Fernando L. Arredondo
11/4/2004 5:29:23 AM
I'm starting to get cold feet and I think that I'm going to stick with
regular unencrypted FTP. I've enabled ftp logging and will examine them if
something happens again.

Best Regards,

Fernando L. Arredondo


Bernard
11/4/2004 12:21:57 PM
You can use WebDAV to replace FTP, as it supports SSL.
Personally, I haven't tested this :)

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/




Bernard
11/4/2004 1:31:08 PM
You could also encrypt the entire communication, read
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/


