Re: Hacked through iis 4

Jose Carlos da Silva (no email)
Mon, 18 May 1998 21:40:36 -0300

Ethan, In 15 May 98, you wrote:

> I was just recently broken in to where someone got ftp access and set up a
> directory structure for warez. All of my ftp sites had been stopped and
> the only thing I had running was the web server. I have just put in place
> some firewall rules for ftp, but I really don't know the cause of the
> break in. Are there any known holes in iis 4, or any solutions on how to
> keep someone from creating those directories?

Microsoft FTP server uses NT SAM to authenticate users and it uses NT
ACLs (Access Control Lists) to decide which kind of access the users
will have to any folder by impersonating the account used to log on to
the FTP Server.

Unfortunately, the group "Everyone" has "Full Control" rights for
most disk folders and the group "Everyone" includes even the account
used for MSFTP for anonymous access. In this configuration, any user
account in your domain is able to log in to your FTP server and to
create folders and write files to it. An experienced user can even
remove files you placed in your FTP server.

We cannot assume it's a bug in MS FTP server, but it should be better
documented and some warnings about this should be included in the
setup screens, so network administrators would know about it.

I solved this problem by changing the NT ACL for the IUSR_SERVER
account, so it can only read and it can only do it in the folder it
should read. I've removed the Everyone group from the folders where it
shouldn't have access and nobody can break the security without an
administrator's password at least.
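
An added example, not part of the original message: a PowerShell audit that lists folders under an FTP root where "Everyone" or the anonymous account still holds a write-capable ACE, the condition the reply describes. It uses present-day PowerShell rather than the NT 4 tooling of the thread; the `C:\InetPub\ftproot` path is an assumption, and `IUSR_SERVER` is the account name from the message.

```powershell
# Added example (not from the original message). Lists folders under an FTP
# root where Everyone or the anonymous account holds a write-capable ACE.
param(
    [string]$FtpRoot     = 'C:\InetPub\ftproot',  # assumed FTP home directory
    [string]$AnonAccount = 'IUSR_SERVER'          # anonymous account named in the message
)

# Everyone is the well-known SID S-1-1-0; comparing SIDs also works on localized systems.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Rights that allow creating, changing or removing content, plus the raw
# GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs can carry.
$named     = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$named -bor 0x10000000 -bor 0x40000000

function Test-RiskyAce {
    param($Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if (([int]$Ace.FileSystemRights -band $writeMask) -eq 0) { return $false }
    $name = $Ace.IdentityReference.Value
    if ($name -eq $AnonAccount -or $name -like "*\$AnonAccount") { return $true }
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        return $sid -eq $everyone
    } catch {
        return $false   # orphaned or unresolvable identity: not one of the two we look for
    }
}

# Check the root itself and every subfolder, including hidden ones.
$folders = @(Get-Item -LiteralPath $FtpRoot) +
           @(Get-ChildItem -LiteralPath $FtpRoot -Directory -Recurse -Force)

foreach ($folder in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        if (Test-RiskyAce $ace) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

An empty result means neither identity can create, modify or delete content under the root. Rows with `Inherited` set to true point to an ACE on a parent folder that needs the change.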


