Fog Creek Software
Discussion Board
Unknown file...

Yo!

I just found a file named "500k" with no extension and a 0 filesize in the root folder of my FTP site. (w2k/IIS)

Only one dude besides myself has access and he hasn't logged in for a week. The file appeared today, it wasn't there this morning.

Tiny Personal Firewall is running but allows IIS through on ports 21 and 80.

Am I being hacked or is there a natural explanation?

Eric Debois
Friday, August 29, 2003

Anonymous access is disabled?

Philo
Friday, August 29, 2003

Nope, anonymous access is allowed.

No viruses on system... anyone good at reading portscans? Does this look ok?

Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-08-29 21:50 CEST
Host ***.***.***.*** appears to be up ... good.
Initiating Connect() Scan against ***.***.***.*** at 21:50
Adding open port 21/tcp
Adding open port 80/tcp
The Connect() Scan took 29 seconds to scan 1643 ports.
Interesting ports on ***.***.***.***
(The 1633 ports scanned but not shown below are in state: closed)
Port State Service
20/tcp filtered ftp-data
21/tcp open ftp
23/tcp filtered telnet
80/tcp open http
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds


Looks like an awful lot of ports are responding despite the firewall????

Eric Debois
Friday, August 29, 2003
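An added example, not part of the thread: a small Python script that reads the nmap port table posted above and checks it against the firewall policy Eric described (only 21 and 80 allowed through). The scan lines are copied from the post with the masked address left as-is; the function names and the allowed-port set are my own. The point it makes explicit is that "filtered" in nmap means the probe got no answer (or an ICMP error) because something dropped it, so the eight filtered ports are the firewall working, not ports "responding". Only the two "open" ports completed a handshake, and they are exactly the two the firewall was told to allow. As Brad asks later in the thread, this only means anything if the scan was run from outside the firewall.

```python
"""Added example (not from the original thread): parse an nmap port table and
compare it with the firewall policy the poster described.

The scan text is the one posted in the thread. Function names and the
allowed-port set are mine (assumptions for illustration).
"""
import re

POSTED_SCAN = """\
Port State Service
20/tcp filtered ftp-data
21/tcp open ftp
23/tcp filtered telnet
80/tcp open http
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
"""

# What each nmap state means for a connect() scan (from nmap's own definitions).
STATE_MEANING = {
    "open": "a service completed the TCP handshake",
    "closed": "the host answered with RST: reachable, but nothing is listening",
    "filtered": "no answer (or an ICMP error): something dropped the probe",
}

# "1234/tcp  filtered  netbios-ns"  (nmap also emits states like open|filtered)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text):
    """Return [(port, proto, state, service)] for every port line in nmap output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def audit_scan(text, allowed_open):
    """Compare a scan with policy.

    allowed_open: set of TCP ports the firewall is supposed to let through.
    Returns the open ports, the filtered (dropped) ports, the open ports that
    violate the policy, and allowed ports that did not show up as open.
    """
    by_state = {"open": [], "closed": [], "filtered": []}
    for port, proto, state, _service in parse_ports(text):
        if proto == "tcp":
            by_state.setdefault(state, []).append(port)
    return {
        "open": sorted(by_state["open"]),
        "filtered": sorted(by_state["filtered"]),
        "unexpected_open": sorted(p for p in by_state["open"] if p not in allowed_open),
        "expected_but_not_open": sorted(p for p in allowed_open if p not in by_state["open"]),
    }


if __name__ == "__main__":
    report = audit_scan(POSTED_SCAN, allowed_open={21, 80})
    for key, value in report.items():
        print(f"{key}: {value}")
    for state, meaning in STATE_MEANING.items():
        print(f"{state}: {meaning}")
```

Run as-is it reports `open: [21, 80]`, an empty `unexpected_open` list, and the NetBIOS, SMB, telnet and ftp-data ports under `filtered`. A non-empty `unexpected_open` is the case worth worrying about; a long `filtered` list from the outside is what a working firewall looks like.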

No wait, anonymous access is turned off... only two specific accounts have access to the folder in question (No IUSR, no "everyone")

Eric Debois
Friday, August 29, 2003

telnet and netbios? If you don't use windows filesharing it shouldn't be needed. As for telnet, unless you actually *use* telnet then this shouldn't be on either.

Mickey Petersen
Friday, August 29, 2003

Oh, yeah, btw:

Check your \system32\logfiles\ folder(s) for the log files and see if you can find anything suspicious.

Mickey Petersen
Friday, August 29, 2003
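Reading the logs is the right first move, and it is worth doing it with a script rather than by eye so that nothing is skipped. The following is an added example, not code from the thread: a Python triage script for IIS W3C extended log files (the format IIS writes under \system32\logfiles, by default in a MSFTPSVC1 subfolder for the FTP service). The parser takes its column layout from the "#Fields:" directive, so it works on whichever fields the server is configured to log. The sample log is constructed by me in the style of an IIS 5 FTP log; the "[n]" session tags, the method names and the addresses are assumptions, not lines from the poster's server. Given the file name, it reports which authenticated session created or touched the file and from where, and separately lists failed logins per source address, which is the thing to look at if the file did not come from one of the two known accounts. One caveat a practitioner wants here: IIS writes W3C-format timestamps in UTC, so compare against the local time the file appeared accordingly.

```python
"""Added example (not from the original thread): triage an IIS W3C-format
FTP log for activity touching a suspicious file.

Assumptions (mine, not the thread's): the log is W3C Extended format with a
'#Fields:' directive; the sample below is constructed to look like an IIS 5
FTP log and is not a real log from the poster's server.
"""
from collections import defaultdict

# Constructed sample in the IIS W3C extended style. The column layout comes
# from the '#Fields:' line, so the parser never hard-codes column positions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-08-29 00:00:03
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
08:12:40 192.0.2.10 - [1]USER eric 331
08:12:41 192.0.2.10 eric [1]PASS - 230
08:12:55 192.0.2.10 eric [1]sent /ftp_root/index.html 226
08:13:02 192.0.2.10 eric [1]QUIT - 221
14:07:11 198.51.100.77 - [2]USER anonymous 331
14:07:11 198.51.100.77 - [2]PASS - 530
14:07:13 198.51.100.77 - [3]USER administrator 331
14:07:14 198.51.100.77 - [3]PASS - 530
14:40:09 192.0.2.10 - [4]USER eric 331
14:40:10 192.0.2.10 eric [4]PASS - 230
14:40:31 192.0.2.10 eric [4]created /ftp_root/500k 226
14:40:33 192.0.2.10 eric [4]QUIT - 221
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the '#Fields:' line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue                      # #Software, #Version, #Date ...
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def split_method(method):
    """'[3]PASS' -> ('[3', 'PASS'); a plain 'GET' (web log) -> ('', 'GET')."""
    if method.startswith("["):
        tag, _, cmd = method.partition("]")
        return tag, cmd
    return "", method


def triage(text, filename):
    """Summarise who touched `filename`, who logged in, and who failed to."""
    touches = []
    failed_logins = defaultdict(list)   # ip -> [(time, username tried)]
    sessions = defaultdict(list)        # ip -> [usernames that authenticated]
    pending_user = {}                   # (ip, session tag) -> name sent with USER
    for rec in parse_w3c(text):
        tag, cmd = split_method(rec["cs-method"])
        key = (rec["c-ip"], tag)
        status = int(rec["sc-status"])
        if cmd == "USER":
            pending_user[key] = rec["cs-uri-stem"]
        elif cmd == "PASS":
            user = pending_user.get(key, "?")
            if status == 230:           # 230 = login succeeded
                sessions[rec["c-ip"]].append(user)
            else:
                failed_logins[rec["c-ip"]].append((rec["time"], user))
        elif rec["cs-uri-stem"].rstrip("/").rsplit("/", 1)[-1] == filename:
            touches.append({"time": rec["time"], "ip": rec["c-ip"],
                            "user": rec["cs-username"], "action": cmd,
                            "status": status})
    return {"touches": touches,
            "failed_logins": dict(failed_logins),
            "sessions": dict(sessions)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "500k")
    for t in report["touches"]:
        print(f"{t['time']} {t['ip']} {t['user']} {t['action']} -> {t['status']}")
    for ip, attempts in report["failed_logins"].items():
        print(f"failed logins from {ip}: {attempts}")
```

On the constructed sample this attributes the creation of "500k" to the "eric" session from 192.0.2.10 and flags two failed logins (anonymous, administrator) from a second address. With the real logs the interesting outcomes are a touch by an account or address that is not one of the two known users, or no touch at all, which would mean the file did not arrive through the FTP service and the NTFS owner and creation time are the next thing to check.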

Check the owner on the file (presuming you're using NTFS).

Dennis Forbes
Friday, August 29, 2003

"anyone good at reading portscans?"

A simple question: you did run this portscan from OUTSIDE the firewall, right?

Brad Wilson (dotnetguy.techieswithcats.com)
Friday, August 29, 2003

If he runs it on "localhost" the local software firewall should catch that.

Mickey Petersen
Friday, August 29, 2003

What is the full path name of that folder? It may be one of those folders programs naturally throw things in.

Did you use a text editor or hex editor to look at the nature of the file? Can you explain it? Did you run it through a virus scanner?

Li-fan Chen
Friday, August 29, 2003

"If he runs it on "localhost" the local software firewall should catch that."

Mine wouldn't. 127.0.0.0 is a trusted network, as is my home and work LAN, so that NetBIOS is let through. It depends on the firewall and its configuration, really.

Brad Wilson (dotnetguy.techieswithcats.com)
Saturday, August 30, 2003

No, I ran it from the outside of both router and firewall. The file had nothing in it. Zero bits. Just a filename. The logs show nothing out of the ordinary.

The path is something like d:/myfolder/myfolder/ftp_root, not the standard ftp root folder.

If this was something IIS did there should be more info about it on the web.

Very strange.

Eric Debois
Saturday, August 30, 2003

Are you sure this isn't some kind of system generated file? I don't run IIS, but 500K appears to be some natural size for resources to be dedicated to one user.

I suggest deleting the file, logging in, logging out, checking for the file, then having both users log in, log out, and check for a file. I suspect that when you are both logged in at the same time the system generates the file.

Lou
Saturday, August 30, 2003

You are probably right. I discovered that the file is not visible when looking at the folder from the server itself, only when seen through the network. None of the logs show anything besides me and my buddy logging in.

Besides, what possible use could a hacker have of such a file? It might be some kind of leftover from a failed network transfer or something.

Oh well.

Thanks for the input guys.

Eric Debois
Saturday, August 30, 2003
