Recovering From Anonymous FTP Abuse
Posted on 29 Jan 2002
by Ben Dyer (OKolzig37)
Anonymous FTP is never a good idea anymore because it leaves you open to abuse from people who like nothing more than free sharing for their movies, MP3s or pr0n. The best step you can take to avoid abuse, of course, is to never let it happen. However, perhaps you inherited a project on a poorly-configured server, or there is a neglected server that you aren't yet using, or you just didn't know to turn off Anonymous FTP in the first place (IIS leaves it on by default). This article will show you how to solve the problem.
Note: This tutorial assumes that the victim machine is running IIS.
Stop the Bleeding
The first step, of course, is to turn off Anonymous FTP immediately. In Internet Services Manager in IIS, right-click on your affected FTP server, click the "Security Accounts" tab and uncheck "Allow Anonymous Connections". After this is accomplished, restart the FTP services to kick any current connections.
Wash Area With Soap and Water
Those who abuse Anonymous FTP on WinNT/2K boxes have learned lots of irritating little tricks to prevent you from being able to remove the contents they upload. Sometimes they will use characters that are perfectly legitimate to the NTFS file system and/or on Unix-based systems, but that Windows will choke on (Carriage Returns, Tabs, Backspaces, Slashes, Semicolons, Colons, etc.). This way, when Windows goes to delete the file, it insists that it can't because it doesn't understand the file name. Sometimes even trying to open the directory in Windows Explorer will hang the machine.
Another trick that is used is to create directories that are reserved words in the Windows file system: AUX, COM, CON, LPT1, LPT2, NUL or PRN, for example. Again, Windows will not permit you to delete these directories because it figures that they are system files and it knows how damaging that would be.
You can't remove these files directly through Windows. You will need to go through the command prompt to delete files. From the command prompt, go to the affected directories. Now, and here is the trick, use the dir command with the /x switch (dir /x). The /x switch is rarely used, but it produces the 8.3 DOS name for every file and directory name longer than eight characters (like "My Documents" shows up as "MYDOCU~1").
Now that you know the name of the directory that DOS understands, you can delete the directory. I've had so-so success with doing a recursive directory delete (rd /S WHATEVER) as sometimes DOS will trip over the subdirectories. If you cannot recursively delete the entire directory, you will have to manually traverse the entire directory tree and delete the contents manually (which can be very time-consuming, depending on how much junk the abusers put on your server).
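Before walking the tree by hand, it helps to know which entries will need the short-name treatment. The following is an added example, not part of the original article: a Python audit that walks a directory and flags names Windows tools are likely to reject, listing the deepest entries first so contents can be removed before their parent directories. The function names and sample names are hypothetical, and the checks follow the Win32 naming rules (device names CON, PRN, AUX, NUL, COM1-9, LPT1-9, control characters, illegal characters, trailing dots or spaces), which cover more than the examples given above.

```python
import os
import re

# Device names Windows reserves in every directory, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}
# Control characters such as tab, carriage return and backspace.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Characters the Win32 API rejects inside a file or directory name.
ILLEGAL = re.compile(r'[<>:"/\\|?*]')


def classify_name(name):
    """Return the reasons Explorer and plain del/rd are likely to reject this name."""
    reasons = []
    # Windows matches device names on the part before the first dot.
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED:
        reasons.append("reserved-device-name")
    if CONTROL.search(name):
        reasons.append("control-character")
    if ILLEGAL.search(name):
        reasons.append("illegal-character")
    if name != name.rstrip(". "):
        reasons.append("trailing-dot-or-space")
    return reasons


def audit_tree(root):
    """Return (path, reasons) for every problem entry under root, deepest first."""
    findings = []
    # topdown=False visits leaf directories first, matching the order in
    # which contents must be deleted before the directory that holds them.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            reasons = classify_name(name)
            if reasons:
                findings.append((os.path.join(dirpath, name), reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample names, as they might appear in an abused upload directory.
    for sample in ["MYDOCU~1", "com1", "aux.txt", "tagged\tby", "movie. ", "readme.txt"]:
        print(repr(sample), classify_name(sample) or "ok")
```

Run audit_tree against the FTP root and work through the result from top to bottom, using dir /x in each listed directory to get the name to pass to del or rd.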
If you need more help, here are a few links you can use that provide more information about the problem and some additional suggestions.