Anonymous FTP ... very, very bad. Not at all related to FP Upload
component. Looks like the server admin could get in very serious trouble.
Especially if the server has now been compromised. I know of situations
where servers had to be completely rebuilt because the outsiders had
control. Plus, flooded it with worms and trojans.
I don't envy the guy, but it looks like you have your bases covered.
Good luck.
--
===
Tom [Pepper] Willett
Microsoft MVP - FrontPage
---
FrontPage Support:
http://www.frontpagemvps.com/
About FrontPage 2003:
http://office.microsoft.com/home/office.aspx?assetid=FX01085802
===
| Thank you for your time. I understand it is hard for you to make a clear
| judgement.
|
| However, during the time I have been posting here, I have also been emailing
| back and forth with the server administrator. Even though he has been
| throwing blame at me and our company, I did not engage him in that aspect but
| rather just tried to deal with the issues at hand. In the long run, if you
| give someone enough rope, they will hang themselves.
|
| I don't want to post our conversation, but he has, in an inadvertent manner
| admitted that Anonymous FTP had been activated on our server. Not just for a
| folder or domain, but on the whole server. I still have not confronted him
| about it. It isn't worth my energy so I will let my boss deal with it since
| all of our communications were CC'd to him.
|
| Thanks for your patience.
|
| "Tom [Pepper] Willett" wrote:
|
| > It's very difficult to say what the server admin has done on that end. It
| > would be pure conjecture on our part.
| >
| > | My Apologies for not being clearer. However, I have that reference link and
| > | even sent the link to our administrator with my request.
| > |
| > | He did not catch the part about disabling script execution and until he
| > | figured out that this had to be done, he could not get it working properly.
| > | Finally he figured it out and that was about 3 weeks ago.
| > |
| > | Since then, I have not worked on the site or changed anything in it. Now
| > | our server has been hacked and he says that it was a result of my request.
| > |
| > | However, the strange part is that the supposed executable that was uploaded,
| > | was uploaded to a different domain on the server. That is the part I am
| > | questioning. How is it that someone could use this, as yet, unused folder to
| > | hack in through a different domain on the server?
| > |
| > | Something seems fishy to me. More like maybe someone set the wrong
| > | permissions in an attempt to get the function I requested working.
| > |
| > | I know this is tedious, and I think I am probably being fed a line. I was
| > | just hoping to find out more in one direction or another.
| > |
| > | Thanks again.
| > |
| > | "Tom [Pepper] Willett" wrote:
| > |
| > | > Beaux: Nowhere in your original post did you say you wanted to use the FP
| > | > File Upload form. Using the file upload feature of the FP 2002 server
| > | > extensions (no earlier versions will work) requires set up as outlined in
| > | > this kb article.
| > | >
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;299763&Product=fp2002
| > | >
| > | > | The Frontpage File Upload requires that script execution be disabled to
| > | > | use the upload function. In fact, our administrator had a problem setting
| > | > | the permissions properly until he learned this fact.
| > | > |
| > | > | Even so, I don't understand how setting the permissions on 1 folder in a
| > | > | domain can allow the upload and execution of a file in a separate domain. I
| > | > | assumed since this revolves around the frontpage upload bot, this was the
| > | > | place to ask the question.
| > | > |
| > | > |
| > | > | "Steve Easton" wrote:
| > | > |
| > | > | > Was the subfolder in A password protected?? It should have been.
| > | > | > Were permissions set to deny execution of scripts and executables? They
| > | > | > should have been.
| > | > | >
| > | > | > You'd get better answers in one of the server news groups.
| > | > | >
| > | > | > --
| > | > | > Steve Easton
| > | > | > Microsoft MVP FrontPage
| > | > | > 95isalive
| > | > | > This site is best viewed............
| > | > | > ........................with a computer
| > | > | >
| > | > | >
| > | > | >
| > | > | >
| > | > | >
| > | > | > > My company has multiple domains hosted on one server. Recently our server
| > | > | > > administrator upgraded us to Windows server 2000 with IIS 5.0. I asked
| > | > | > > them to give write permissions to a subfolder in one of my domains so that I
| > | > | > > could later create an area for selected people to upload data.
| > | > | > >
| > | > | > > After much trouble he finally told me it was done.
| > | > | > >
| > | > | > > I never used this feature, nor did I link to the folder in any way.
| > | > | > >
| > | > | > > Now our server has been hacked and he is telling me that someone uploaded
| > | > | > > a file to domain "B" and executed it, because of the write permissions on
| > | > | > > the subfolder in domain "A"
| > | > | > >
| > | > | > > I am almost certain I am getting hosed here because he keeps mentioning
| > | > | > > "billable time" if it is a result of something I did or requested.
| > | > | > >
| > | > | > > Does this explanation even come into the realm of possible? Or is it
| > | > | > > simply someone trying to cover his own mistakes?
| > | > | > >
| > | > | > > Thanks in advance.