w2k iis 5.0/6.0 ftp 0day and ftp log parsing

This morning a 0day for Microsoft Windows 2000 IIS 5.0/6.0 FTP server was announced on Full-disclosure (and milw0rm). From the sounds of it, this may require a valid set of credentials and thus be more of a priv escalation than a remote r00t, but close enough to be a bit worried. (Do you trust your FTP outsid…err…users?)

I have a friend who has an old Windows 2000 FTP server he can't take down, and it is open to the Internet (with valid login information). One way to initially minimize the risk from this vulnerability is to limit who can connect through your border/perimeter/firewall to the FTP service to only those people who have a legitimate need. If you don't have such information available, perhaps the log files will give an accurate history of valid users? If nothing else, this is better than nothing to go on, especially until more information on this vulnerability comes out.

Thankfully my friend does have a lengthy store of FTP logs, and this quick script I banged out will pull out unique IP addresses, quick and dirty-like. I basically search for lines in the logs that contain "PASS - 230", since 230 is the FTP reply code for an accepted password (user logged in), and take the client IP field from each matching line.

$alllogs = Get-ChildItem "C:\somepath\ftplogs"
$whitelist = @()

foreach ($logfile in $alllogs) {
    $logcontents = Get-Content $logfile.FullName

    foreach ($logline in $logcontents) {
        # IIS FTP log line for an accepted password; the second field is the client IP
        if ($logline.Contains("PASS - 230")) {
            $whitelist += $logline.Split(" ")[1]
        }
    }
}
$whitelist | Sort-Object | Get-Unique
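A more general version of the same idea, added here as an example and not part of the original post: instead of hard-coding the second field, it reads the #Fields: header that IIS writes at the top of each W3C-format log to find the c-ip, cs-method and sc-status columns, strips the [n] connection-number prefix IIS puts in front of the FTP command, and ignores failed logins (530) so they do not end up in the allow list. The function name Get-FtpLoginAddresses and the sample log lines are constructed for illustration.

```powershell
# Added example (not the original post's script). Parses IIS W3C-style FTP log
# lines, uses the "#Fields:" header to locate the client-IP, method and status
# columns, and returns the distinct client IPs that completed a login
# (PASS with reply code 230). The sample log content below is constructed.

function Get-FtpLoginAddresses {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Lines
    )

    $ipIndex = -1
    $methodIndex = -1
    $statusIndex = -1
    $ready = $false
    $found = @{}

    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; their positions depend on the server's logging config
            $fields = $line.Substring('#Fields:'.Length).Trim() -split '\s+'
            $ipIndex     = [array]::IndexOf($fields, 'c-ip')
            $methodIndex = [array]::IndexOf($fields, 'cs-method')
            $statusIndex = [array]::IndexOf($fields, 'sc-status')
            $ready = ($ipIndex -ge 0) -and ($methodIndex -ge 0) -and ($statusIndex -ge 0)
            continue
        }
        # Skip other comment lines, blank lines, and data seen before a usable header
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $ready) { continue }

        $cols = $line -split '\s+'
        $maxIndex = [math]::Max($ipIndex, [math]::Max($methodIndex, $statusIndex))
        if ($cols.Count -le $maxIndex) { continue }   # truncated or malformed line

        # IIS prefixes the FTP command with a connection number, e.g. "[1]PASS"; strip it
        $method = $cols[$methodIndex] -replace '^\[\d+\]', ''
        if ($method -eq 'PASS' -and $cols[$statusIndex] -eq '230') {
            $found[$cols[$ipIndex]] = $true
        }
    }

    return $found.Keys | Sort-Object
}

# Constructed sample: header plus a few entries, including one failed login (530)
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 6.0',
    '#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status',
    '08:00:01 203.0.113.10 [1]USER alice 331 0',
    '08:00:02 203.0.113.10 [1]PASS - 230 0',
    '08:05:11 198.51.100.7 [2]USER bob 331 0',
    '08:05:12 198.51.100.7 [2]PASS - 530 1326',
    '09:12:40 203.0.113.10 [3]USER alice 331 0',
    '09:12:41 203.0.113.10 [3]PASS - 230 0'
)

Get-FtpLoginAddresses -Lines $sampleLog

# Against a real log directory (path is a placeholder):
# Get-ChildItem 'C:\somepath\ftplogs' |
#     ForEach-Object { Get-FtpLoginAddresses -Lines (Get-Content $_.FullName) } |
#     Sort-Object -Unique
```

Because the header is parsed per file, the function copes with logs whose field order changed over the years, and because it tests the method and status columns separately it will not match a "230" that happens to appear elsewhere on the line. The resulting list is still only a history of who logged in successfully, so review it before turning it into a firewall rule.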