Hosting Provided By

Thanks everyone! RE: MS IIS 5 server is hacked leaving undeletable folders and files

From: Don Phillipe <donphillipe(at)hotmail.com>
Date: Fri Jan 03 2003 - 15:00:34 EST

Thank you everyone! What an overwhelming response this team has provided me. I received over 40 answers to my query and I would like to thank everyone for your kindly provided time to resolve this. Below is and outline of the progression and a brief response to some of the answers I received. I do see now that I neglected to state that the volume was NTFS, so that may have been the reason I received so many answers regarding how to delete the file with DOS (which didn't work, received "access denied". The information about a security tab missing could have been misleading, but in reality it was from the hacker directories; and although I have limited experience, I am not sure how a hacker can create NTFS directories without one, but it happened for sure.

In brief:

most said to use DOS to delete (received "access denied")
many pointed to MS document on how to delete (did not have access to RM.EXE from resource kit and the RMDIR \\.\D:temp\UPLOAD /s also failed with "access denied")
tried to FTP back into myself to delete the directory (received "access denied")
one suggested to run Norton Utilities to fix (could not get Norton to install since it is a "server")
one pointed to in-depth MS Knowledge base and asked how long I looked (none of MS tips worked either) Note: I am not sure what I did wrong with my search argument during this and past times, but most "tips" I find from these pages are found from Google and the same search on MS search engine produces nothing. However, I do feel obligated to answer this question, I looked about 14 hours (enough for my wife to get really mad for missing some of Christmas with the in-laws ;-)) but the biggest problem was not knowing what kind of "illness" I had. (I know much more now, thanks to everyone here.)
since I was able to stop all applications using this virtual drive, I finally gave up, formatted and restored from last backup
still trying to figure out if I should go for a complete system re-install but plan to watch it and the logs for the next weeks (thank goodness for the noisy hard drive and flashing lights on my hub that alerted me to the "violation" in the first place

Again, thanks to you all and have a prosperous new year!!! Don

-----Original Message-----
From: Don Phillipe [mailto:donphillipe@hotmail.com] Sent: Tuesday, December 31, 2002 11:05 AM To: 'incidents@securityfocus.com'
Subject: MS IIS 5 server is hacked leaving undeletable folders and files

I have a small server I use for my home business and use it mainly for anyone who needs to send a large file that will not go through email. I have an anonymous UPLOAD FTP account that I open up to receive these. From time to time I forget and leave this open (I know this is stupid but I thought I could just erase anything that was put there because the small drive would fill up real soon). However, I see someone has hacked into my server and put a bunch of trash that I cannot delete because when I try to delete it, Windows 2K says "cannot find the specified file". I have spent 2 days researching this and cannot find any reference of how to correct this. I did find some reference to looking at the security tab for these files but the security tab is missing! I found some tools which are supposed to set owners for files and they don't work on these files. Here is the log from where the hacker attacked below. Any help would be appreciated. I don't want to have to rebuild my server if possible:

#Software: Microsoft Internet Information Services 5.0

#Version: 1.0

Do you need help?

#Date: 2002-12-30 06:38:21

#Fields: time c-ip cs-method cs-uri-stem sc-status

06:38:21 80.11.214.63 [1]USER anonymous 331

06:38:21 80.11.214.63 [1]PASS anonymous@on.the.net 230

06:38:24 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.043 550

06:54:31 80.11.214.63 [1]created rpc-acb.043 226

06:54:32 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.044 550

07:10:38 80.11.214.63 [1]created rpc-acb.044 226

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Fri Jan 3 17:10:31 2003

Do you need more help?

This message: [ Message body ]
Next message: kyle(at)kylelai.com: "RE: Mysterious "Support" account created on Win2k server"
Previous message: H C: "RE: Mysterious "Support" account created on Win2k server"
Next in thread: Nick Jacobsen: "Re: Thanks everyone! RE: MS IIS 5 server is hacked leaving undeletable folders and files"
Reply: Nick Jacobsen: "Re: Thanks everyone! RE: MS IIS 5 server is hacked leaving undeletable folders and files"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT