Hosting Provided By

RE: MS IIS 5 server is hacked leaving undeletable folders and files

From: Optrics Engineering - Shaun Sturby, MCSE <Shaun(at)Optrics.com>
Date: Tue Dec 31 2002 - 17:01:07 EST

Hello Don,

Typical hacker trick. They have used reserved words like com3 and lpt2 to create directories that the command interpreter and file manager won't touch because it thinks they are really hardware devices and you can't really delete hardware with a command. If you don't have the 'security tab' then check to see if your drive is formatted fat32. You will only see the 'security' tab if the drive is formatted NTFS or supports security.

Here are a couple of links to get you started.

How to Remove Files with Reserved Names in Windows XP http://support.microsoft.com/default.aspx?scid=KB;en-us;315226&

How to Remove Files with Reserved Names in Windows http://support.microsoft.com/default.aspx?scid=kb;EN-US;120716

Do be careful and try your command lines out with a 'dir' command first to see that what is going to be deleted is what you really want deleted.

Shaun

-----Original Message-----
From: Don Phillipe [mailto:donphillipe@hotmail.com] Sent: Tuesday, December 31, 2002 9:55 AM To: security-basics@securityfocus.com
Subject: MS IIS 5 server is hacked leaving undeletable folders and files

Do you need help?

I have a small server I use for my home business and use it mainly for anyone who needs to send a large file that will not go through email. I have an anonymous UPLOAD FTP account that I open up to receive these. From time to time I forget and leave this open (I know this is stupid but I thought I could just erase anything that was put there because the small drive would fill up real soon). However, I see someone has hacked into my server and put a bunch of trash that I cannot delete because when I try to delete it, Windows 2K says "cannot find the specified file". I have spent 2 days researching this and cannot find any reference of how to correct this. I did find some reference to looking at the security tab for these files but the security tab is missing! I found some tools which are supposed to set owners for files and they don't work on these files. Here is the log from where the hacker attacked below. Any help would be appreciated. I don't want to have to rebuild my server if possible:

#Software: Microsoft Internet Information Services 5.0

#Version: 1.0

#Date: 2002-12-30 06:38:21

#Fields: time c-ip cs-method cs-uri-stem sc-status

06:38:21 80.11.214.63 [1]USER anonymous 331

06:38:21 80.11.214.63 [1]PASS anonymous@on.the.net 230

06:38:24 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.043 550

Do you need more help?

06:54:31 80.11.214.63 [1]created rpc-acb.043 226

06:54:32 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.044 550

07:10:38 80.11.214.63 [1]created rpc-acb.044 226

___

IMail Server has scanned this e-mail for viruses using Declude Virus from Optrics.com

IMail Server has scanned this e-mail for viruses using Declude Virus from Optrics.com Received on Thu Jan 2 10:16:08 2003

This message: [ Message body ]
Next message: khayes(at)eastbay.com: "Re: MS IIS 5 server is hacked leaving undeletable folders and files"
Previous message: James-lists: "Re: Where can i find a complete list of ip's and countries ou network ?"
In reply to Don Phillipe: "MS IIS 5 server is hacked leaving undeletable folders and files"
Next in thread: Mike Arnold: "Re: MS IIS 5 server is hacked leaving undeletable folders and files"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:33 EDT