Pantek Library

Re: MS IIS 5 server is hacked leaving undeletable folders and files

From: <khayes(at)eastbay.com>
Date: Tue Dec 31 2002 - 17:26:43 EST

If it makes you feel better you're definitely not alone in this. It happens to hundreds of people every day. It had happened to a server I inherited when I started this job and they couldn't figure it out either. The only reason I know about the fix is because I was an idiot and created a COM1 dir on the root of my home machine and had to figure it out. <<LOL>>

You're running into the same problem a lot of people have that run an FTP on top of IIS. When the Warez Kiddies make directories they use reserved names for directories (COM1, COM2, LPT1, AUX... ) These directories are considered "locked" because the OS sees these directories as Devices and not standard directories. In order to get past this, you need to know the entire path. The problem, as you and everyone else is seeing, is that deleting these directories is a pain.

You have two choices to get rid of these. First, attach to the machine via some *nix-based machine and delete them. You're saved here because the remote *nix box doesn't care about DOS reserved names. The other way to do it is detailed in the following TID from Microsoft. Evidently there was enough of an uproar by everyone that the folks in Redmond actually listened for once. The URL is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;120716

As a side note, I am curious if they even tried to download the files they uploaded. The standard for them is to upload a file called Speedtest (normally just 1mb in size) and then download it to not only check the speed of your server but also to make sure they can actually download at all. The user that put the files on there is probably not using a proxy. You could contact the owner of the IP range and complain. If it's a home user the ISP should crack the whip on their keister.

Warez/Script Kiddies test everyone's patience.

Hope this helps.

Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes@eastbay.com

                                                                                                                          
                                                                                                                          
                                                                                                                          
                                                                                                                          
"Don Phillipe"
Subject: MS IIS 5 server is hacked leaving undeletable folders and files

12/31/2002 10:54 AM

I have a small server I use for my home business and use it mainly for anyone who needs to send a large file that will not go through email. I have an anonymous UPLOAD FTP account that I open up to receive these. From time to time I forget and leave this open (I know this is stupid but I thought I could just erase anything that was put there because the small drive would fill up real soon). However, I see someone has hacked into my server and put a bunch of trash that I cannot delete because when I try to delete it, Windows 2K says "cannot find the specified file". I have spent 2 days researching this and cannot find any reference of how to correct this. I did find some reference to looking at the security tab for these files but the security tab is missing! I found some tools which are supposed to set owners for files and they don't work on these files. Here is the log from where the hacker attacked below. Any help would be appreciated. I don't want to have to rebuild my server if possible:

#Software: Microsoft Internet Information Services 5.0

#Version: 1.0

#Date: 2002-12-30 06:38:21

#Fields: time c-ip cs-method cs-uri-stem sc-status

06:38:21 80.11.214.63 [1]USER anonymous 331

06:38:21 80.11.214.63 [1]PASS anonymous@on.the.net 230

06:38:24 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20% +by+Lorg%
d%D+/divx/rpc-acb.043 550

06:54:31 80.11.214.63 [1]created rpc-acb.043 226

06:54:32 80.11.214.63 [1]sent
/upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20% +by+Lorg%
d%D+/divx/rpc-acb.044 550

07:10:38 80.11.214.63 [1]created rpc-acb.044 226

The information in this e-mail, and any attachment therein, is confidential and for use by the addressee only. If you are not the intended recipient, please return the e-mail to the sender and delete it from your computer. Although the Company attempts to sweep e-mail and attachments for viruses, it does not guarantee that either are virus-free and accepts no liability for any damage sustained as a result of viruses.
Received on Thu Jan 2 10:20:22 2003
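
A log check for the reserved-name directories discussed in this thread, as an added example that is not part of the original messages: it reads IIS FTP log lines in the `#Fields` layout quoted above and flags path components that Windows treats as device names. The sample log lines and addresses are constructed, and the function names are hypothetical.

```python
import re

# DOS/Win32 reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}
SESSION_TAG = re.compile(r"^\[\d+\]")  # "[1]" session prefix on cs-method

# Constructed sample in the log layout quoted in the thread (not real data).
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 192.0.2.10 [1]USER anonymous 331
06:38:24 192.0.2.10 [1]sent /upload/com3+/lpt2+/h/aux+/divx/file.001 550
06:54:31 192.0.2.10 [1]created file.001 226
07:01:10 198.51.100.7 [2]created /upload/report-com1.zip 226
07:02:00 198.51.100.7 [2]created /upload/NUL.txt 226
"""

def reserved_components(path):
    """Return the path components that Windows resolves to a device name."""
    hits = []
    for comp in path.split("/"):
        # IIS logs a space as '+'; trailing spaces/dots and any extension
        # are ignored when Windows matches a device name.
        base = comp.replace("+", " ").rstrip(" .").split(".")[0].strip()
        if base.upper() in RESERVED:
            hits.append(comp)
    return hits

def parse_line(line):
    """Split one log line into fields; None for directives and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 5:
        return None
    return {"time": parts[0], "ip": parts[1],
            "method": SESSION_TAG.sub("", parts[2]),
            "path": " ".join(parts[3:-1]), "status": parts[-1]}

def flag_reserved(lines):
    """Return the log entries whose path contains a reserved device name."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry and (hits := reserved_components(entry["path"])):
            flagged.append({**entry, "reserved": hits})
    return flagged

if __name__ == "__main__":
    for e in flag_reserved(SAMPLE_LOG.splitlines()):
        print(e["time"], e["ip"], e["method"], e["status"], e["reserved"])
```

A name that merely contains a device name, such as `report-com1.zip`, is not flagged; only a component whose base name is exactly a reserved name is.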

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:33 EDT

