Re: Hacked... Yeah I know "You told me so"

From: Egbert Nierop \(MVP for IIS\) (egbert_nierop@nospam.com)
Date: 05/29/02


From: "Egbert Nierop \(MVP for IIS\)" <egbert_nierop@nospam.com>
Date: Wed, 29 May 2002 10:50:06 +0200


Too much about this ...

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q120716
If he 'only' created directories with names like 'tagged', COM, LPT1,
PRN etc., you are not compromised; he just used you as a 'host'.
By the way, they're really sick, those guys...

--
ASP Session replacement for webfarms
http://www.nieropwebconsult.nl/asp_session_manager.htm
"x y" <jamescagney90210@yahoo.com> wrote in message
news:#BTCVlrBCHA.1436@tkmsftngp04...
> "John" <wise_man@pobox.com> wrote in message
> news:8a1201c205d1$080e16c0$3aef2ecf@TKMSFTNGXA09...
> > Running XP Pro, had all the updates installed offered
> > by Windows Update which according to
> >
> > http://www.microsoft.com/security/security_bulletins/ms02018_iis.asp
> >
> > is "Windows XP Professional users can receive the
> > patch automatically via the AutoUpdate technology."
> >
> > Had the XP firewall running, and NAT ports opened only
> > for my web server BUT I had FrontPage extensions installed.
> >
> > The hacker placed about 1Gb of porn onto my hard drive
> > via the extensions.  I killed the files and new ones
> > got placed.
> >
> > I've removed the extensions and run MS's security tool
> > specifying a static web server.
> >
> > Have a question and a problem.
> > 1) question: what else should I do to prevent this in the
> > future.
>
> You may still be missing some patches.  Go to www.microsoft.com/security
> and read the security checklists there, including running hfnetchk to
> check for missing patches.  If you're running FTP, check that you have the
> proper permissions, e.g. no anonymous access, or at least no anonymous read
> and write access to any one folder.  If running IIS web services, check out
> IIS Lockdown including URLScan.  Antivirus and both software and hardware
> firewalls are good as well.  Check your web logs for entries containing %
> or .EXE that mention a 200 or 502 error code.  Run fport from
> foundstone.com to look for suspicious open ports and pstools / pslist from
> sysinternals.com to look for suspicious running processes.  Once your
> computer is compromised, back doors can be installed that allow re-entry
> even after the original vulnerability is closed.  The only way to be 100%
> sure that you're clean is to format and reinstall and secure the system
> before you put it on the internet again.  My guess is that we still
> haven't closed the original vulnerability.  If you ran IIS Lockdown and
> allowed it to install URLScan, that should help a lot.
>
> > 2) problem: the hacker created directory entries that
> >    seem to go nowhere. If I try to delete them I receive
> >    the error "cannot find the specified file. Make sure
> >    you specify the correct path and file name".  How can I
> >    delete these entries?
>
> Search this newsgroup for "FTP."  This question is asked and answered
> weekly, and there are several good ways to do this.

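Two of the checks discussed in this thread, as an added example that is not code from the posts or from any tool they name (hfnetchk, IIS Lockdown, URLScan, fport, pslist): the log scan x y suggests (requests containing % or .EXE that were answered with 200 or 502) and a listing of upload directories that use reserved device names such as COM1, LPT1 or PRN, which Explorer and a plain `del`/`rd` cannot address and which KB Q120716 handles by prefixing the path with `\\.\` (the `\\?\` form used below is the equivalent extended-length prefix). It assumes the IIS logs are in W3C extended format with a `#Fields:` header; the log excerpt and the directory tree it scans are constructed for the demo. Nothing is deleted; the function only prints the commands to run on the Windows host.

```python
"""Triage helpers for two checks raised in this thread (added example, not
code from the posts or from any tool they name).

Assumptions not stated in the thread: IIS logs are W3C extended format with
a '#Fields:' header line; SAMPLE_LOG and the demo directory are constructed.
"""
import os
import tempfile

# Win32 device names that a normal path cannot address (KB Q120716).  A name
# is reserved with or without an extension, so 'LPT1' and 'lpt1.txt' both qualify.
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)

# Status codes the reply asks to look for on requests containing '%' or '.EXE'.
SUSPICIOUS_STATUS = {"200", "502"}

# Constructed W3C extended log excerpt in the IIS 5 field layout (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-05-28 01:12:03 10.0.0.7 - 192.168.1.2 80 GET /index.htm - 200 Mozilla/4.0
2002-05-28 01:12:09 10.0.0.7 - 192.168.1.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 Mozilla/4.0
2002-05-28 01:12:15 10.0.0.7 - 192.168.1.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 502 Mozilla/4.0
2002-05-28 01:13:40 10.0.0.9 - 192.168.1.2 80 GET /scripts/cmd.exe - 404 Mozilla/4.0
2002-05-28 01:14:02 10.0.0.7 - 192.168.1.2 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/4.0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the last '#Fields:' line.
    Records whose token count does not match the header are skipped, not mis-keyed."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        tokens = line.split(" ")
        if len(tokens) == len(fields):
            yield dict(zip(fields, tokens))


def find_suspicious_requests(log_text):
    """The check from the thread: stem or query contains '%' or '.exe' (any case)
    and the status is 200 or 502.  A 404 on the same URI shows a failed attempt."""
    hits = []
    for rec in parse_w3c(log_text):
        uri = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        status = rec.get("sc-status", "")
        if status in SUSPICIOUS_STATUS and ("%" in uri or ".exe" in uri.lower()):
            hits.append((rec.get("c-ip"), rec.get("cs-uri-stem"), rec.get("cs-uri-query"), status))
    return hits


def is_reserved_name(name):
    """True for a base name Win32 maps to a device: COM1, lpt1.txt, PRN."""
    return name.split(".")[0].strip().upper() in RESERVED_NAMES


def device_path(path):
    r"""Prefix an absolute Windows path with \\?\ so the Win32 layer does not map
    COM1/LPT1/PRN to devices; KB Q120716 shows the same idea with \\.\ ."""
    if path.startswith("\\\\?\\") or path.startswith("\\\\.\\"):
        return path
    return "\\\\?\\" + path


def find_reserved_entries(root):
    """Walk a web root and return (path, command) for every reserved-name entry,
    with the rd/del command that removes it on a Windows host.  Nothing is deleted."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if is_reserved_name(name):
                full = os.path.abspath(os.path.join(dirpath, name))
                found.append((full, f'rd /s /q "{device_path(full)}"'))
        for name in filenames:
            if is_reserved_name(name):
                full = os.path.abspath(os.path.join(dirpath, name))
                found.append((full, f'del "{device_path(full)}"'))
    return found


def demo_reserved_scan():
    """Build a constructed tree like the one in the thread and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tagged", "LPT1"))
    open(os.path.join(root, "tagged", "prn.txt"), "w").close()
    return find_reserved_entries(root)


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    for path, cmd in demo_reserved_scan():
        print("reserved name:", path, "->", cmd)
```

Point `find_reserved_entries` at the real web root on the affected host and run the printed `rd`/`del` commands from a cmd prompt; the `\\?\` prefix is what makes the directory addressable at all, which is why the usual delete attempt reports that the file cannot be found.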