Re: my iis has been hacked :-(
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 07/11/03
- Next message: Herb Martin: "Re: password login window pops up"
- Previous message: Herb Martin: "Re: hackerZZzzzz"
- In reply to: Thomas L: "my iis has been hacked :-("
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Jul 2003 15:23:36 -0400
Well, there are two steps here, and I'm not sure both steps were addressed
yet in the other replies.
One step is removing the folder. Info on how as well as other info you may
need explaining this situation is below:
http://securityadmin.info/faq.htm#ftpfolder
... though this step is optional, read on to see why.
The other step is determining how the hack was done and then blocking it, or
else you may immediately be hacked again. See above for info on this as
well.
Probably this was done in one of two ways. Possibly you left Microsoft IIS
FTP services enabled and the anonymous user [by default, the IUSR account]
was left with both read and write permissions to one or all of the folders.
IUSR should never have both read and write permissions to any folder, or
this will happen. This kind of exploit is not necessarily so bad, though it
means you probably also had other vulnerabilities that could have let
something more sinister happen at some other time.
The other way this could have happened was if a hacker used some sort of
exploit [possibly an IIS WWW web server service exploit, if you left web
services running on your computer] to remotely execute code and install a
hidden FTP server like Serv-U FTP. Remote code execution is more
disturbing, because the only way you can be sure you've removed all the back
doors that the hacker installed onto your computer is by formatting and
reinstalling Windows and everything else. Doing this is optional... it's up
to you and how secure you want to be. It may be acceptable if you prefer to
just try your best to remove what you can find and cross your fingers. To
see whether someone has remotely installed software or an FTP server onto
your computer, see here:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
If you do format and reinstall, be sure you know how to secure your computer
before you make it visible to the internet again, because otherwise you'll
be hacked again 15 minutes after you put the computer back on the internet.
Here's a good start:
http://securityadmin.info/faq.htm#harden
PS I'm guessing you don't have a firewall. Here are some free and
inexpensive ones:
http://securityadmin.info/faq.htm#firewall
Hope this helps. If you find anything interesting, come back and let us
know.
"Thomas L" <this.is.not.my.em@il.address.com> wrote in message
news:3f0c0757$0$298$ba620e4c@reader0.news.skynet.be...
> Hi,
>
> Under inetpub\wwwroot there suddenly appeared a directory with a blank
> or a space as its name. In that directory there are several subdirectories
> with different names. In one of the subdirectories I found 2 subdirectories,
> both apparently with software that enables the user to have virtual s** with a
> certain Jenna Jameson. Both directories contain about 500 Mb of files. I
> was able to delete one of those two directories, but not the other. When I try
> to delete the entire directory with the blank or space as name, I get an
> error that it could not access the disk.
>
> I presume that one way or another some sort of exploit got onto my system
> and is acting as a sort of FTP or file server? My question is if one of
> you recognise these symptoms and can tell me what exploit my server caught,
> and, if possible, what I can do against it?
>
> Regards,
>
> Thomas
>
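A defender-side audit for the condition described in the reply above (the anonymous IIS/FTP account holding both read and write on a content folder) plus the whitespace-only folder name from the original report. This is an added example, not code from the thread or from securityadmin.info; it assumes PowerShell 3.0 or later on the web server, and the content root and account-name pattern are assumed parameters.

```powershell
# Added audit script (not from the original thread). Walks an IIS content root
# and reports (a) every folder where the anonymous IIS/FTP account is allowed
# both read and write, the condition the reply says must never exist, and
# (b) folders whose name is blank or whitespace only, as in the original report.
# Assumptions: run from an elevated prompt; PowerShell 3.0+ (-Directory switch).
param(
    [string]$Root = 'C:\inetpub',
    # IIS 5/6 used IUSR_<machinename>; IIS 7+ uses the built-in IUSR account.
    [string]$AnonymousPattern = '(^|\\)IUSR(_[^\\]+)?$'
)

$readRights  = [System.Security.AccessControl.FileSystemRights]::ReadData
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force)

foreach ($folder in $folders) {
    # Finding (b): a directory named with nothing but spaces is hard to see
    # and hard to delete from Explorer, exactly what the original poster hit.
    if ($folder.Name.Trim() -eq '') {
        [pscustomobject]@{ Folder = $folder.FullName; Finding = 'Blank/whitespace-only folder name' }
    }

    # Finding (a): collect effective Allow rights for the anonymous account.
    $acl = Get-Acl -LiteralPath $folder.FullName
    $canRead = $false; $canWrite = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch $AnonymousPattern) { continue }
        if ($ace.FileSystemRights -band $readRights)  { $canRead  = $true }
        if ($ace.FileSystemRights -band $writeRights) { $canWrite = $true }
    }
    if ($canRead -and $canWrite) {
        [pscustomobject]@{ Folder = $folder.FullName; Finding = 'Anonymous account has Read+Write' }
    }
}
```

Any folder listed under the Read+Write finding should have write access for the anonymous account removed (or anonymous FTP disabled entirely) before the server goes back on the internet.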