From: Paul Lynch (paul_lynch67_at_hotmail.com)
Date: 11 Jul 2003 15:42:50 -0700
They're probably doing nothing more scary than uploading files to the
wide open ftp server you are running.
The best advice I can offer is to take the server offline asap, back
up any important files you need to keep and format and re-install from
Don't put the server back online until you have installed the latest
service pack and security patches. If you don't use the ftp service
disable it or at least disallow anonymous ftp to your server. If you
don't need the IIS services don't install them.
"mAx" <email@example.com> wrote in message news:<firstname.lastname@example.org>...
> that sounds scary....
> zombies sounds like the term! It is as if they don't exist
> on the drive whenever I try to delete/copy/cut etc
> many thanks for the info on 'packet sniffers' (heard of
> them but never had the need to try them out! here's my
> chance I guess!)
> will see what I can find
> thanks again!
> PS - it is the D:\ drive they are compromising - do you
> think best to do complete format/install to get rid of
> everything for sure?
> >-----Original Message-----
> >Any packet sniffer: windump, ethereal, etc. Although if
> you know the system
> >is compromised, you should take it off-line right away.
> Capturing the
> >traffic isn't going to do you any good--the systems that
> they're using to
> >transfer the files are likely compromised/zombies as well.
> >"max towns" <email@example.com> wrote in message
> >> Hello!
> >> trying to find some info on getting rid of unwanted
> >> folders created by hackers on my webserver.... they've
> >> been using it as a file transferring location (and are
> >> possibly watching me type this as I speak as I have just
> >> seen that have uploaded some terminal server setup stuff
> >> in the last five minutes! - hello if you're watching!)
> >> not that I'm paranoid or anything... but they're all
> >> me!!
> >> haha
> >> what people do for a bit of fun eh...
> >> anyway - will prob just format the drive and be done but
> >> would be nice to know for future reference...
> >> (anyone know how to check where exactly the data that is
> >> reported in the status as being sent and received for
> >> network/internet connection - is going to?)
> >> MAny many thanks for any help :)
> >> mAx