Re: Cleaning hacked IIS server

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 12/21/03


Date: Sat, 20 Dec 2003 19:12:52 -0500

I doubt that will work.

See here:

http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

Briefly, the attacker probably installed an FTP server like Serv-U FTP on
your computer and used up your internet connection bandwidth and hard drive
space. People think they don't need to secure their home computer and test
systems that don't have any important data, but you still do. Using the 8.3
file name, such as the one shown by DIR /X, is usually part of the solution,
in order to bypass certain reserved words in the file name, such as COM1, that
Windows Explorer won't let you manipulate. [Disabling POSIX support would have
prevented this trick from being used to make the files hard to delete.] See
the links above for more details.

BTW, you not only need to delete the files, you'd better determine how you
were hacked and what other changes or software was installed on your
computer, or else you'll be hacked again. You were probably hacked by
something very simple to fix, like missing patches, no firewall, and/or you
left IIS FTP service running with the IUSR anonymous user having both read
and write permission to one folder. www.kerio.com and www.sygate.com are
free firewalls.

If you didn't leave the IIS FTP service running, then your computer was
completely compromised / remotely controlled, as new software was installed
on it.

"Joseph" <anonymous@discussions.microsoft.com> wrote in message
news:04ab01c3c6bb$35ef3900$a601280a@phx.gbl...
> Try this, I hope it works. Reboot in safe mode by pressing
> the F8 key during boot. You should be able to delete the
> files this way.
> Joseph
> >-----Original Message-----
> >I have an IIS server that has thousands of folders and
> >files that have been posted by a hacker. I have tried
> >taking ownership, forcing new permissions, cutting off
> >inheritance and am unable to move or delete the files.
> >I ran The Checker to scan for trojans and backdoors, but
> >it found nothing. I have several service packs to
> >install, but my C: drive is pretty full of junk the
> >hackers have posted.
> >Is there a tool or method to clean off files that have
> >been locked from deleting? NTFS and folder permissions
> >appear to give Administrators full control, but attempts
> >to move or delete give error: Access denied...
> >Thanks for your help,
> >Jon
> >.
> >
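
An added example, not part of the original posts: a small Python check that finds the folders a cleanup has to target when reserved names such as COM1 are involved. It goes beyond the reply in two labelled ways: it also flags names ending in a dot or space, which the Win32 layer strips, and instead of the 8.3 name it prints the path with the `\\?\` prefix, which makes Windows pass the name through unparsed so it can be handed to `rd /s /q` or `del`. The sample paths and the function names are constructed for illustration.

```python
import re

# DOS device names the Win32 layer reserves: case-insensitive, and still
# reserved when followed by an extension (e.g. "lpt3.tmp").
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)
EXTENDED = "\\\\?\\"  # the literal prefix \\?\

# Constructed sample listing of absolute paths (illustrative only).
SAMPLE = [
    r"C:\Inetpub\ftproot\incoming\readme.txt",
    r"C:\Inetpub\ftproot\incoming\COM1\data\a.bin",
    r"C:\Inetpub\ftproot\incoming\com1\data\b.bin",
    r"C:\Inetpub\ftproot\incoming\lpt3.tmp\c.bin",
    "C:\\Inetpub\\ftproot\\incoming\\tagged \\d.bin",  # folder name ends in a space
    r"C:\Inetpub\ftproot\incoming\company\e.bin",      # ordinary name, must not match
]

def problem(name):
    """Return why ordinary tools refuse this path component, or None."""
    if RESERVED.match(name.rstrip(" .")):
        return "reserved device name"
    if name != name.rstrip(" ."):
        return "trailing dot or space"  # assumption beyond the post, see lead-in
    return None

def scan(paths):
    """Return sorted (extended_path, reason) for the shallowest bad component.

    Removing that folder removes everything below it, so deeper paths under
    the same folder are collapsed into one entry (NTFS names compare
    case-insensitively, hence the lower-cased key).
    """
    found = {}
    for path in paths:
        parts = path.split("\\")
        for i, name in enumerate(parts[1:], start=1):  # parts[0] is the drive
            reason = problem(name)
            if reason:
                target = "\\".join(parts[: i + 1])
                found.setdefault(target.lower(), (EXTENDED + target, reason))
                break
    return sorted(found.values())

if __name__ == "__main__":
    for target, reason in scan(SAMPLE):
        print(f"{reason}: {target!r}")
```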
