Re: Am I hacked? IIS dying, 'telnet localhost 443' gives: Hallo, Willkommen auf Compactzone Stro!

From: Paul Lynch (paul.lynch_at_nospam.com)
Date: 06/30/04


Date: Wed, 30 Jun 2004 17:14:17 +0100

On Wed, 30 Jun 2004 08:00:27 -0600, hal@nospam.com wrote:

>I posted yesterday about my IIS dying. Original post is below.
>General consensus and most docs on the 115 error say something is
>listening on my http/https ports, however, netstat does not show
>anything. I am checking into third party utilities to get more info,
>but I found something very disturbing: My favorite trick for seeing
>if SMTP servers are running is 'telnet <host> 25' to see if server
>responds. I did this for port 80 and 443, and even when web service
>is stopped, I get a response on 443 that says:
>
>Hallo, Willkommen auf Compactzone Stro!
> Ich hoffe, Sie haben viel SpaŻ!
> Loader
>
> Danke fnr ihren Besuch!
> Bist zum nSchsten Mal!
> Loader
>
>This cannot be good. How can I find what this is and get rid of it?
>
>Any help _greatly_ appreciated
>
>Hal

Hal,

You're right. This doesn't sound good. You need to find out which
process is binding to ports 80 and/or 443 on your server ASAP!

Any of these tools will do this for you:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

Availability and description of the Port Reporter tool
http://support.microsoft.com/?id=837243

In the meantime I would seriously consider disconnecting your server
from any network as a precaution.

I think you may need to spend some time reading this:

http://securityadmin.info/faq.asp#hackerstoc

http://securityadmin.info/faq.asp#re-secure

http://securityadmin.info/faq.asp#harden

Regards,

Paul Lynch
MCSE
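
Added example, not part of the original post: on current Windows versions, the port-to-process mapping that TCPView and fport provide can also be done from an elevated PowerShell prompt. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available; the port list is the one from the thread.

```powershell
# Added example: map listeners on the web ports to their owning processes.
# Assumes Windows 8 / Server 2012 or later and an elevated prompt.
$ports = 80, 443

$listeners = Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue

if (-not $listeners) {
    Write-Output "Nothing is listening on ports $($ports -join ', ')."
    return
}

$report = foreach ($l in $listeners) {
    # Win32_Process exposes the image path and command line for the owning PID.
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($l.OwningProcess)"

    # Check the Authenticode signature of the binary when a path is available.
    # PID 4 (System) has no path; kernel-mode listeners such as HTTP.sys show up there.
    $sig = if ($proc.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
    } else {
        'n/a'
    }

    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        ProcessId    = $l.OwningProcess
        Name         = $proc.Name
        Path         = $proc.ExecutablePath
        Signature    = $sig
        CommandLine  = $proc.CommandLine
    }
}

# One block per listener; an unexpected path or a failed signature check is the thing to chase.
$report | Sort-Object LocalPort, ProcessId | Format-List
```

If this reports nothing on a port that still answers a local connection, the listener is hidden from the user-mode APIs and the host should be examined offline.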

