Re: Hacked Server - Can't Delete Planted Files

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/20/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Thu, 19 Dec 2002 19:22:57 -0500


I agree. Have you taken steps to determine how the computer was
compromised? One common way is if you have Microsoft FTP service running
and the anonymous user has both read and write permissions to any one
folder. This kind of hack is not so bad. If Microsoft IIS FTP service was
not running, then the hacker was able to remotely run code and install an
FTP server software on your server, which is bad. You may want to consider
formatting and reinstalling, because you'll never be 100% sure otherwise
that you've found and removed all back doors that would allow a hacker to
re-enter your computer and trash or steal your files to punish you, whether
or not you had already closed the original hole that let him in. Also, this
person could very well have gotten the passwords from your computers, credit
card numbers, etc.

To delete the folder and read more about how this happened:

http://securityadmin.info/faq.htm#ftpfolder

[PS I doubt booting to safe mode as suggested in the other post is going to
help]

See below for info on how to look for evidence of how the hacking happened,
and then secure your computer. Start with your IIS logs, looking for
anything that has .EXE or % and that also has a code 200 or 502 in it, and
also use Vision from www.foundstone.com/knowledge and the other tools
described below:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

"MrMike" <mrmike@seanet.com> wrote in message
news:07a701c2a771$7bc9a1f0$d5f82ecf@TK2MSFTNGXA12...
> Windows 2000 Server running on DSL line and (yes I know)
> no firewall. Twice now I've been hacked by someone who
> plants within my web site directory in inetpub, folders
> such as com1, com1, com1, com1, and then identifies himself
> (or herself?) with the names of successive folders below
> each other such as "scaned by XXX", "Planted by XXX".
>
> I suspect I'm being relayed through since my router goes
> nuts when I'm not doing anything.
>
> I can't delete these folders or files. The Message says
> that they don't exist or can't be found.
>
> How do I delete these folders and files?
>
> Thank you All!
>
> mrmike
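An added example, not part of Karl's or MrMike's posts: why folders named com1 report "not found" when you try to delete them, and how to remove them from an elevated PowerShell prompt. COM1, LPT1, AUX, NUL and friends are reserved Win32 device names, so Explorer, `del` and `rd` resolve the path to the device instead of the directory; the `\\?\` prefix turns that parsing off, and `rd` honours it. The site root `C:\inetpub\wwwroot` is assumed (MrMike does not give his exact path), as is the `$WhatIf` switch, which is set so the script only lists what it would remove until you flip it. Do this after the box is off the network and the FTP/WWW services are stopped, and after you have copied the logs and planted files somewhere for evidence.

```powershell
# Added example (not from the original thread): remove planted folders whose
# names are reserved Win32 device names. Assumes C:\inetpub\wwwroot is the
# site root; $WhatIf = $true only reports, $false deletes.

$WebRoot = 'C:\inetpub\wwwroot'
$WhatIf  = $true

# Reserved device names. An extension (COM1.txt) or trailing folder names do
# not change how the Win32 path parser treats the component itself.
$Reserved = @('CON', 'PRN', 'AUX', 'NUL') +
            @(1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Test-ReservedName {
    param([Parameter(Mandatory)][string]$Name)
    $base = ($Name -split '\.', 2)[0].ToUpperInvariant()
    return [bool]($Reserved -contains $base)
}

# Listing the parent directory still shows the entries; only opening them by
# their normal path fails. Errors while descending are ignored on purpose.
$planted = Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { Test-ReservedName $_.Name }

$removed = @()
foreach ($item in ($planted | Sort-Object { $_.FullName.Length })) {
    # Skip anything that sat inside a tree we already removed with rd /s.
    $inRemoved = $removed | Where-Object { $item.FullName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if ($inRemoved) { continue }

    $literal = '\\?\' + $item.FullName     # bypasses device-name parsing
    Write-Host "planted: $($item.FullName)"
    if ($WhatIf) { continue }

    if ($item.PSIsContainer) {
        # /s also takes the nested "scaned by" / "Planted by" folders with it.
        & cmd.exe /c rd /s /q $literal
    } else {
        & cmd.exe /c del /f /q $literal
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "could not remove $($item.FullName) (exit code $LASTEXITCODE)"
    } else {
        $removed += ($item.FullName + '\')
    }
}
```

Deleting the folders only removes the calling card; it says nothing about whether the attacker still has a way in, which is Karl's point about rebuilding the box.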


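An added example, not part of Karl's post or the FAQ he links: a first pass over IIS W3C extended logs that applies his rule of thumb, a request whose URI or query string contains `.EXE` or a `%` escape and that the server answered with 200 or 502. The log excerpt below is constructed to show the format (IIS 5 on Windows 2000 writes these to `%SystemRoot%\System32\LogFiles\W3SVC1\ex*.log`); the column order is taken from the `#Fields:` header, so the same function runs over a real file via `Get-Content`. The `Find-SuspiciousRequests` function name is the example's own.

```powershell
# Added example (not from the original thread): flag IIS log entries with
# ".exe" or "%" in the URI/query and a 200 or 502 status. The log lines are
# constructed sample data in the W3C extended format IIS 5 writes by default.

$SampleLog = @'
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-18 03:14:07
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-12-18 03:14:07 198.51.100.23 GET /default.htm - 200 Mozilla/4.0+(compatible)
2002-12-18 03:14:12 198.51.100.23 GET /scripts/..%255c..%255c/winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/4.0+(compatible)
2002-12-18 03:14:13 198.51.100.23 GET /scripts/..%255c..%255c/winnt/system32/cmd.exe /c+dir+c:\inetpub 502 Mozilla/4.0+(compatible)
2002-12-18 03:15:40 203.0.113.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 Mozilla/4.0+(compatible)
2002-12-18 03:16:01 198.51.100.77 GET /docs/price%20list.htm - 200 Mozilla/4.0+(compatible)
'@

function Find-SuspiciousRequests {
    param([Parameter(Mandatory)][string[]]$Lines)
    $col = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; IIS may write a new one mid-file.
            $names = ($line -replace '^#Fields:\s*', '') -split ' '
            $col = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $col[$names[$i]] = $i }
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $col.ContainsKey('cs-uri-stem')) { continue }   # no header seen yet

        # IIS replaces spaces inside fields with '+', so a single-space split is safe.
        $f = $line -split ' '
        $stem   = $f[$col['cs-uri-stem']]
        $query  = $f[$col['cs-uri-query']]
        $status = [int]$f[$col['sc-status']]

        # -match is case-insensitive, so .EXE and .exe both hit. "%" catches the
        # encoded traversal escapes but also harmless %20 in ordinary URLs.
        if ((@(200, 502) -contains $status) -and ("$stem $query" -match '\.exe|%')) {
            [pscustomobject]@{
                Time   = "$($f[$col['date']]) $($f[$col['time']])"
                Client = $f[$col['c-ip']]
                Status = $status
                Uri    = $stem
                Query  = $query
            }
        }
    }
}

$hits = @(Find-SuspiciousRequests -Lines ($SampleLog -split "`r?`n"))
$hits | Format-Table -AutoSize

# Which client keeps coming back usually matters more than the raw hit count.
$hits | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

On the sample data the rule flags the two cmd.exe requests (200 and 502) and the `price%20list.htm` line, which is the noise Karl's `%` hint will always bring in; the 404 probe from the second client is not flagged, but once a client shows up in the hit list every request from that address is worth reading, failed ones included. Against a real file: `Find-SuspiciousRequests -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\W3SVC1\ex021218.log")`.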
