Re: Lost control of server
From: swift (theswifter@yahoo.com)
Date: 02/25/03
- Next message: Doug: "Enable/disable local area connection from unpriv'd account"
- Previous message: Siggers: "Re: Legacy client"
- In reply to: Karl Levinson [x y] mvp: "Re: Lost control of server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "swift" <theswifter@yahoo.com> Date: Tue, 25 Feb 2003 10:52:08 -0800
Thanks for the help. I am going to cut my losses and
reformat the server. And by the way, I am a school
district, so I don't think I will get much luck reporting
this to the police.
Thanks again,
swift
>-----Original Message-----
>Wow, that sucks. It's hard to say for sure from here, but the presence of
>the 1mbtest file and *.avi files makes it sound like someone was using your
>computer to store and share illegal pirated videos as an FTP server. [This
>is a common type of hack.] It could very well be that these people did
>these things to your computer just to make it harder for you to take their
>FTP server offline. I'd compare that to someone smashing your front
>windshield and slashing your tires just to take an $80 radio from your car.
>
>I would really consider formatting and reinstalling, because 1) it's
>probably easier and quicker than figuring out how to find and undo
>everything that's been done [especially via email like this] and 2) because
>you never know whether you've missed a back door that lets the hacker right
>back into the system and he or she does it all again. You can probably back
>up your data files, if you have any, by moving the hard drive as a slave to
>another Windows 2000 / XP computer.
>
>I definitely feel like you can and should secure your computer from this
>type of attack by following the instructions in those URLs I gave, BEFORE
>you put the computer back on the internet again. An unfirewalled computer
>on the internet can be hacked in 15 minutes or less, while you're
>downloading security patches. The most important link would be:
>
>http://securityadmin.info/faq.htm#harden
>
>Normally it's good to try to investigate to see how the computer was hacked
>to be sure to prevent it from happening again and try to determine what data
>or passwords or other computers may also be at risk, but that may not be
>possible considering the state of the computer. Definitely try to inspect
>and view the IIS logs and any firewall logs if you can.
>
>If this is a business computer, contacting the authorities might be
>worthwhile. You could consider setting up a sniffer or a firewall [WITHOUT
>blocking anything, or maybe just blocking the outgoing FTP data connections
>to try to entice the hacker into returning] to try to tell who is managing
>your FTP server and get the source IP address. If you just want your system
>to work again, though, these things would delay that.
>
>Chances are slim that you'd get any legal action against these people
>[unless there's proven monetary loss], but you never know.
>www.mynetwatchman.com and www.dshield.com are free software that
>automatically reports hacking attempts to the hacker's ISP. Tracking down
>IP addresses can also be done like so:
>
>http://securityadmin.info/faq.htm#trace
>
>
>"swift" <theswifter@yahoo.com> wrote in message
>news:0d9101c2dc45$94274190$3001280a@phx.gbl...
>> Thanks for the info. I printed out securityadmin.info
>> and will read over it tonight.
>>
>> The hacker has changed all of my administrator privileges.
>> I can't open needed files and can't access my FTP site. The
>> hacker totally made one of my drives accessible. I
>> believe they are using it for file sharing. I unplugged
>> the computer from the internet for the night. When I right
>> click and select properties I get normal stuff, but only
>> have access as if I were a normal user. I can't change
>> permissions or sharing and I can't go to disk manager.
>>
>> One file that appeared was "1mbtest.ptf"; another was a
>> JScript file called "webuivvalidation.js" in an
>> aspnet_client folder. I also found some jackass avi files
>> but was unable to open them.
>>
>> I know I have been hacked, but I am unsure how to stop it
>> and get permission back so I can stop it. Will I need to
>> reformat the computer? Once I fix the problem will I
>> need to change the IP address? I notice lots of activity
>> on the server minute after minute, so I know there is
>> a problem.
>>
>> Thanks,
>>
>> Swift
>> >-----Original Message-----
>> >That's a tall order, but try this:
>> >
>> >http://securityadmin.info/faq.htm#hacked [This should help you find signs
>> >of hacking]
>> >http://securityadmin.info/faq.htm#iislogs2
>> >http://securityadmin.info/faq.htm#iislogs
>> >http://securityadmin.info/faq.htm#re-secure
>> >http://securityadmin.info/faq.htm#harden
>> >
>> >Maybe you could tell us more about the files you found, e.g. file and folder
>> >name, location, what they contain, what you see when you right-click and
>> >select properties, etc.?
>> >
>> >"swift" <theswifter@yahoo.com> wrote in message
>> >news:05ea01c2dc26$e67dfe80$3301280a@phx.gbl...
>> >> I believe that someone has taken over my server. I found
>> >> files on my website that I did not put there and now I can
>> >> log on as administrator but I have no right to change
>> >> things or even shut down. I can't access my FTP file to
>> >> turn it off either. Can anyone help?
>> >>
>> >> swift
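Karl's advice above is to inspect the IIS logs for who was managing the drop site and which source IPs were involved. The following is an added example, not code from the original thread or from any poster: a small triage script for IIS W3C extended logs that tallies requests per client IP, lists which IPs wrote files to the server, and flags the file names swift reported (1mbtest.ptf, webuivvalidation.js, *.avi). It assumes only the W3C format's "#Fields:" directive to learn the column layout; the FTP method tokens ([1]USER, [1]created, [1]sent) in the constructed sample follow the IIS FTP logging convention as an assumption, and the sample lines and IP addresses are made up.

```python
"""Triage an IIS W3C extended log for signs of an FTP/web drop site.

Added example, not from the original thread. It assumes the W3C extended
log format that IIS writes (a "#Fields:" directive names the columns).
The sample lines below are constructed, not real logs.
"""
from collections import Counter, defaultdict

# Constructed sample. The FTP method tokens ([1]USER, [1]created, [1]sent)
# follow the IIS FTP log convention as an assumption; the parser itself
# relies only on the #Fields: header, so it adapts to whatever the real
# log contains.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-24 03:11:02
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2003-02-24 03:11:02 203.0.113.7 anonymous 10.1.2.3 21 [1]USER anonymous 331
2003-02-24 03:11:03 203.0.113.7 anonymous 10.1.2.3 21 [1]PASS - 230
2003-02-24 03:11:09 203.0.113.7 anonymous 10.1.2.3 21 [1]created 1mbtest.ptf 226
2003-02-24 03:12:41 203.0.113.7 anonymous 10.1.2.3 21 [1]created /pub/incoming/jackass01.avi 226
2003-02-24 03:15:00 198.51.100.9 anonymous 10.1.2.3 21 [2]USER anonymous 331
2003-02-24 03:15:01 198.51.100.9 anonymous 10.1.2.3 21 [2]PASS - 230
2003-02-24 03:15:20 198.51.100.9 anonymous 10.1.2.3 21 [2]sent /pub/incoming/jackass01.avi 226
2003-02-24 03:20:00 192.0.2.44 - 10.1.2.3 80 GET /aspnet_client/webuivvalidation.js 200
2003-02-24 03:21:00 192.0.2.44 - 10.1.2.3 80 GET /default.htm 200
"""

# File names the poster reported finding, used here as indicators.
INDICATORS = ("1mbtest.ptf", "webuivvalidation.js", ".avi")

# Methods that write to disk: IIS FTP "created" (an upload) and HTTP PUT/POST.
WRITE_METHODS = ("created", "PUT", "POST")


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other directives (#Software, #Date)
        if fields is None:
            raise ValueError("record before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def triage(text, indicators=INDICATORS):
    """Summarise activity per client IP and flag uploads and indicator files."""
    per_ip = Counter()
    writes = defaultdict(list)        # c-ip -> paths written to the server
    hits = []                         # (c-ip, method, path) touching an indicator
    for rec in parse_w3c(text):
        ip, method, path = rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]
        per_ip[ip] += 1
        # Drop the "[n]" FTP session prefix so "[1]created" compares as "created".
        bare = method.split("]", 1)[-1]
        if bare in WRITE_METHODS:
            writes[ip].append(path)
        if any(i in path.lower() for i in indicators):
            hits.append((ip, bare, path))
    return {"per_ip": per_ip, "writes": dict(writes), "hits": hits}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, n in report["per_ip"].most_common():
        print("%-15s %d requests, wrote %s" % (ip, n, report["writes"].get(ip, [])))
    for ip, method, path in report["hits"]:
        print("indicator: %s %s %s" % (ip, method, path))
```

Run it against the real log directory instead of SAMPLE_LOG (read each ex*.log file and pass its text to triage) and the IPs that show up under "writes" are the ones that populated the drop site; the "sent" entries from other IPs are the downloaders. Those source addresses are what the abuse reports Karl mentions need.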