Security Basics mailing list archives

Re: MS IIS 5 server is hacked leaving undeletable folders and files


From: khayes () eastbay com
Date: Tue, 31 Dec 2002 16:26:43 -0600



If it makes you feel better you're definitely not alone in this.  It
happens to hundreds of people every day.  It had happened to a server I
inherited when I started this job and they couldn't figure it out either.
The only reason I know about the fix is because I was an idiot and created
a COM1 dir on the root of my home machine and had to figure it out.
<<LOL>>

You're running into the same problem a lot of people have that run an FTP
on top of IIS.  When the Warez Kiddies make directories they use reserved
names for directories (COM1, COM2, LPT1, AUX... )  These directories are
considered "locked" because the OS sees these directories as Devices and
not standard directories.  In order to get past this, you need to know
the entire path.   The problem, as you and everyone else is seeing, is that
deleting these directories is a pain.

You have two choices to get rid of these.  First, attach to the machine via
some *nix-based machine and delete them.  You're saved here because the
remote *nix box doesn't care about DOS reserved names.  The other way to do
it is detailed in the following TID from Microsoft.  Evidently there was
enough of an uproar by everyone that the folks in Redmond actually listened
for once.  The URL is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;120716

As a side note, I am curious if they even tried to download the files they
uploaded.  The standard for them is to upload a file called Speedtest
(normally just 1mb in size) and then download it to not only check the
speed of your server but also to make sure they can actually download at
all. The user that put the files on there is probably not using a proxy.
You could contact the owner of the IP range and complain.  If it's a home
user the ISP should crack the whip on their keister.

Warez/Script Kiddies test everyone's patience.

Hope this helps.

Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com
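The reply above explains why the folders survive a normal delete: Win32 maps names like COM1, LPT2 and AUX onto devices, so the path has to be handed to the API in a form that skips DOS device-name parsing. The script below is an added example for this thread, not code from either poster or from Microsoft. It parses IIS 5 FTP log lines in the #Fields layout quoted later in the thread, flags every upload whose path contains a reserved device name (a detection you can run over a server's own FTP logs), and builds the \\?\-prefixed path that lets a Windows delete call reach such a folder (the cmd.exe equivalent, with a \\.\ prefix, is what KB 120716 describes). The log lines, the client addresses and the C:\Inetpub\ftproot location are constructed for the example.

```python
"""Flag FTP uploads whose path components are Win32 reserved device names.

Added example for the security-basics thread; not the posters' code.
SAMPLE_LOG below is constructed in the IIS 5 FTP log format quoted in the
thread, using documentation IP addresses.
"""
from urllib.parse import unquote

# Names Win32 treats as devices in any directory (case-insensitive). The API
# ignores everything after the first '.' and any trailing spaces or dots, so
# "aux.txt", "COM1 " and "lpt2." all resolve to the device as well.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def decode_component(component: str) -> str:
    """Undo IIS log escaping: '+' stands for a space, %XX is percent-encoding."""
    return unquote(component.replace("+", " "))


def is_reserved_name(component: str) -> bool:
    """True if Win32 would map this directory or file name onto a device."""
    name = decode_component(component).rstrip(" .")
    base = name.split(".", 1)[0].rstrip(" .").upper()
    return base in RESERVED


def parse_iis_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue
        # Take the first n-1 fields from the left and the last (sc-status)
        # from the right, so a value containing spaces (a PASS string, say)
        # cannot shift the status code into the wrong column.
        record = dict(zip(fields[:-1], parts))
        record[fields[-1]] = parts[-1]
        yield record


def find_reserved_uploads(text: str):
    """Return (time, client ip, decoded path, [reserved components]) for every
    transfer whose path contains a reserved device name."""
    hits = []
    for rec in parse_iis_log(text):
        path = rec.get("cs-uri-stem", "")
        if not path.startswith("/"):
            continue  # USER/PASS lines and bare file names carry no path
        bad = [decode_component(c) for c in path.split("/") if is_reserved_name(c)]
        if bad:
            hits.append((rec.get("time"), rec.get("c-ip"),
                         decode_component(path), bad))
    return hits


def extended_path(win_path: str) -> str:
    """Prefix a fully qualified local path with \\\\?\\ so Win32 skips DOS
    device-name parsing; that is what lets a delete call reach a folder
    literally named COM3. The path must already be absolute."""
    prefix = "\\\\?\\"
    return win_path if win_path.startswith(prefix) else prefix + win_path


# Constructed sample in the thread's IIS 5 FTP log layout (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-30 06:38:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 192.0.2.10 [1]USER anonymous 331
06:38:21 192.0.2.10 [1]PASS anonymous@example.invalid 230
06:38:24 192.0.2.10 [1]sent /upload/com3+/lpt2+/d/tagged+by+X/aux+/divx/rpc-acb.043 550
06:54:31 192.0.2.10 [1]created rpc-acb.043 226
07:02:00 192.0.2.11 [1]sent /upload/invoice.pdf 226
"""

if __name__ == "__main__":
    for when, ip, path, bad in find_reserved_uploads(SAMPLE_LOG):
        print(f"{when} {ip} reserved names {bad} in {path!r}")
    # Assumed FTP root; substitute the server's real one before deleting.
    print(extended_path(r"C:\Inetpub\ftproot\upload\com3"))
```

On Windows, passing the string returned by extended_path to os.rmdir or shutil.rmtree hands it to the Win32 API unchanged, so the prefix takes effect; the detection half runs anywhere, since it only reads the log text.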



From: "Don Phillipe" <donphillipe () hotmail com>
To: <security-basics () securityfocus com>
cc:
Subject: MS IIS 5 server is hacked leaving undeletable folders and files
Date: 12/31/2002 10:54 AM




I have a small server I use for my home business and use it mainly for
anyone who needs to send a large file that will not go through email.  I
have an anonymous UPLOAD FTP account that I open up to receive these.  From
time to time I forget and leave this open (I know this is stupid but I
thought I could just erase anything that was put there because the small
drive would fill up real soon).  However, I see someone has hacked into my
server and put a bunch of trash that I cannot delete because when I try to
delete it, Windows 2K says "cannot find the specified file".   I have spent
2 days researching this and cannot find any reference of how to correct
this.   I did find some reference to looking at the security tab for these
files but the security tab is missing!  I found some tools which are
supposed to set owners for files and they don't work on these files.   Here
is the log from where the hacker attacked below.  Any help would be
appreciated.  I don't want to have to rebuild my server if possible:



#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-30 06:38:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 80.11.214.63 [1]USER anonymous 331
06:38:21 80.11.214.63 [1]PASS anonymous () on the net 230
06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.043 550
06:54:31 80.11.214.63 [1]created rpc-acb.043 226
06:54:32 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.044 550
07:10:38 80.11.214.63 [1]created rpc-acb.044 226


