Security Basics mailing list archives
Re: MS IIS 5 server is hacked leaving undeletable folders and files
From: khayes () eastbay com
Date: Tue, 31 Dec 2002 16:26:43 -0600
If it makes you feel better you're definitely not alone in this. It happens to hundreds of people every day. It had happened to a server I inherited when I started this job and they couldn't figure it out either. The only reason I know about the fix is because I was an idiot and created a COM1 dir on the root of my home machine and had to figure it out. <<LOL>>

You're running into the same problem a lot of people have that run an FTP on top of IIS. When the Warez Kiddies make directories they use reserved names for directories (COM1, COM2, LPT1, AUX... ) These directories are considered "locked" because the OS sees these directories as Devices and not standard directories. In order to get past this, you need to know the entire path. The problem, as you and everyone else is seeing, is that deleting these directories is a pain.

You have two choices to get rid of these. First, attach to the machine via some *nix-based machine and delete them. You're saved here because the remote *nix box doesn't care about DOS reserved names. The other way to do it is detailed in the following TID from Microsoft. Evidently there was enough of an uproar by everyone that the folks in Redmond actually listened for once. The URL is: http://support.microsoft.com/default.aspx?scid=kb;en-us;120716

As a side note, I am curious if they even tried to download the files they uploaded. The standard for them is to upload a file called Speedtest (normally just 1mb in size) and then download it to not only check the speed of your server but also to make sure they can actually download at all.

The user that put the files on there is probably not using a proxy. You could contact the owner of the IP range and complain. If it's a home user the ISP should crack the whip on their keister. Warez/Script Kiddies test everyone's patience.

Hope this helps.
Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com

"Don Phillipe" <donphillipe () hotmail com>
12/31/2002 10:54 AM
To: <security-basics () securityfocus com>
cc:
Subject: MS IIS 5 server is hacked leaving undeletable folders and files

I have a small server I use for my home business and use it mainly for anyone who needs to send a large file that will not go through email. I have an anonymous UPLOAD FTP account that I open up to receive these. From time to time I forget and leave this open (I know this is stupid but I thought I could just erase anything that was put there because the small drive would fill up real soon).

However, I see someone has hacked into my server and put a bunch of trash that I cannot delete because when I try to delete it, Windows 2K says "cannot find the specified file". I have spent 2 days researching this and cannot find any reference of how to correct this. I did find some reference to looking at the security tab for these files but the security tab is missing! I found some tools which are supposed to set owners for files and they don't work on these files.

Here is the log from where the hacker attacked below. Any help would be appreciated.
I don't want to have to rebuild my server if possible:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-30 06:38:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 80.11.214.63 [1]USER anonymous 331
06:38:21 80.11.214.63 [1]PASS anonymous () on the net 230
06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20% +by+Lorg% d%D+/divx/rpc-acb.043 550
06:54:31 80.11.214.63 [1]created rpc-acb.043 226
06:54:32 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20% +by+Lorg% d%D+/divx/rpc-acb.044 550
07:10:38 80.11.214.63 [1]created rpc-acb.044 226

- - - - - - - - - - - - - - - -

The information in this e-mail, and any attachment therein, is confidential and for use by the addressee only. If you are not the intended recipient, please return the e-mail to the sender and delete it from your computer. Although the Company attempts to sweep e-mail and attachments for viruses, it does not guarantee that either are virus-free and accepts no liability for any damage sustained as a result of viruses.
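
Added example, not part of the original thread: a log check that flags FTP entries whose path contains a reserved device name (the COM1, LPT1, AUX pattern described above), so an open upload directory being used this way shows up before the disk fills. The sample lines are constructed in the same field layout as the log above; the function names and the reading of '+' as a logged space are assumptions of this example.

```python
import re

# Win32 device names; a path component whose base name matches one of these
# is treated as a device by the normal file APIs.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Layout from the log header: time c-ip cs-method cs-uri-stem sc-status
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")

def reserved_components(uri):
    """Return the path components of uri that resolve to a reserved name."""
    hits = []
    for part in uri.split("/"):
        # Assumption: '+' in the logged path stands for a space.
        name = part.replace("+", " ").rstrip(" .")    # trailing space/dot is dropped
        base = name.split(".", 1)[0].strip().upper()  # an extension does not matter
        if base in RESERVED:
            hits.append(part)
    return hits

def scan(lines):
    """Return (time, client_ip, method, status, hits) for each flagged entry."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # skips '#' header lines and anything malformed
            continue
        time, ip, _session, method, uri, status = m.groups()
        hits = reserved_components(uri)
        if hits:
            findings.append((time, ip, method, status, hits))
    return findings

# Constructed sample in the same layout (documentation-range addresses).
SAMPLE = """#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 192.0.2.10 [1]USER anonymous 331
06:38:24 192.0.2.10 [1]sent /upload/com3+/lpt2+/d/aux+/divx/file.001 550
06:54:31 192.0.2.10 [1]created file.001 226
07:01:02 192.0.2.11 [2]created /upload/report.zip 226
07:02:10 192.0.2.11 [2]created /upload/nul.txt 226
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE.splitlines()):
        print(finding)
```
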