[Dshield] Re: Dshield digest, Vol 1 #319 - 2 msgs

support@maedata.net support at maedata.net
Sun Nov 4 18:47:43 GMT 2001


The com1 directory is a vulnerability I believe MS fixed some time ago. You
get the error because com1 is a reserved word and the OS should not have
allowed its creation.

Sysops who have left their ftp open to anonymous uploads may find that
hackers (script kiddies?) may have created this directory and may have
uploaded large files until the disk fills up.

Some time ago I had a brand new server put online before I had a chance to
secure it. In less than 24 hrs someone was eating up all my bandwidth with
multiple ftp uploads and created files as you described above.



----- Original Message -----
From: <dshield-request at dshield.org>
To: <dshield at dshield.org>
Sent: Sunday, November 04, 2001 12:01 PM
Subject: Dshield digest, Vol 1 #319 - 2 msgs


> Send Dshield mailing list submissions to
> dshield at dshield.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www1.dshield.org/mailman/listinfo/dshield
> or, via email, send a message with subject or body 'help' to
> dshield-request at dshield.org
>
> You can reach the person managing the list at
> dshield-admin at dshield.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Dshield digest..."
>
>
> Today's Topics:
>
>    1. RE: I've been hacked (Peter Street)
>    2. RE: I've been hacked (DAS)
>
> --__--__--
>
> Message: 1
> From: "Peter Street" <peter.street at lazerfx.co.uk>
> To: <dshield at dshield.org>
> Subject: RE: [Dshield] I've been hacked
> Date: Sat, 3 Nov 2001 21:08:59 -0000
> Reply-To: dshield at dshield.org
>
> In a situation like this you can never be sure that your computer is
> 100% secure again, so I would likely download all the patches and
> updates, burn them to a CD, reformat and re-install Win2K / XP and do an
> offline update of the system, ensuring all the updates and patches go
> on.
>
> Of course, I'm paranoid, but then:
>
> Just Because You Are Paranoid, Doesn't Mean They Aren't Out To Get You!
>
> Peter Street
> Web Developer / Manager
> LazerFX Productions
> www.lazerfx.co.uk (Under Construction)
>
>
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
> Behalf Of RShady
> Sent: 03 November 2001 19:14
> To: dshield at dshield.org
> Subject: Re: [Dshield] I've been hacked
>
> << Snipped appearance of Apparent Code Red >>
>
>
> --__--__--
>
> Message: 2
> From: "DAS" <dastoltz at epix.net>
> To: <dshield at dshield.org>
> Subject: RE: [Dshield] I've been hacked
> Date: Sat, 3 Nov 2001 20:07:58 -0500
> Reply-To: dshield at dshield.org
>
> This is what finally worked:
>
> rmdir \\.\c:\inetpub\ftproot /s
>
> Thanks for all the help!
>
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
> Behalf Of Tom Sevy
> Sent: Saturday, November 03, 2001 4:05 PM
> To: 'dshield at dshield.org'
> Subject: RE: [Dshield] I've been hacked
>
>
> Try this:
>
> ren co?1 cox1
>
>
>
> -----Original Message-----
> From: DAS [mailto:dastoltz at epix.net]
> Sent: Saturday, November 03, 2001 9:51 AM
> To: dshield at dshield.org
> Subject: [Dshield] I've been hacked
>
>
>
> This question has been discussed and answered here already, but I'm still
> having a problem.
>
> I was also hacked, and the following directory was placed on my server:
>
> c:\inetpub\ftproot\0200~\~~tagged and scanned~~\by\com1
>
> I did a DIR /X and the com1 directory name does NOT change.
>
> So I tried the following:
>
> rmdir /s com1
>
> But no matter how I try to delete the com1 directory, I get this error:
>
> "The Directory name is invalid"
>
> I don't know what else to try.
>
> Any Advice?
>
> Thanks-
>
>
> --__--__--
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> http://www1.dshield.org/mailman/listinfo/dshield
>
>
> End of Dshield Digest
>
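The reserved-name problem in this thread (a "com1" directory that "rmdir /s" refuses with "The directory name is invalid", and the "\\.\"-prefixed path that finally removed it), as an added example that is not code from the thread, from the list or from Microsoft: a Python check for the Win32 device names that an anonymous-upload handler or a cleanup script should refuse, plus the "\\?\" extended-length form of a path, which Microsoft documents as turning off Win32 path parsing. The constant names, function names and behaviour on non-Windows hosts are my choices; the sample path is the one posted in the thread; the deletion helper is only meaningful on Windows and is not exercised elsewhere.

```python
"""Added example: spot Win32 reserved device names in paths (the 'com1'
directory from the thread) and build the '\\\\?\\' extended-length path form
that lets Windows tools delete them. Not code from the Dshield thread."""
import os
import re
import shutil

# Device names Win32 path normalisation intercepts in any directory.
# Kept to the classic documented set (no COM0/LPT0, no superscript digits).
DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}

# The path posted in the thread, used by the demo under __main__.
SAMPLE_PATH = r"c:\inetpub\ftproot\0200~\~~tagged and scanned~~\by\com1"


def reserved_device_name(component):
    """Return the device a single path component resolves to, or None.

    Win32 strips trailing dots and spaces, keeps the text before the first
    '.' or ':', then strips spaces again, so 'com1', 'COM1.txt' and
    'com1 .log' all hit COM1 while 'com10' and 'cox1' are ordinary names.
    """
    head = re.split(r"[.:]", component.rstrip(" ."), maxsplit=1)[0]
    name = head.rstrip(" ").upper()
    return name if name in DEVICE_NAMES else None


def reserved_components(path):
    """Return (index, component, device) for each reserved path component.

    '/' is accepted as well as '\\' because FTP clients send '/' and the
    server maps it onto the NTFS tree.
    """
    hits = []
    for index, part in enumerate(path.replace("/", "\\").split("\\")):
        device = reserved_device_name(part)
        if device is not None:
            hits.append((index, part, device))
    return hits


def extended_length_path(path):
    """Prefix an absolute Windows path with '\\\\?\\'.

    Microsoft documents that prefix as disabling Win32 path parsing, which
    is where the device-name check lives; the thread's fix used the related
    '\\\\.\\' device-namespace prefix. UNC paths become
    '\\\\?\\UNC\\server\\share\\...'. Already-prefixed paths are returned as-is.
    """
    p = path.replace("/", "\\")
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        return p
    if p.startswith("\\\\"):
        return "\\\\?\\UNC\\" + p[2:]
    if len(p) < 3 or not p[0].isalpha() or p[1] != ":" or p[2] != "\\":
        raise ValueError(f"need an absolute drive-letter or UNC path: {path!r}")
    return "\\\\?\\" + p


def remove_reserved_tree(path):
    """Delete a tree that a plain 'rmdir /s' rejects. Windows only: shutil
    accepts extended-length paths there (assumption, not exercised here)."""
    if os.name != "nt":
        raise OSError("extended-length paths only apply on Windows")
    shutil.rmtree(extended_length_path(path))


if __name__ == "__main__":
    for index, part, device in reserved_components(SAMPLE_PATH):
        print(f"component {index} {part!r} resolves to device {device}")
    print("delete with:", extended_length_path(SAMPLE_PATH))
```

Run reserved_components over the names an anonymous-upload area receives (or over a directory listing of one after the fact): anything it reports will need the prefixed path, or the wildcard rename the thread also suggests, before ordinary tools can touch it, and rejecting such names at upload time is cheaper than cleaning them up later.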