[Dshield] IIS hacked - help????

Brent Wrisley bwrisley at UU.NET
Sun Nov 25 16:02:45 GMT 2001


Steve,

Sorry, I don't know much about that exploit, but (as I am sure others will say) your best bet to 'get control of IIS back' is to get that box offline, wipe it clean and reinstall from your most recent b/u.  Having said that, I would be interested in hearing others diagnose what has happened to your IIS box.


On 25/11/01 06:37 -0800, Steve Simek wrote:
:Major screwup on my part - any help out there?
:
:Purposely opened my FTP to anon for an hour to get around a security
:problem I was having with IIS access, but was hacked fast
:
:Symptoms.
:1. "Tagged.com2" directory, files with reserved file names - RM.exe per
:Microsoft KB is ineffective, since the com2 directory keeps coming up
:invalid. Can't clear it thru DOS or Windows UI.
:2. I get "error 5, access denied" when trying to stop IIS admin, ftp or WWW
:service. I also get access denied trying to access the msftpsvc1 dir on
:winnt\system32\logfiles.
:
:I've seen good answers to similar hacks here before, anyone know what
:they've changed on me on how I get control of IIS back?
:
:Steve



Brent Wrisley               
--------------------
2FB6 85AD 7084 80A0 8381  C116 CDE5 78B5 E959 C536
PGP Key ID: 0xE959C536  (us.pgp.net)
