[Dshield] IIS hacked - help????

Sean Graham seangra at yahoo.com
Sun Nov 25 19:44:51 GMT 2001


First of all, can you disconnect the machine from the network?

I don't know if rebooting is a good idea, but if you can do that, go into a 
recovery console and see if you can delete the files/directories from 
there, or at the very least rename them.  Set the IIS service to "manual" 
for bootup so you can reboot without it running to finish cleaning up the 
mess.  You might need to change the policies for recovery console to allow 
you to access all files/directories, as by default you can't do that.

And by DOS you mean "cmd.exe" or actually via Windows 98 or something?

Is the user that you're using to change these things still an administrator?

Right click on the directories that you can't get access to and change the 
security permissions.  If you are still an administrator you can do that.

Good luck.

-- Sean

At 06:37 AM 11/25/2001 -0800, you wrote:
>Major screwup on my part - any help out there?
>
>Purposely opened my FTP to anon for an hour to get around a security
>problem I was having with IIS access, but was hacked fast.
>
>Symptoms.
>1. "Tagged.com2" directory, files with reserved file names - RM.exe per
>Microsoft KB is ineffective, since the com2 directory keeps coming up
>invalid. Can't clear it thru DOS or Windows UI.
>2. I get "error 5, access denied" when trying to stop IIS admin, ftp or WWW
>service. I also get access denied trying to access the msftpsvc1 dir on
>winnt\system32\logfiles.
>
>I've seen good answers to similar hacks here before, anyone know what
>they've changed on me or how I get control of IIS back?
>
>Steve