[Dshield] IIS hacked - help????
jsage at finchhaven.com
Sun Nov 25 21:13:49 GMT 2001
A Google search for "tagged.com2" brings up only a few hits, the
relevant ones seeming to be warez sites or warez indexes.
A specific example:
When you bring up this page, it seems to be listing warez offerings and
the ftp: url that the files are located at.
When you look at some of these URLs, you see something like this:
"ftp://220.127.116.11 / /COM1 /<8>Tagged/COM2 /<8>CoLDBuRn/COM3 /<8>HeRe/"
At any rate, there may be a number of spaces in the directory name that
prevent you from deleting it specifically.
Get the box offline, wipe, re-install..
Steve Simek wrote:
> Major screwup on my part - any help out there?
> Purposely opened my FTP to anon for an hour to get around a security
> problem I was having with IIS access, but was hacked fast.
> 1. "Tagged.com2" directory, files with reserved file names - RM.exe per
> Microsoft KB is ineffective, since the com2 directory keeps coming up
> invalid. Can't clear it thru DOS or Windows UI.
> 2. I get "error 5, access denied" when trying to stop IIS admin, ftp or WWW
> service. I also get access denied trying to access the msftpsvc1 dir on
> I've seen good answers to similar hacks here before, anyone know what
> they've changed on me on how I get control of IIS back?
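Added example, not part of the original messages: a Python check that flags path components like those in the listing quoted in the reply, which ordinary Win32 tools cannot address because trailing spaces and dots are stripped and COM1-style device names are reserved. The function names are hypothetical, the sample path is the one from the reply, and the control-character check goes beyond what the thread mentions.

```python
# Win32 reserved device names, as documented by Microsoft.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Path portion of the FTP URL quoted in the reply above.
SAMPLE_PATH = "/ /COM1 /<8>Tagged/COM2 /<8>CoLDBuRn/COM3 /<8>HeRe/"


def classify(name):
    """Return the reasons one path component is hard to handle on Win32."""
    reasons = []
    if name != name.strip(" "):
        reasons.append("leading or trailing space")
    if name and name.strip(" ") == "":
        reasons.append("whitespace-only name")
    # Characters 0-31 are not valid in Win32 file names.
    if any(ord(ch) < 32 for ch in name):
        reasons.append("control character")
    # Win32 normalisation drops trailing spaces and dots, then treats the
    # part before the first dot as the device name (NUL.txt is still NUL).
    base = name.rstrip(" .").split(".", 1)[0].upper()
    if base in RESERVED:
        reasons.append(f"reserved device name {base}")
    return reasons


def audit_path(path):
    """Return (component, reasons) for every flagged component of a path."""
    flagged = []
    for component in path.split("/"):
        if component == "":
            continue  # empty pieces come from leading/trailing/double slashes
        reasons = classify(component)
        if reasons:
            flagged.append((component, reasons))
    return flagged


if __name__ == "__main__":
    for component, reasons in audit_path(SAMPLE_PATH):
        print(repr(component), "->", ", ".join(reasons))
```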