[Dshield] IIS hacked - help????

John Sage jsage at finchhaven.com
Sun Nov 25 21:13:49 GMT 2001


Steve:

A Google search for "tagged.com2" brings up only a few hits, the
relevant ones seeming to be warez sites or warez indexes.

A specific example:

http://www.iespana.es/laguiawarez/ftp/Warez/Warez.htm

When you bring up this page, it seems to be listing warez offerings and
the ftp: URL that the files are located at.

When you look at some of these URLs, you see something like this:

"ftp://209.164.44.17 / /COM1 /<8>Tagged/COM2 /<8>CoLDBuRn/COM3 /<8>HeRe/"

and another:

"ftp://208.133.24.10/_vti_pvt/.<17spc>Tagged<8spc>~/prn<1spc>/.<3spc>FXP<5spc>By/---===<1spc>@@<1spc>ArkAoS<1spc>@@<1spc>===---/"



At any rate, there may be a number of spaces in the directory name that 
prevents you from deleting it specifically.

Get the box offline, wipe, re-install.

Best wishes.

- John


Steve Simek wrote:

> Major screwup on my part - any help out there?
> 
> Purposely opened my FTP to anon for an hour to get around a security
> problem I was having with IIS access, but was hacked fast.
> 
> Symptoms.
> 1. "Tagged.com2" directory, files with reserved file names - RM.exe per
> Microsoft KB is ineffective, since the com2 directory keeps coming up
> invalid. Can't clear it through DOS or the Windows UI.
> 2. I get "error 5, access denied" when trying to stop IIS admin, ftp or WWW
> service. I also get access denied trying to access the msftpsvc1 dir on
> winnt\system32\logfiles.
> 
> I've seen good answers to similar hacks here before. Anyone know what
> they've changed on me, or how I get control of IIS back?
> 
> Steve
> 

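The thread above turns on one mechanism: the warez "taggers" create directory names that the ordinary Win32 path parser refuses to touch (reserved device names such as COM1, COM2 or PRN, and names padded with leading or trailing spaces), so Explorer, cmd and the KB's RM.exe all fail. The script below is an added example, not code from the list or from either poster: it walks an FTP root, flags every entry whose name hits one of those rules, and removes them through the `\\?\` extended-length path prefix, which hands the name to NTFS verbatim and skips both the device-name lookup and the trailing-space stripping. The sample tree it builds is constructed from the directory components quoted in the URLs above (space counts taken from the `<8>` / `<8spc>` notation); the `\\?\` branch is only exercised on Windows, on POSIX the same names are simply ordinary names and the scan logic runs as-is.

```python
r"""Find, and on Windows remove, FTP-root entries whose names defeat the
ordinary Win32 path parser: reserved device names (COM2, PRN, ...) and
names padded with leading/trailing spaces or dots.  Added example; the
sample tree below is constructed, not taken from a real server."""
import ntpath
import os
import shutil
import tempfile

# Basenames Win32 reserves as device names.  The lookup ignores any
# extension and trailing spaces, so "COM2 ", "com2" and "COM2.txt" all
# resolve to the device instead of the directory.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def why_unremovable(name):
    """Reasons a single path component cannot be deleted with plain
    Explorer/cmd commands (empty list means the name looks normal)."""
    reasons = []
    if name != name.rstrip(" ."):
        reasons.append("trailing spaces/dots that the path parser strips")
    if name.startswith(" "):
        reasons.append("leading spaces, invisible in most listings")
    stem = name.rstrip(" ").split(".", 1)[0].upper()
    if stem in RESERVED_DEVICE_NAMES:
        reasons.append(f"reserved device name {stem}")
    return reasons


def extended_path(path):
    r"""Prefix an absolute Windows path with \\?\ so it reaches NTFS
    verbatim: no device-name lookup, no trailing-space/dot stripping.
    This is what makes  rd "\\?\C:\inetpub\ftproot\COM2 "  work."""
    if path.startswith("\\\\?\\"):
        return path
    if not ntpath.isabs(path):
        raise ValueError(f"extended-length paths must be absolute: {path!r}")
    return "\\\\?\\" + path


def _native(path):
    """Windows needs the extended-length form to touch these names;
    POSIX filesystems accept them directly."""
    return extended_path(path) if os.name == "nt" else path


def scan_tree(root):
    """Return [(full_path, reasons)] for every suspicious entry under root,
    children before parents so the list can be deleted in order."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(_native(root), topdown=False):
        for name in dirnames + filenames:
            reasons = why_unremovable(name)
            if reasons:
                findings.append((os.path.join(dirpath, name), reasons))
    return findings


def remove_entry(path, dry_run=True):
    """Delete one flagged entry (dry run by default).  On Windows the
    extended-length form is what lets the delete succeed at all."""
    target = _native(path)
    if dry_run:
        return f"would remove {path!r}"
    if os.path.isdir(target) and not os.path.islink(target):
        shutil.rmtree(target)
    else:
        os.remove(target)
    return f"removed {path!r}"


# Constructed look-alikes of the tagged directories quoted in the mail.
DEMO_TREE = [
    ("COM1 ", " " * 8 + "Tagged"),
    ("COM2 ", " " * 8 + "CoLDBuRn"),
    ("_vti_pvt", "prn ", ".   FXP     By"),
    ("Warez",),
]


def build_demo_tree():
    """Create a throwaway 'ftproot' holding DEMO_TREE; returns its path."""
    root = tempfile.mkdtemp(prefix="ftproot-")
    for parts in DEMO_TREE:
        os.makedirs(_native(os.path.join(root, *parts)))
    return root


def demo():
    """Build the tree, scan it, remove what was flagged, rescan.
    Returns (sorted flagged basenames, findings left after cleanup)."""
    root = build_demo_tree()
    try:
        findings = scan_tree(root)
        flagged = sorted(os.path.basename(p) for p, _ in findings)
        for path, _ in findings:
            remove_entry(path, dry_run=False)
        leftover = scan_tree(root)
    finally:
        shutil.rmtree(_native(root))
    return flagged, leftover


if __name__ == "__main__":
    flagged, leftover = demo()
    print("flagged:", flagged)
    print("left after cleanup:", leftover)
```

Run it against a real root as `scan_tree(r"C:\inetpub\ftproot")` first and only switch `remove_entry` off dry-run once the list looks right; the reason strings tell you which rule each name tripped. Note that this only addresses the undeletable directories, it does nothing about the "access denied" on the IIS services and log directory, which points at a permissions change the scan cannot see.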