[Dshield] IIS hacked - help????

John Sage jsage at finchhaven.com
Sun Nov 25 21:13:49 GMT 2001


A Google search for "tagged.com2" brings up only a few hits, the 
relevant ones seeming to be warez sites or warez indexes.

A specific example:


When you bring up this page, it seems to be listing warez offerings and 
the ftp: URL that the files are located at.

When you look at some of these URLs, you see something like this:

" / /COM1 /<8>Tagged/COM2 /<8>CoLDBuRn/COM3 /<8>HeRe/"

and another:


At any rate, there may be a number of spaces in the directory name that 
prevent you from deleting it specifically.

Get the box offline, wipe, re-install..

Best wishes.

- John

Steve Simek wrote:

> Major screwup on my part - any help out there?
> Purposely opened my FTP to anon for an hour to get around a security
> problem I was having with IIS access, but was hacked fast.
> Symptoms.
> 1. "Tagged.com2" directory, files with reserved file names - RM.exe per
> Microsoft KB is ineffective, since the com2 directory keeps coming up
> invalid. Can't clear it thru DOS or Windows UI.
> 2. I get "error 5, access denied" when trying to stop IIS admin, ftp or WWW
> service. I also get access denied trying to access the msftpsvc1 dir on
> winnt\system32\logfiles.
> I've seen good answers to similar hacks here before, anyone know what
> they've changed on me or how I get control of IIS back?
> Steve
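
Added example, not part of either poster's message: a Python check that flags the kind of directory names shown in the ftp: URL above (whitespace-only names, trailing spaces, reserved DOS device names such as COM1) and builds the `\\?\` form of a path, which Win32 hands to the filesystem without name parsing. The function names and the root directory passed to `extended_path` are assumptions; the sample string is the path quoted in the message, with `<8>` kept as it appears there.

```python
import re

# Win32 reserved device names, matched case-insensitively.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$", re.IGNORECASE)

# Path quoted in the message above, copied as it appears there.
SAMPLE = " / /COM1 /<8>Tagged/COM2 /<8>CoLDBuRn/COM3 /<8>HeRe/"

def split_path(path):
    """Split on / or \\ and drop empty pieces; spaces are kept untouched."""
    return [p for p in re.split(r"[\\/]", path) if p != ""]

def check_component(name):
    """Return the reasons the normal Win32 API cannot address this name."""
    reasons = []
    if name.strip(" ") == "":
        reasons.append("whitespace-only")
    elif name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    # Win32 drops trailing spaces/dots and ignores any extension
    # before comparing against the device names.
    base = name.rstrip(" .").split(".", 1)[0].rstrip(" ")
    if RESERVED.match(base):
        reasons.append("reserved device name")
    return reasons

def audit_path(path):
    """Return [(component, reasons)] for every flagged component."""
    findings = []
    for comp in split_path(path):
        reasons = check_component(comp)
        if reasons:
            findings.append((comp, reasons))
    return findings

def extended_path(root, rel):
    r"""Build the \\?\ form of root + rel for use with rd/del."""
    return "\\\\?\\" + root.rstrip("\\") + "\\" + "\\".join(split_path(rel))

if __name__ == "__main__":
    for comp, reasons in audit_path(SAMPLE):
        print(repr(comp), "->", ", ".join(reasons))
```
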
