[Dshield] IIS hacked - help????

Gasper, Rick rjgasper at kings.edu
Mon Nov 26 14:33:34 GMT 2001


You need to search Microsoft's TechNet for COM1.

There is a way to remove those tagged files by using POSIX (rm and
rmdir) commands. These are included in the resource kit. I don't have
web access to look up the article now, but you can remove those files.


Let me know if you need the files,


Rick Gasper
Manager of Network Services
King's College
Wilkes-Barre PA 18711
Phone (570)-208-5845
Fax     (570)-208-5989
email:  rjgasper at kings.edu



-----Original Message-----
From: Steve Simek [mailto:ssimek at captivasoftware.com] 
Sent: Sunday, November 25, 2001 9:37 AM
To: 'dshield at dshield.org'
Subject: [Dshield] IIS hacked - help????


Major screwup on my part - any help out there?

Purposely opened my FTP to anon for an hour to get around a security
problem I was having with IIS access, but was hacked fast.

Symptoms.
1. "Tagged.com2" directory, files with reserved file names - RM.exe per
Microsoft KB is ineffective, since the com2 directory keeps coming up
invalid. Can't clear it thru DOS or Windows UI.
2. I get "error 5, access denied" when trying to stop IIS admin, ftp or
WWW service. I also get access denied trying to access the msftpsvc1 dir
on winnt\system32\logfiles.

I've seen good answers to similar hacks here before, anyone know what
they've changed on me or how I get control of IIS back?

Steve

