[Dshield] IIS hacked - help????

Gasper, Rick rjgasper at kings.edu
Mon Nov 26 14:40:54 GMT 2001

One other thing, to remove those files, I had to copy rm to the
directory level above the hacked file names.


Rick Gasper
Manager of Network Services
King's College
Wilkes-Barre PA 18711
Phone (570)-208-5845
Fax     (570)-208-5989
email:  rjgasper at kings.edu

-----Original Message-----
From: Steve Simek [mailto:ssimek at captivasoftware.com] 
Sent: Sunday, November 25, 2001 9:37 AM
To: 'dshield at dshield.org'
Subject: [Dshield] IIS hacked - help????

Major screwup on my part - any help out there?

Purposely opened my FTP to anon for an hour to get around a security
problem I was having with IIS access, but was hacked fast.

1. "Tagged.com2" directory, files with reserved file names - RM.exe per
Microsoft KB is ineffective, since the com2 directory keeps coming up
invalid. Can't clear it thru DOS or Windows UI.

2. I get "error 5, access denied" when trying to stop IIS admin, ftp or
WWW service. I also get access denied trying to access the msftpsvc1
dir on
I've seen good answers to similar hacks here before, anyone know what
they've changed on me on how I get control of IIS back?

