[Dshield] IIS hacked - help????

Keith Smith keith.smith at keiths-place.com
Mon Nov 26 15:14:45 GMT 2001


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Major screwup on my part - any help out there?
> 
> Purposely opened my FTP to anon for an hour to get a round a
> security problem I was having with IIS access, but was hacked fast
> 
> Symptoms.
> 1. "Tagged.com2" directory, files with reserved file names - 
> RM.exe per


What follows is a repost of a resolution from early in the month...

Hope it helps.

Regards,
Keith.


- --------------------


From:	dshield-admin at dshield.org on behalf of DAS [dastoltz at epix.net]
Sent:	Sunday, November 04, 2001 2:08 AM
To:	dshield at dshield.org
Subject:	RE: [Dshield] I've been hacked

This is what finally worked:
 
rmdir \\.\c:\inetpub\ftproot /s
 
Thanks for all the help!

- -----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
Behalf Of Tom Sevy
Sent: Saturday, November 03, 2001 4:05 PM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] I've been hacked


Try this:
 
ren co?1 cox1
 
 

- -----Original Message-----
From: DAS [mailto:dastoltz at epix.net]
Sent: Saturday, November 03, 2001 9:51 AM
To: dshield at dshield.org
Subject: [Dshield] I've been hacked


 
This question has been dicussed and answered here already, but I'm
still having a problem.
 
I was also hacked, and the following directory was placed on my
server:
 
c:\inetpub\ftproot\0200~\~~tagged and scanned~~\by\com1
 
I did a DIR /X and the com1 directory name does NOT change.
 
So I tried the following:
 
rmdir /s com1
 
But no matter how I try to delete the com1 directory, I get this
error:
 
"The Directory name is invalid"
 
I don't know what else to try.
 
Any Advice?
 
Thanks-


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPAJcZL0tREWslyrAEQJfBgCcCXCBHao8NHr0PZlz0wHHVcw6DgsAn2RQ
k1D1Kj5STQ3vDkqpCu4BNvIg
=yGpP
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 1028 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20011126/f87e013f/winmail.bin


More information about the list mailing list