[Dshield] IIS hacked - help????

Keith Smith keith.smith at keiths-place.com
Mon Nov 26 15:14:45 GMT 2001


> Major screwup on my part - any help out there?
> Purposely opened my FTP to anon for an hour to get around a
> security problem I was having with IIS access, but was hacked fast
> Symptoms.
> 1. "Tagged.com2" directory, files with reserved file names - 
> RM.exe per

What follows is a repost of a resolution from early in the month...

Hope it helps.


--------------------

From:	dshield-admin at dshield.org on behalf of DAS [dastoltz at epix.net]
Sent:	Sunday, November 04, 2001 2:08 AM
To:	dshield at dshield.org
Subject:	RE: [Dshield] I've been hacked

This is what finally worked:
rmdir \\.\c:\inetpub\ftproot /s
Thanks for all the help!

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
Behalf Of Tom Sevy
Sent: Saturday, November 03, 2001 4:05 PM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] I've been hacked

Try this:
ren co?1 cox1

-----Original Message-----
From: DAS [mailto:dastoltz at epix.net]
Sent: Saturday, November 03, 2001 9:51 AM
To: dshield at dshield.org
Subject: [Dshield] I've been hacked

This question has been discussed and answered here already, but I'm
still having a problem.
I was also hacked, and the following directory was placed on my
c:\inetpub\ftproot\0200~\~~tagged and scanned~~\by\com1
I did a DIR /X and the com1 directory name does NOT change.
So I tried the following:
rmdir /s com1
But no matter how I try to delete the com1 directory, I get this
"The Directory name is invalid"
I don't know what else to try.
Any Advice?

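Added example, not part of the original thread: the Python sketch below scans a listing of paths for components that collide with reserved DOS device names, such as the com1 directory above, and builds the \\.\-prefixed form of the path that the working rmdir command in the thread relied on. The function names, the sample listing (apart from its first path), and the rule that a trailing extension or trailing dots/spaces do not stop a name from being reserved are assumptions of the example, based on classic Win32 name handling.

```python
# Added example (not from the thread): find path components that collide
# with reserved DOS device names, like the "com1" directory discussed above.
from pathlib import PureWindowsPath

# Classic Win32 reserved device names, compared case-insensitively.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}

def reserved_component(name):
    """Return the device name that `name` collides with, or None."""
    # Assumption: as in classic Win32 name handling, trailing dots/spaces
    # and anything after the first dot are ignored ("LPT3.zip" -> LPT3).
    stem = name.rstrip(" .").split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED else None

def device_namespace_path(path):
    r"""Prefix a drive path with \\.\ as the working rmdir in the thread did."""
    return "\\\\.\\" + str(PureWindowsPath(path))

def find_reserved(paths):
    """Return (path, component, device, prefixed_path) for each collision."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        parts = p.parts[1:] if p.anchor else p.parts  # skip the "c:\" anchor
        for i, part in enumerate(parts):
            device = reserved_component(part)
            if device:
                # Report the path up to and including the offending component.
                upto = PureWindowsPath(p.anchor, *parts[:i + 1])
                hits.append((raw, part, device, device_namespace_path(upto)))
    return hits

# Constructed listing: the first path is the one quoted in the thread,
# the rest are made-up entries for contrast.
SAMPLE = [
    r"c:\inetpub\ftproot\0200~\~~tagged and scanned~~\by\com1",
    r"c:\inetpub\ftproot\pub\readme.txt",
    r"c:\inetpub\ftproot\incoming\LPT3.zip",
    r"c:\inetpub\ftproot\incoming\console\notes.txt",
    r"c:\inetpub\ftproot\incoming\nul\x\a.bin",
]

if __name__ == "__main__":
    for raw, part, device, prefixed in find_reserved(SAMPLE):
        print(f"{part!r} collides with {device}: {prefixed}")
```

Names such as "console" or "com10" are not flagged, because only the exact device names are reserved.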

