[Dshield] IIS hacked - help????

Gasper, Rick rjgasper at kings.edu
Mon Nov 26 17:16:02 GMT 2001


While I agree that it is possible that a root kit could have been
installed and that a compromised machine should be formatted and
reinstalled, I don't think the machine was truly compromised. I have
seen this attack before. What it comes down to is a script kiddie that
uses an anonymous ftp server as a warez server.


Here is the link that explains how to do it:

http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt

Bottom line: 
If you open an anonymous ftp server on IIS and the kiddies find it, then
you will end up with a bunch of warez.


Rick


-----Original Message-----
From: Mrcorp [mailto:mrcorp at yahoo.com] 
Sent: Monday, November 26, 2001 11:02 AM
To: dshield at dshield.org
Subject: RE: [Dshield] IIS hacked - help????


In a situation like this, and a possibility of a rootkit, your best
solution is just to reformat and install your OS fresh.  This may be a
little work, but may save you a lot of time and troubleshooting later
on.

Mrcorp

--- "Gasper, Rick" <rjgasper at kings.edu> wrote:
> One other thing, to remove those files, I had to copy rm to the
> directory level above the hacked file names.
> 
> 
> Hth
> 
> Rick Gasper
> Manager of Network Services
> King's College
> Wilkes-Barre PA 18711
> Phone (570)-208-5845
> Fax     (570)-208-5989
> email:  rjgasper at kings.edu
> 
> -----Original Message-----
> From: Steve Simek [mailto:ssimek at captivasoftware.com]
> Sent: Sunday, November 25, 2001 9:37 AM
> To: 'dshield at dshield.org'
> Subject: [Dshield] IIS hacked - help????
> 
> 
> Major screwup on my part - any help out there?
> 
> Purposely opened my FTP to anon for an hour to get around a security
> problem I was having with IIS access, but was hacked fast.
> 
> Symptoms.
> 1. "Tagged.com2" directory, files with reserved file names - RM.exe
> per Microsoft KB is ineffective, since the com2 directory keeps coming
> up invalid. Can't clear it thru DOS or Windows UI.
> 2. I get "error 5, access denied" when trying to stop IIS admin, ftp
> or WWW service. I also get access denied trying to access the
> msftpsvc1 dir on winnt\system32\logfiles.
> 
> I've seen good answers to similar hacks here before, anyone know what
> they've changed on me or how I get control of IIS back?
> 
> Steve
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www1.dshield.org/mailman/listinfo/dshield

