[Dshield] IIS hacked - help????

Mrcorp mrcorp at yahoo.com
Mon Nov 26 18:29:12 GMT 2001


Rick,

I don't mean to sound like a script kiddie, but the simple fact is, you don't think the machine is
rooted.  In my line of work, we never take chances with thinking a system is secure.  We go on
fact and history, and history shows that a machine that has been compromised in a certain way may
have been rooted.  

Let me give you an example: when I left my last company, the new administrator removed the
firewall and left directories much like the ones described here, with many games on the server. 
The server ran out of space.  The admin cleaned it up, changed the passwords, and about a week
later those same directories appeared again.  He rebuilt the server and has had no problems since.  

The bottom line is, if we are not sure, then we have to assume the worst.  But that's my experience
in the high production of financial companies.  At the same time, if we are talking about a home
machine, or a machine that isn't a threat if it's rooted or doesn't hold confidential
information, then your suggestions may be acceptable.

Simply put, in a security engineer's mind, we have to be sure.  And thinking, no offense, isn't a
sure answer; we have to be 100% sure and safe.

Mrcorp

--- "Gasper, Rick" <rjgasper at kings.edu> wrote:
> While I agree that it is possible that a root kit could have been
> installed and that a compromised machine should be formatted and
> reinstalled, I don't think the machine was truly compromised. I have
> seen this attack before. What it comes down to is a script kiddie that
> uses an anonymous ftp server as a warez server.
> 
> 
> Here is the link that explains how to do it:
> 
> http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt
> 
> Bottom line: 
> If you open an anonymous ftp server on IIS and the kiddies find it, then
> you will end up with a bunch of warez.
> 
> 
> Rick
> 
> 
> -----Original Message-----
> From: Mrcorp [mailto:mrcorp at yahoo.com] 
> Sent: Monday, November 26, 2001 11:02 AM
> To: dshield at dshield.org
> Subject: RE: [Dshield] IIS hacked - help????
> 
> 
> In a situation like this, with the possibility of a rootkit, your best
> solution is just to reformat and install your OS fresh.  This may be a
> little work, but it may save you a lot of time and troubleshooting later
> on.
> 
> Mrcorp
> 
> --- "Gasper, Rick" <rjgasper at kings.edu> wrote:
> > One other thing: to remove those files, I had to copy rm to the
> > directory level above the hacked file names.
> > 
> > 
> > Hth
> > 
> > Rick Gasper
> > Manager of Network Services
> > King's College
> > Wilkes-Barre PA 18711
> > Phone (570)-208-5845
> > Fax     (570)-208-5989
> > email:  rjgasper at kings.edu
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: Steve Simek [mailto:ssimek at captivasoftware.com]
> > Sent: Sunday, November 25, 2001 9:37 AM
> > To: 'dshield at dshield.org'
> > Subject: [Dshield] IIS hacked - help????
> > 
> > 
> > Major screwup on my part - any help out there?
> > 
> > Purposely opened my FTP to anon for an hour to get around a security
> > problem I was having with IIS access, but was hacked fast.
> > 
> > Symptoms:
> > 1. "Tagged.com2" directory, files with reserved file names. RM.exe
> > per Microsoft KB is ineffective, since the com2 directory keeps coming
> > up invalid. Can't clear it thru DOS or Windows UI.
> > 2. I get "error 5, access denied" when trying to stop IIS admin, ftp
> > or WWW service. I also get access denied trying to access the
> > msftpsvc1 dir on winnt\system32\logfiles.
> > 
> > I've seen good answers to similar hacks here before, anyone know what 
> > they've changed on me on how I get control of IIS back?
> > 
> > Steve
> > 
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: 
> > http://www1.dshield.org/mailman/listinfo/dshield
> > 
> 
> 
> 


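Steve's first symptom, a directory tree built from reserved Win32 device names (com2, lpt1, nul, ...) that the normal DOS and Explorer tools refuse to touch, is a classic warez-drop trick. The following script is an added illustration for this thread, not code from any of the posters: it walks an FTP root, flags every path component whose stem is a reserved device name, and builds the `\\?\`-prefixed literal path that the Win32 API accepts for such entries (that prefix turns off device-name parsing). The sample walk entries and the root `C:\inetpub\ftproot` are constructed assumptions; the `remove_hits` helper only acts when explicitly told to and only on Windows.

```python
"""Detect and (optionally) clean up reserved-device-name entries under an FTP root.

Added example for the Dshield thread; not the posters' code. Assumes a root such
as C:\\inetpub\\ftproot and that Win32 honours the \\?\ prefix for literal paths.
"""
import ntpath
import os
import sys

# Reserved device names from the Win32 file-naming rules (case-insensitive).
_DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                 | {f"COM{i}" for i in range(1, 10)}
                 | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_name(name: str) -> bool:
    """True if Win32 would treat this path component as a device.

    Win32 looks only at the part before the first dot and ignores trailing
    spaces and dots, so "com2", "COM2.", "com2 " and "nul.txt" all qualify.
    "Tagged.com2" does not: its stem is "Tagged".
    """
    stem = name.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in _DEVICE_NAMES


def literal_path(root: str, rel: str) -> str:
    """Return the \\?\-prefixed absolute path for rel under root."""
    return "\\\\?\\" + ntpath.join(root, rel)


def scan_entries(root: str, walk_entries) -> list:
    """Inspect (dirpath, dirnames, filenames) tuples shaped like os.walk output,
    with dirpath relative to root, and return one dict per reserved-name hit."""
    hits = []
    for dirpath, dirnames, filenames in walk_entries:
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            if is_reserved_name(name):
                rel = ntpath.join(dirpath, name) if dirpath else name
                hits.append({"rel": rel, "literal": literal_path(root, rel), "is_dir": is_dir})
    return hits


def removal_commands(hits: list) -> list:
    """cmd.exe one-liners an operator can review before running them."""
    return [('rd /s /q "%s"' if h["is_dir"] else 'del /f "%s"') % h["literal"] for h in hits]


def remove_hits(hits: list, apply: bool = False) -> list:
    """Remove hits via the literal path; a dry run unless apply=True on Windows."""
    done = []
    for h in hits:
        if apply and sys.platform == "win32":
            (os.rmdir if h["is_dir"] else os.remove)(h["literal"])
            done.append(h["rel"])
    return done


# Constructed sample walk, modelled on the symptoms in the thread.
SAMPLE_ROOT = r"C:\inetpub\ftproot"
SAMPLE_WALK = [
    ("", ["pub", "Tagged.com2", "com2 "], ["readme.txt"]),
    ("Tagged.com2", ["lpt1", "games"], ["nul.txt", "index.html"]),
]


def sample_hits() -> list:
    return scan_entries(SAMPLE_ROOT, SAMPLE_WALK)


if __name__ == "__main__":
    for cmd in removal_commands(sample_hits()):
        print(cmd)
```

On a live box, replace `SAMPLE_WALK` with `os.walk(root)` (converting each dirpath to a root-relative one) and review the printed commands before running anything, because the same trick is often combined with altered ACLs and, as the thread argues, a possible rootkit that a cleanup alone will not address.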



