[Dshield] IIS hacked - help????

Gasper, Rick rjgasper at kings.edu
Tue Nov 27 01:27:22 GMT 2001


I understand where you are coming from, and I agree 1000%: a box that
may be compromised should be rebuilt.
 
What I am saying in this one case is that because an admin was sloppy
(I had the same problem!!!) the kiddies took advantage of an open FTP.
They made it difficult to remove the files. In this one case I would not
rebuild the server but simply delete the files and close the open FTP.
In my case the box wasn't compromised.
 
I hope you understand where I come from; this thing happens all the time
here. The comp sci students try to hack a box and I try to stop them.
The first time they did this, I did format and reinstall. Then I got
wise and watched over their shoulders, literally. I did try to test
this and compromise a box; the only time I was successful was when some
other hole was in place.
 
Rick Gasper
Manager of Network Services
King's College
Wilkes-Barre PA 18711
Phone (570)-208-5845
Fax (570)-208-5989
email: rjgasper at kings.edu
 
 

	-----Original Message----- 
	From: Mrcorp 
	Sent: Mon 11/26/2001 1:29 PM 
	To: dshield at dshield.org 
	Cc: 
	Subject: RE: [Dshield] IIS hacked - help????
	
	

	Rick,
	
	I don't mean to sound like a script kiddie, but the simple fact
	is, you don't think the machine is rooted. In my line of work, we
	never take chances with thinking a system is secure. We go on fact
	and history, and history shows that a machine that has been
	compromised in a certain way may have been rooted.
	
	Let me give you an example. When I left my last company, the new
	administrator removed the firewall and left directories much like
	the ones described here with many games on the server. The server
	ran out of space. The admin cleaned it up, changed the passwords,
	and about a week later those same directories appeared again. He
	rebuilt the server and has had no problems since.
	
	The bottom line is, if we are not sure, then we have to assume
	the worst. But that's my experience in high-production financial
	companies. At the same time, if we are talking about a home
	machine or a machine that, if compromised, isn't a threat if it's
	rooted or doesn't hold confidential information, then your
	suggestions may be acceptable.
	
	Simply put, in a security engineer's mind, we have to be sure.
	And thinking, no offense, isn't a sure answer; we have to be 100%
	sure and safe.
	
	Mrcorp
	
	--- "Gasper, Rick" <rjgasper at kings.edu> wrote:
	> While I agree that it is possible that a root kit could have
	> been installed and that a compromised machine should be
	> formatted and reinstalled, I don't think the machine was truly
	> compromised. I have seen this attack before. What it comes down
	> to is a script kiddie that uses an anonymous ftp server as a
	> warez server.
	>
	>
	> Here is the link that explains how to do it:
	>
	> http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt
	>
	> Bottom line:
	> If you open an anonymous ftp server on IIS and the kiddies
	> find it, then you will end up with a bunch of warez.
	>
	>
	> Rick
	>
	>
	> -----Original Message-----
	> From: Mrcorp [mailto:mrcorp at yahoo.com]
	> Sent: Monday, November 26, 2001 11:02 AM
	> To: dshield at dshield.org
	> Subject: RE: [Dshield] IIS hacked - help????
	>
	>
	> In a situation like this, and the possibility of a rootkit,
	> your best solution is just to reformat and install your OS
	> fresh. This may be a little work, but may save you a lot of
	> time and troubleshooting later on.
	>
	> Mrcorp
	>
	> --- "Gasper, Rick" <rjgasper at kings.edu> wrote:
	> > One other thing, to remove those files, I had to copy rm to
	> > the directory level above the hacked file names.
	> >
	> >
	> > Hth
	> >
	> > Rick Gasper
	> > Manager of Network Services
	> > King's College
	> > Wilkes-Barre PA 18711
	> > Phone (570)-208-5845
	> > Fax     (570)-208-5989
	> > email:  rjgasper at kings.edu
	> >
	> > -----Original Message-----
	> > From: Steve Simek [mailto:ssimek at captivasoftware.com]
	> > Sent: Sunday, November 25, 2001 9:37 AM
	> > To: 'dshield at dshield.org'
	> > Subject: [Dshield] IIS hacked - help????
	> >
	> >
	> > Major screwup on my part - any help out there?
	> >
	> > Purposely opened my FTP to anon for an hour to get around a
	> > security problem I was having with IIS access, but was hacked
	> > fast.
	> >
	> > Symptoms:
	> > 1. "Tagged.com2" directory, files with reserved file names.
	> > RM.exe per the Microsoft KB is ineffective, since the com2
	> > directory keeps coming up invalid. Can't clear it through DOS
	> > or the Windows UI.
	> > 2. I get "error 5, access denied" when trying to stop the IIS
	> > admin, ftp or WWW service. I also get access denied trying to
	> > access the msftpsvc1 dir in winnt\system32\logfiles.
	> >
	> > I've seen good answers to similar hacks here before. Anyone
	> > know what they've changed on me, or how I get control of IIS
	> > back?
	> >
	> > Steve
	> >
	> >
	> > _______________________________________________
	> > Dshield mailing list
	> > Dshield at dshield.org
	> > To change your subscription options (or unsubscribe), see:
	> > http://www1.dshield.org/mailman/listinfo/dshield

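The "Tagged.com2" directory Steve describes, and the copied-in rm that Rick used to clear it, are the usual leftovers of a warez drop on an anonymous FTP server: the dropper creates names that are reserved DOS device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension) or that end in a dot or space, which Explorer, del and rd then refuse to open. As an added example, not part of this thread or anyone's post in it, the following PowerShell script finds such entries under an FTP root and removes them through the \\?\ path prefix, which bypasses the Win32 name parsing that rejects them (the \\.\ form given in Microsoft's KB article on removing files with reserved names works the same way). The default root path and the function names are assumptions; run it without -Delete first to see what it would touch.

```powershell
# Added example, not part of the thread above. Finds and (optionally) removes
# warez-dropper entries whose names are reserved DOS device names (CON, PRN, AUX,
# NUL, COM1-9, LPT1-9, also with an extension such as "Tagged.com2") or end in a
# dot or space. del/rd/Explorer refuse such names; the \\?\ prefix skips Win32
# path normalisation so cmd.exe's rd and del can delete them.
# Assumption: $FtpRoot defaults to the stock IIS FTP home; adjust for your site.
param(
    [string]$FtpRoot = 'C:\Inetpub\ftproot',
    [switch]$Delete   # without -Delete the script only reports what it would remove
)

# Windows takes the part before the first dot as the device name, so "Tagged.com2"
# resolves to COM2 and "com1.txt" to COM1.
$reservedRe = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'

function Test-ReservedName {
    param([string]$Name)
    # Trailing dots/spaces are silently stripped by Win32, so a name like "warez."
    # can be created over FTP but not opened by normal tools either.
    return ($Name -imatch $reservedRe) -or ($Name -match '[. ]$')
}

function Get-ReservedEntries {
    param([string]$Root)
    # Enumerate with cmd.exe's dir rather than Get-ChildItem: dir just echoes raw
    # names, whereas building a FileInfo object for a reserved name can fail.
    $dirs  = cmd.exe /c "dir /a:d /b /s `"$Root`" 2>nul"
    $files = cmd.exe /c "dir /a:-d /b /s `"$Root`" 2>nul"
    $found = @()
    foreach ($p in $dirs) {
        if (Test-ReservedName (($p -split '\\')[-1])) { $found += [pscustomobject]@{ Path = $p; IsDir = $true } }
    }
    foreach ($p in $files) {
        if (Test-ReservedName (($p -split '\\')[-1])) { $found += [pscustomobject]@{ Path = $p; IsDir = $false } }
    }
    # Deepest paths first so a child is removed before its parent directory.
    return $found | Sort-Object { $_.Path.Length } -Descending
}

$hits = Get-ReservedEntries $FtpRoot
if (-not $hits) { Write-Host "No reserved-name entries under $FtpRoot"; return }

foreach ($h in $hits) {
    $ext = '\\?\' + $h.Path          # e.g. \\?\C:\Inetpub\ftproot\Tagged.com2
    if (-not $Delete) { Write-Host "Would remove: $ext"; continue }
    if ($h.IsDir) { cmd.exe /c "rd /s /q `"$ext`"" }
    else          { cmd.exe /c "del /f /q /a `"$ext`"" }
}

if ($Delete) {
    # Re-scan rather than trusting rd/del exit codes; anything left is reported.
    $left = Get-ReservedEntries $FtpRoot
    if ($left) { $left | ForEach-Object { Write-Warning "Still present: $($_.Path)" } }
    else       { Write-Host "All reserved-name entries removed; now disable anonymous FTP." }
}
```

Cleaning the directory tree only addresses the warez itself; as the thread's other symptom (access denied stopping the IIS services) shows, whether the host needs a rebuild is a separate question the file cleanup does not answer.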