Security Incidents mailing list archives
RE: MS IIS 5 server is hacked leaving undeletable folders and files
From: "Willsey, Rob (CCI-Omaha)" <Rob.Willsey () cox com>
Date: Thu, 2 Jan 2003 11:33:28 -0600
Try this. NOTE : POSIX commands are case sensitive. Drives and folders are referenced differently than in MS-DOS. Windows 2000 POSIX commands must use the following usage syntax: posix /c <path\command> [<args>] IE: posix /c c:\rm.exe -d AUX. Usage assumes Rm.exe is either in the path, or the current folder: rm -d // driveletter / path using forward slashes / filename For example, to remove a file or folder named COM1 (located at C:\Program Files\Subdir in this example), type the following command: rm -d "//C/Program Files/Subdir/COM1" To remove a folder and its entire contents (C:\Program Files\BadFolder in this example), type the following command: rm -r "//C/Program Files/BadFolder" Another option is to use a syntax that bypasses the normal reserve-word checks altogether. For example, you can possibly delete any file with a command such as: DEL \\.\ driveletter :\ path \ filename For example: DEL \\.\c:\somedir\aux Rob Willsey Hardware and Software Applications Support Cox Communications Omaha, NE 68154 MCSA, MCSE (402)934-0291 -----Original Message----- From: Don Phillipe [mailto:donphillipe () hotmail com] Sent: Tuesday, December 31, 2002 11:05 AM To: incidents () securityfocus com Subject: MS IIS 5 server is hacked leaving undeletable folders and files I have a small server I use for my home business and use it mainly for anyone who needs to send a large file that will not go through email. I have an anonymous UPLOAD FTP account that I open up to receive these. From time to time I forget and leave this open (I know this is stupid but I thought I could just erase anything that was put there because the small drive would fill up real soon). However, I see someone has hacked into my server and put a bunch of trash that I cannot delete because when I try to delete it, Windows 2K says "cannot find the specified file". I have spent 2 days researching this and cannot find any reference of how to correct this. I did find some reference to looking at the security tab for these files but the security tab is missing! I found some tools which are supposed to set owners for files and they don't work on these files. Here is the log from where the hacker attacked below. Any help would be appreciated. I don't want to have to rebuild my server if possible: #Software: Microsoft Internet Information Services 5.0 #Version: 1.0 #Date: 2002-12-30 06:38:21 #Fields: time c-ip cs-method cs-uri-stem sc-status 06:38:21 80.11.214.63 [1]USER anonymous 331 06:38:21 80.11.214.63 [1]PASS anonymous () on the net 230 06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.043 550 06:54:31 80.11.214.63 [1]created rpc-acb.043 226 06:54:32 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg% d%D+/divx/rpc-acb.044 550 07:10:38 80.11.214.63 [1]created rpc-acb.044 226 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- MS IIS 5 server is hacked leaving undeletable folders and files Don Phillipe (Jan 02)
- Re: MS IIS 5 server is hacked leaving undeletable folders and files Duncan Hill (Jan 02)
- RE: MS IIS 5 server is hacked leaving undeletable folders and files Richard Donovan (Jan 02)
- Re: MS IIS 5 server is hacked leaving undeletable folders and files James Turner (Jan 02)
- <Possible follow-ups>
- RE: MS IIS 5 server is hacked leaving undeletable folders and files Willsey, Rob (CCI-Omaha) (Jan 02)