Security Incidents mailing list archives

Re: MS IIS 5 server is hacked leaving undeletable folders and files

From: "James Turner" <jeturner32 () hotmail com>
Date: Thu, 2 Jan 2003 17:41:57 -0000

Don Phillipe <donphillipe () hotmail com> wrote:

I have a small server I use for my home business and use it mainly for
anyone who needs to send a large file that will not go through email.
I have an anonymous UPLOAD FTP account that I open up to receive
these.  From time to time I forget and leave this open (I know this
is stupid but I thought I could just erase anything that was put
there because the small drive would fill up real soon).  However, I
see someone has hacked into my server and put a bunch of trash that I
cannot delete because when I try to delete it, Windows 2K says
"cannot find the specified file".   I have spent 2 days researching
this and cannot find any reference of how to correct this.   I did
find some reference to looking at the security tab for these files
but the security tab is missing!  I found some tools which are
supposed to set owners for files and they don't work on these files.
Here is the log from where the hacker attacked below.  Any help would
be appreciated.  I don't want to have to rebuild my server if
possible:

[log snipped]
How hard did you look? The MS Knowledgebase has several articles on files
that you may have problems deleting, try
http://support.microsoft.com/default.aspx?scid=kb;en-us;320081 or
http://support.microsoft.com/default.aspx?scid=kb;en-us;120716 (both from
http://search.support.microsoft.com/search/default.aspx?Catalog=LCID%3D2057%
26CDID%3DEN-US-KB%26PRODLISTSRC%3DON&withinResults=false&QuerySource=gsfxAdv
ancedSearch_Query&Product=win2000&Queryc=delete+files&Query=delete+files&Key
wordType=ALL&maxResults=150&Titles=false&numDays= )
(watch out for url wrapping)

-- 
James

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

MS IIS 5 server is hacked leaving undeletable folders and files Don Phillipe (Jan 02)
- Re: MS IIS 5 server is hacked leaving undeletable folders and files Duncan Hill (Jan 02)
- RE: MS IIS 5 server is hacked leaving undeletable folders and files Richard Donovan (Jan 02)
- Re: MS IIS 5 server is hacked leaving undeletable folders and files James Turner (Jan 02)
- <Possible follow-ups>
- RE: MS IIS 5 server is hacked leaving undeletable folders and files Willsey, Rob (CCI-Omaha) (Jan 02)