Security Incidents mailing list archives

Thanks everyone! RE: MS IIS 5 server is hacked leaving undeletable folders and files


From: "Don Phillipe" <donphillipe () hotmail com>
Date: Fri, 3 Jan 2003 14:00:34 -0600


Thank you everyone!  What an overwhelming response this team has provided
me.  I received over 40 answers to my query and I would like to thank
everyone for the time you kindly provided to resolve this.  Below is an
outline of the progression and a brief response to some of the answers I
received.  I do see now that I neglected to state that the volume was NTFS,
so that may have been the reason I received so many answers regarding how to
delete the file with DOS (which didn't work; received "access denied").  The
information about a security tab missing could have been misleading, but in
reality it was from the hacker directories; and although I have limited
experience, I am not sure how a hacker can create NTFS directories without
one, but it happened for sure.

In brief:

- most said to use DOS to delete (received "access denied")
- many pointed to the MS document on how to delete (did not have access to
RM.EXE from the resource kit, and the RMDIR \\.\D:temp\UPLOAD /s also failed
with "access denied")
- tried to FTP back into myself to delete the directory (received "access
denied")
- one suggested running Norton Utilities to fix it (could not get Norton to
install since it is a "server")
- one pointed to the in-depth MS Knowledge Base and asked how long I looked
(none of the MS tips worked either).  Note: I am not sure what I did wrong
with my search argument during this and past times, but most "tips" I find
from these pages are found from Google, and the same search on the MS search
engine produces nothing.  However, I do feel obligated to answer this
question: I looked about 14 hours (enough for my wife to get really mad
about missing some of Christmas with the in-laws ;-)), but the biggest
problem was not knowing what kind of "illness" I had.  (I know much more
now, thanks to everyone here.)
- since I was able to stop all applications using this virtual drive, I
finally gave up, formatted and restored from the last backup
- still trying to figure out if I should go for a complete system re-install,
but I plan to watch it and the logs for the next few weeks (thank goodness
for the noisy hard drive and flashing lights on my hub that alerted me to
the "violation" in the first place)

Again, thanks to you all and have a prosperous new year!!!
Don





-----Original Message-----
From: Don Phillipe [mailto:donphillipe () hotmail com] 
Sent: Tuesday, December 31, 2002 11:05 AM
To: 'incidents () securityfocus com'
Subject: MS IIS 5 server is hacked leaving undeletable folders and files

I have a small server I use for my home business, mainly for anyone who
needs to send a large file that will not go through email.  I have an
anonymous UPLOAD FTP account that I open up to receive these.  From time to
time I forget and leave this open (I know this is stupid, but I thought I
could just erase anything that was put there because the small drive would
fill up real soon).  However, I see someone has hacked into my server and
put a bunch of trash that I cannot delete, because when I try to delete it,
Windows 2K says "cannot find the specified file".  I have spent 2 days
researching this and cannot find any reference on how to correct this.  I
did find some reference to looking at the security tab for these files, but
the security tab is missing!  I found some tools which are supposed to set
owners for files, and they don't work on these files.  Below is the log from
where the hacker attacked.  Any help would be appreciated.  I don't want to
have to rebuild my server if possible:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-30 06:38:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 80.11.214.63 [1]USER anonymous 331
06:38:21 80.11.214.63 [1]PASS anonymous () on the net 230
06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.043 550
06:54:31 80.11.214.63 [1]created rpc-acb.043 226
06:54:32 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.044 550
07:10:38 80.11.214.63 [1]created rpc-acb.044 226

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
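Added example (editor's code, not from either message or from SecurityFocus): the log above shows the classic "warez pub" trick on NTFS. The FTP server writes directory names through native NTFS calls, but Win32 tools (Explorer, cmd.exe, del/rd) first normalize the name, so a component named "com3 " or "aux " is mapped to the serial/printer device, a trailing space or dot is silently stripped, and a %15 control character is rejected outright; the directory exists but no ordinary tool can address it, hence "cannot find the specified file" and "access denied". The scanner below parses IIS 5 FTP log lines in the W3C layout quoted in the post (time c-ip cs-method cs-uri-stem sc-status, '+' for space, %XX escapes), flags every path component that would be unmanageable from Win32, and builds the `\\?\` extended-length form of a local path, the prefix that tells Win32 to skip normalization so such names can be opened and deleted (the KB approach the poster cites uses the related `\\.\` prefix). The sample log is constructed to match the post; function names, the reason strings and the `remove_tree` helper (Windows only, not exercised on other platforms) are my own.

```python
import os
import shutil
from urllib.parse import unquote_plus

# Names the Win32 subsystem reserves for devices. Matching is case-insensitive
# and also applies when an extension follows ("aux.txt"). NTFS has no such
# rule, so an FTP daemon creating entries with native calls can still make them.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

# Characters Win32 path handling rejects (plus all control characters).
ILLEGAL = set('<>:"|?*') | {chr(c) for c in range(32)}

# Constructed sample in the post's IIS 5 FTP log format (two "sent" uploads
# into the trap directory, one ordinary upload for contrast).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-12-30 06:38:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:38:21 80.11.214.63 [1]USER anonymous 331
06:38:21 80.11.214.63 [1]PASS anonymous@example.net 230
06:38:24 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.043 550
06:54:31 80.11.214.63 [1]created rpc-acb.043 226
06:54:32 80.11.214.63 [1]sent /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%d%D+/divx/rpc-acb.044 550
07:10:38 80.11.214.63 [1]created rpc-acb.044 226
07:12:02 80.11.214.63 [1]sent /upload/divx/ordinary.avi 226
"""


def decode_uri(uri):
    """IIS FTP logs write spaces as '+' and other bytes as %XX; undo both."""
    return unquote_plus(uri)


def suspicious_components(uri):
    """Return {component: [reasons]} for each path element that Win32 tools
    cannot address as an ordinary file name."""
    findings = {}
    for part in decode_uri(uri).split("/"):
        if not part:
            continue
        reasons = []
        # Device-name check ignores trailing space/dot and any extension.
        base = part.rstrip(" .").split(".")[0].upper()
        if base in RESERVED:
            reasons.append("reserved device name")
        if part != part.rstrip(" ."):
            reasons.append("trailing space or dot")
        if any(ch in ILLEGAL for ch in part):
            reasons.append("illegal or control character")
        if reasons:
            findings[part] = reasons
    return findings


def scan_log(text):
    """Parse W3C-style IIS 5 FTP log lines and return one record per line
    whose URI carries a suspicious component. The URI is rebuilt from every
    field between the method and the status, so multi-word PASS lines parse."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        method = fields[2].split("]")[-1]  # strip the "[1]" connection tag
        uri = " ".join(fields[3:-1])
        found = suspicious_components(uri)
        if found:
            hits.append({"time": fields[0], "ip": fields[1], "method": method,
                         "status": fields[-1], "uri": uri, "findings": found})
    return hits


def extended_path(path):
    """Prefix a drive-letter path with \\\\?\\ so Win32 skips the normalization
    that maps 'com3' to the serial port and strips trailing spaces and dots."""
    prefix = "\\\\?\\"
    return path if path.startswith(prefix) else prefix + path


def remove_tree(path):
    """Delete a tree that Explorer and cmd.exe cannot (Windows only; untested
    here). shutil passes the \\\\?\\ names straight to the wide Win32 APIs."""
    if os.name != "nt":
        raise OSError("\\\\?\\ paths are a Win32 feature")
    shutil.rmtree(extended_path(path))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], hit["status"])
        for part, reasons in hit["findings"].items():
            print("   ", repr(part), "->", ", ".join(reasons))
```

Run the scan over the server's ex*.log files as a daily check on any anonymous-writable FTP directory; a single flagged component is enough to show the upload area is being used as a drop, and the decoded names tell you exactly what to feed to `extended_path` when cleaning up.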