Security Incidents mailing list archives

Re: Corrupted Directories, Intrusions, and Nimda Oh MY


From: H C <keydet89 () yahoo com>
Date: Fri, 9 Nov 2001 03:54:31 -0800 (PST)

Drew,

> Went on vacation for a week, come back to see that my email server is
> reporting that it's completely full. Look a little deeper into it and I
> see that people have uploaded tons of MP3's, Warez, etc..

Sounds like this was more than an email server. 
Sounds like it had IIS and FTP running as well.  What
you describe is indicative of the FTP server being
configured so that the anonymous user has write access
to the drive.

> Anyone got a tool that will allow me to just delete the directory and all
> the subdirectories this stuff is in?

Have you tried "rmdir /s" ?  Also, 'del' or 'erase'
with the /F switch looks like they might be helpful.




