Re: MS IIS 5 server is hacked leaving undeletable folders and files

["Stelian Popescu-Crainic" <stelianp () hotmail com>]

Try using the good old command prompt as administrator (Start->Run->Cmd).
One command that will be usefull is dir /x which will show you the name of 
the folders and files in 8.3 format. Then del and rmdir.






> From: "Don Phillipe" <donphillipe () hotmail com>
> To: <security-basics () securityfocus com>
> Subject: MS IIS 5 server is hacked leaving undeletable folders and files
> Date: Tue, 31 Dec 2002 10:54:34 -0600
> MIME-Version: 1.0
> X-Originating-IP: [12.239.98.0]
> Received: from outgoing3.securityfocus.com ([205.206.231.27]) by 
> mc8-f20.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 31 Dec 
> 2002 12:10:05 -0800
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [205.206.231.19])by outgoing3.securityfocus.com (Postfix) with QMQPid 
> ACAD5A30EB; Tue, 31 Dec 2002 12:07:28 -0700 (MST)
> Received: (qmail 13171 invoked from network); 31 Dec 2002 16:26:51 -0000
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Message-ID: <005701c2b0ed$4bbab460$850aa8c0@homedesk>
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.4510
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> X-OriginalArrivalTime: 31 Dec 2002 16:54:39.0711 (UTC) 
> FILETIME=[4EE42EF0:01C2B0ED]
> Return-Path: 
> security-basics-return-16979-stelianp=hotmail.com () securityfocus com
>
> I have a small server I use for my home business and use it mainly for
> anyone who needs to send a large file that will not go through email.  I
> have an anonymous UPLOAD FTP account that I open up to receive these.  From
> time to time I forget and leave this open (I know this is stupid but I
> thought I could just erase anything that was put there because the small
> drive would fill up real soon).  However, I see someone has hacked into my
> server and put a bunch of trash that I cannot delete because when I try to
> delete it, Windows 2K says "cannot find the specified file".   I have spent
> 2 days researching this and cannot find any reference of how to correct
> this.   I did find some reference to looking at the security tab for these
> files but the security tab is missing!  I found some tools which are
> supposed to set owners for files and they don't work on these files.   Here
> is the log from where the hacker attacked below.  Any help would be
> appreciated.  I don't want to have to rebuild my server if possible:
>
>
>
> #Software: Microsoft Internet Information Services 5.0
>
> #Version: 1.0
>
> #Date: 2002-12-30 06:38:21
>
> #Fields: time c-ip cs-method cs-uri-stem sc-status
>
> 06:38:21 80.11.214.63 [1]USER anonymous 331
>
> 06:38:21 80.11.214.63 [1]PASS anonymous () on the net 230
>
> 06:38:24 80.11.214.63 [1]sent
> /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%
> d%D+/divx/rpc-acb.043 550
>
> 06:54:31 80.11.214.63 [1]created rpc-acb.043 226
>
> 06:54:32 80.11.214.63 [1]sent
> /upload/com3+/lpt2+/com3+/d/%15%20%d%D_FCT+/f/.GR+/h/aux+/j/%15%20%+by+Lorg%
> d%D+/divx/rpc-acb.044 550
>
> 07:10:38 80.11.214.63 [1]created rpc-acb.044 226


_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE* 
http://join.msn.com/?page=features/virus