
iis security : Cleaning hacked IIS server


JonR
12/19/2003 3:51:17 PM
I have an IIS server that has thousands of folders and
files that have been posted by a hacker. I have tried
taking ownership, forcing new permissions, cutting off
inheritance and am unable to move or delete the files.
I ran The Checker to scan for trojans and backdoors, but
it found nothing. I have several service packs to
install, but my C: drive is pretty full of junk the
hackers have posted.
Is there a tool or method to clean off files that have
been locked from deleting? NTFS and folder permissions
appear to give Administrators full control, but attempts
to move or delete give error: Access denied...
Thanks for your help,
Joseph
12/19/2003 9:36:26 PM
Try this, I hope it works. Reboot in safe mode by pressing
the F8 key during boot. You should be able to delete the
files this way.
Joseph
Karl Levinson [x y] mvp
12/20/2003 7:12:52 PM
I doubt that will work.

See here:

http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

Briefly, the attacker probably installed an FTP server like Serv-U FTP on
your computer and used up your internet connection bandwidth and hard drive
space. People think they don't need to secure their home computer and test
systems that don't have any important data, but you still do. Using the 8.3
file name such as by DIR /X is usually part of the solution, in order to
bypass certain reserved words in the file name such as COM1 that Windows
Explorer won't let you manipulate. [Disabling posix support would have
prevented this trick from being used to make the files hard to delete.] See
the links above for more details.

BTW, you not only need to delete the files, you better determine how you
were hacked and what other changes or software was installed on your
computer, or else you'll be hacked again. You were probably hacked by
something very simple to fix, like missing patches, no firewall, and/or you
left IIS FTP service running with the IUSR anonymous user having both read
and write permission to one folder. www.kerio.com and www.sygate.com are
free firewalls.

If you didn't leave the IIS FTP service running, then your computer was
completely compromised / remotely controlled, as new software was installed
on it.


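The trick Karl describes (names such as COM1 that the Win32 layer refuses to address, created through the POSIX subsystem) can be triaged before touching anything. The script below is an added example written for this thread, not code from any of the posters or from the linked FAQ: it flags directory entries whose names a normal Win32 path cannot reach (reserved device names, and names ending in a space or period, which Win32 silently strips) and prints the extended-length `\\?\` form of each path, which cmd.exe's `del` and `rd` pass to NTFS verbatim. The sample listing under `C:\inetpub\ftproot` is constructed, and the function names are my own.

```python
"""Triage entries an intruder dropped on an NTFS volume: flag names that the
Win32 API cannot address through a normal path and emit the extended-length
path form that bypasses Win32 path normalisation."""
import os
from typing import Iterable, List, Optional, Tuple

# Device names reserved by the Win32 layer. Only the stem matters:
# "COM1.txt" still resolves to the COM1 device.
RESERVED_STEMS = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def why_unaddressable(name: str) -> Optional[str]:
    """Return the reason a normal Win32 path to `name` would be mangled or
    refused, or None if the name is ordinary. The POSIX subsystem could
    create all of these; Explorer and plain cmd paths cannot remove them."""
    stem = name.split(".", 1)[0].upper()
    if stem in RESERVED_STEMS:
        return f"reserved device name {stem}"
    if name != name.rstrip(" ."):
        return "trailing space or period (stripped by Win32 normalisation)"
    return None


def extended_path(win_path: str) -> str:
    r"""Prefix a Win32 path with \\?\ so it reaches the file system without
    normalisation. UNC paths take the \\?\UNC\server\share form."""
    if win_path.startswith("\\\\?\\"):
        return win_path
    if win_path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + win_path[2:]
    return "\\\\?\\" + win_path


def triage(root: str, names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each flagged name under `root` with the path form that del/rd
    accept and the reason it was flagged."""
    findings = []
    for name in names:
        reason = why_unaddressable(name)
        if reason:
            full = root.rstrip("\\") + "\\" + name
            findings.append((extended_path(full), reason))
    return findings


def triage_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a real directory tree (run this on the affected server)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        findings.extend(triage(dirpath, dirnames + filenames))
    return findings


if __name__ == "__main__":
    # Constructed listing of the kind an FTP dropper leaves; not a real capture.
    sample = ["COM1", "com1.txt", "LPT9", "track.mp3", "stash.", "stash ", ".hidden"]
    for path, reason in triage(r"C:\inetpub\ftproot", sample):
        print(f'del "{path}"   :: {reason}')
```

Feed the printed paths to `del` for files and `rd /s /q` for directories; the `\\?\` prefix is what lets the command reach an entry that `DIR /X`'s 8.3 alias might not expose. Directory entries that are themselves reserved names are flagged the same way, since `os.walk` yields them in `dirnames`.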

jcochran.nospam NO[at]SPAM naplesgov.com
12/22/2003 4:17:52 PM
On Fri, 19 Dec 2003 15:51:17 -0800, "JonR"

Best is to wipe and reinstall, but if you're *sure* it was just an
open FTP server, try:

How to Remove Files with Reserved Names in Windows:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;120716
You Cannot Delete a File or a Folder
http://support.microsoft.com/?id=320081

a-chaun NO[at]SPAM NOSPAMmicrosoft.com
1/12/2004 2:01:25 AM
I also wish to add that we typically recommend, along with cert.org, that a
compromised box cannot be fully trusted and that the best practice is to
fdisk, format, and reinstall the OS after having been compromised.

There is some good general advice at:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html