-
1 day up and my Win2k server was hacked..
Gotta love the internet. I started up my FTP server for a friend and I get home 4 hours later and my pc has been hacked. There are wonderful directory structures now in the inetpub directory. Gotta love IIS!
So, how do I remove the directories that were created? I can't see them from the cmd prompt, but win explorer won't let me delete them. I get a "can't read from source" error.
Last edited by Tripitz; 07-08-2003 at 01:20 PM.
-
Have you tried using dir /x to display short names (8.3 format)?
IIS, especially version 6, can be bulletproof, but you've got to set it up that way. I've never had a successful crack of my IIS server. Many have tried, as I get very large error logs each day.
-
gran tiburón blanco
Originally posted by ua549
Have you tried using dir /x to display short names (8.3 format)?
IIS, especially version 6, can be bulletproof, but you've got to set it up that way. I've never had a successful crack of my IIS server. Many have tried, as I get very large error logs each day.
Sometimes they create directories with special characteristics and the system will not let you remove them. Usually PRN, LPT1 and my favorite, the directory without ANY NTFS permissions... not even the administrator can do anything with it. Out of the 2 times I saw this, once I was able to remove everything. The second time I had to move the real data off, format and move it back on. Apparently there is some utility based off of Unix that fixes them but I've never used it. I touch a good 3-4 sites a day so statistically IIS configured correctly holds up since I've only seen it twice in 2 years.
Eric
Last edited by ewitte; 07-08-2003 at 03:53 PM.
-
Originally posted by ewitte
Sometimes they create directories with special characteristics and the system will not let you remove them. Usually PRN, LPT1 and my favorite, the directory without ANY NTFS permissions... not even the administrator can do anything with it. Out of the 2 times I saw this, once I was able to remove everything. The second time I had to move the real data off, format and move it back on. Apparently there is some utility based off of Unix that fixes them but I've never used it. I touch a good 3-4 sites a day so statistically IIS configured correctly holds up since I've only seen it twice in 2 years.
Eric
You're right... Unfortunately, I forced admin full rights on everything and still no go. What really scares me is that now the files are GONE. I still cannot delete them. I blocked port 21 access at my firewall and obviously shut down the IIS and FTP service. I think this will require a format, which is very annoying. I don't have enough space elsewhere to put some of the data that I have. (It's a large drive.)
C:\Inetpub\ftproot\ \ \ \com4\F@#KOFF \con\ScanneD \com7\by \com1\Sh0rZ\com9\TaGGeD \lpt1\by \lpt1\Sh0rZ\con\ \with Neo1907´s PuB-tAgGeR \lpt3\uPPed \com3\BY \aux\Sh0rZ\com3
Like I said, there were more. There was a directory in German indicating that it was "what women want", with 1 .exe file in the directory and what looks to be compressed files. Those are now gone without me deleting them.
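Added example (not part of any poster's message): a small Python audit of the kind of path quoted above. It flags components that are legacy DOS device names or end in spaces, and builds the `\\?\` form of the path that cmd's `rd /s /q` accepts for such names. The sample path and function names are constructed for illustration.

```python
import re

# Legacy DOS device names: Win32 path normalization maps these to devices
# in any directory, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

# Constructed sample modelled on the tagged tree quoted in the thread.
SAMPLE = r"C:\Inetpub\ftproot\ \com4\tagged \con\data\lpt1"


def component_issues(name):
    """Reasons a single path component is mishandled by Explorer and cmd."""
    issues = []
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED:
        issues.append("reserved device name")
    if name.strip(" .") == "":
        issues.append("only spaces or dots")
    elif name != name.rstrip(" ."):
        issues.append("trailing space or dot")
    return issues


def audit_path(path):
    """Return (component, issues) for every problem component of a path."""
    _drive, _, rest = path.partition("\\")
    findings = []
    for comp in rest.split("\\"):
        if comp and component_issues(comp):
            findings.append((comp, component_issues(comp)))
    return findings


def extended_path(path):
    r"""Add the \\?\ prefix, which makes Win32 pass the name through unparsed."""
    if path.startswith("\\\\?\\"):
        return path
    if not re.match(r"[A-Za-z]:\\", path):
        raise ValueError("expected an absolute drive-letter path")
    return "\\\\?\\" + path


if __name__ == "__main__":
    for comp, issues in audit_path(SAMPLE):
        print(repr(comp), "->", ", ".join(issues))
    print("extended form:", extended_path(SAMPLE))
```

Quoting the extended form of the top-level unwanted directory to `rd /s /q` removes it from cmd without Explorer's name parsing getting in the way; NTFS permissions still apply.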
-
gran tiburón blanco
Originally posted by Tripitz
You're right... Unfortunately, I forced admin full rights on everything and still no go. What really scares me is that now the files are GONE. I still cannot delete them. I blocked port 21 access at my firewall and obviously shut down the IIS and FTP service. I think this will require a format, which is very annoying. I don't have enough space elsewhere to put some of the data that I have. (It's a large drive.)
C:\Inetpub\ftproot\ \ \ \com4\F@#KOFF \con\ScanneD \com7\by \com1\Sh0rZ\com9\TaGGeD \lpt1\by \lpt1\Sh0rZ\con\ \with Neo1907´s PuB-tAgGeR \lpt3\uPPed \com3\BY \aux\Sh0rZ\com3
Like I said, there were more. There was a directory in German indicating that it was "what women want", with 1 .exe file in the directory and what looks to be compressed files. Those are now gone without me deleting them.
Read my post in the "Technical support q/a" forum
Last edited by ewitte; 07-08-2003 at 04:42 PM.
-
Great White Shark
Originally posted by Tripitz
C:\Inetpub\ftproot\ \ \ \com4\F@#KOFF \con\ScanneD \com7\by \com1\Sh0rZ\com9\TaGGeD \lpt1\by \lpt1\Sh0rZ\con\ \with Neo1907´s PuB-tAgGeR \lpt3\uPPed \com3\BY \aux\Sh0rZ\com3
ROFL!!
You got scanned and they created a pub on your machine. People do this and FXP files to it and distribute your addy to everyone in the FXP scene and they all DL files from your stuff.
Heh heh.. I used to FTP to addys like that all the time to get "stuff".
Were you set to allow anonymous connects?
Last edited by vertices; 07-08-2003 at 10:28 PM.
-
Zoom-Zoom!
Someone named "Bill Gates" hacked my WinXP Pro desktop computer, right when I was downloading ZoneAlarm. He commented on my nice sportscar wallpaper, then changed it to porn wallpaper.
-
By the Power of Greyskull
You know I never have been hacked on any of my Linux or Windows servers.. Well none that I am aware of 
I feel for you... I have about 8 Linux servers live since 94 and they have NEVER been hacked! I have a massive log file of all the attempts but not a single success to my knowledge..
I have had various Windows NT from 3.51, NT 4.0, 2000, 2003 now online that I manage with my consultant firm.. So far no one made it in 
*knocks on wood!!!!*
I'm sorry that it happened... I know it sucks! But it might be a good idea to reinstall.. Since most hackers would leave backdoors, etc. to allow them access later..
Intel I9 14900K|ASUS - MAXIMUS Z790 HERO|ASUS GTX 1080 Ti|64GB G.Skill|(3) Samsung 990 Pro 4TB NVME |Custom water cooling||Alienware AW3423DW 34" OLED
288TB Plex server (UNRAID)
(16) WD Red Pro 20TB
-
Not Wurm
Yet another idea that I wish Microsoft would steal...
Make Admin like Root in *nix. Absolute authority, no questions asked.
-
When they hack, what do they really want?
I know they can do all the things, but are they really damaging your PC? (e.g. delete your MP3s, documents, etc.)
Or do they just play for fun (get in your PC and put their name in your PC - wanna be famous)?
Vodude => the fans of 3dfx voodoo
(not a vodka drinker and not a Vodafone user)
Dedicated to my V3000 (21/6/99-18/12/02), which I forgot where have I put it. 