Re: Hacker "scanned" my webserver


Chris
Did this happen in your ftp directories or wwwroot?
I cannot offer any help, but I had this happen with my ftproot in IIS and I
was never able to figure out how to get rid of the invalid directories.

-Chris

"Dr. Bob" wrote in message
news:26D4BAB4-96C2-43F4-AC40-0485BC860BD1@microsoft.com...
> I have a Win2K webserver running IIS that was "scanned" by a hacker. I now
> have files/folders with non-printing characters in their names. When I try
> to delete them, I get "file not found" or "cannot read from source file or
> disk" errors. Any way to fix this problem? Also, what can I do to keep this
> from happening again? Thanks for your help.
> Bob



Dr. Bob
It happened in the wwwroot directory. I've copied the good files/folders to another directory and pointed the webserver there for now but so far it looks like I'll have to reformat to get rid of these files?? I used to be able to use Norton Utilities diskedit to fix this kind of problem but I only have an old copy that doesn't work with ntfs. I thought for sure there had to be some shareware out there that would do the same thing.


Steven L Umbach
I am not an IIS guru but this may help and you may also want to post in the
IIS security newsgroup where the gurus hang out. The link below may help on
how to delete difficult files.

http://support.microsoft.com/?kbid=320081

You may also want to consider disabling posix on your server and running the
IIS Lockdown Tool, but only after a full backup including the System State
and saving your IIS configuration via IIS Management Console. The links
below may be helpful. --- Steve

http://www.microsoft.com/technet/security/tools/locktool.mspx
http://www.securityfocus.com/infocus/1755
http://support.microsoft.com/default.aspx?scid=kb;en-us;101270

"Dr. Bob" wrote in message
news:186D62B5-79D0-4B21-BC2E-DE46A883EE0F@microsoft.com...
> It happened in the wwwroot directory. I've copied the good files/folders
> to another directory and pointed the webserver there for now but so far it
> looks like I'll have to reformat to get rid of these files?? I used to be
> able to use Norton Utilities diskedit to fix this kind of problem but I only
> have an old copy that doesn't work with ntfs. I thought for sure there had
> to be some shareware out there that would do the same thing.



Dr. Bob
Well, I tried all those links. I now have the server
behind a firewall, which is where it should have been in
the first place - my bad. Now I need a solution - not a
spanking. I'm just trying to not have to reformat this
drive. I went to the scripts that were listed and tried to
rename, delete, move, etc. the directory/files with
vbscripting but I keep getting "path not found" on the
hacked directories. On one of them, it says, "..t4gged by
Dragon 1.09930610134414 E+37..: Cannot find the specified
file." where the dots represent non-printing characters.
Without some kind of hex editor for the disk, I can't find
out what those characters are in order to delete the file.
Can the disk be edited with the Microsoft debugger? Does
anyone know of a shareware/freeware disk hex editor? It
would seem that all that needs to be done is to hex edit
the file name to something w32 can recognize. Am I
oversimplifying this? Has anyone else had this happen?

>-----Original Message-----
>I am not an IIS guru but this may help and you may also want to post in the
>IIS security newsgroup where the gurus hang out. The link below may help on
>how to delete difficult files.
>
>http://support.microsoft.com/?kbid=320081
>
>You may also want to consider disabling posix on your server and running the
>IIS Lockdown Tool, but only after a full backup including the System State
>and saving your IIS configuration via IIS Management Console. The links
>below may be helpful. --- Steve
>
>http://www.microsoft.com/technet/security/tools/locktool.mspx
>http://www.securityfocus.com/infocus/1755
>http://support.microsoft.com/default.aspx?scid=kb;en-us;101270
>
>"Dr. Bob" wrote in message
>news:186D62B5-79D0-4B21-BC2E-DE46A883EE0F@microsoft.com...
>> It happened in the wwwroot directory. I've copied the good files/folders
>> to another directory and pointed the webserver there for now but so far it
>> looks like I'll have to reformat to get rid of these files?? I used to be
>> able to use Norton Utilities diskedit to fix this kind of problem but I only
>> have an old copy that doesn't work with ntfs. I thought for sure there had
>> to be some shareware out there that would do the same thing.
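
An added example, not part of any post in this thread: a Python script that makes the non-printing characters in such names visible, lists why the normal Win32 path parser rejects each name, and builds the `\\?\`-prefixed path that is handed to the file system without normalization. The function names and sample names are constructed for illustration, and `extended_path` assumes an absolute Windows directory.

```python
import os
import re

# Device names the Win32 path parser reserves, with or without an extension.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)
FORBIDDEN = set('<>:"/\\|?*')  # characters Win32 rejects in a file name


def visible(name):
    """Render every character outside printable ASCII as <U+XXXX>."""
    return "".join(c if " " <= c <= "~" else "<U+%04X>" % ord(c) for c in name)


def win32_problems(name):
    """Return the reasons the normal Win32 path parser cannot address name."""
    reasons = []
    if any(ord(c) < 0x20 for c in name):
        reasons.append("control character")
    if any(c in FORBIDDEN for c in name):
        reasons.append("forbidden character")
    if name.endswith((" ", ".")):
        reasons.append("trailing space or dot")
    if RESERVED.match(name):
        reasons.append("reserved device name")
    return reasons


def extended_path(directory, name):
    r"""Prefix an absolute Windows directory with \\?\ so the name is passed
    to the file system as stored, without Win32 normalization."""
    return "\\\\?\\" + directory.rstrip("\\") + "\\" + name


def report(directory):
    """Return (visible name, problems, extended path) per suspicious entry."""
    root = os.path.abspath(directory)
    rows = []
    for entry in os.scandir(root):
        problems = win32_problems(entry.name)
        if problems:
            rows.append((visible(entry.name), problems,
                         extended_path(root, entry.name)))
    return sorted(rows)


if __name__ == "__main__":
    # Constructed sample names, not the ones from the thread.
    for sample in ["\x01\x02sample dir ", "nul.txt", "index.html"]:
        print(visible(sample), win32_problems(sample))
```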