Re: CRIME hacked web server question

From: Crispin Cowan (crispin@private)
Date: Mon Dec 31 2001 - 12:32:04 PST

    Unless you have an expert in security forensics, I would recommend that 
    you fdisk that machine and restore from backup. Unless you were running 
    something like tripwire and have a complete picture of the machine in a 
    known-clean state, you have no way of knowing what back doors and 
    trojans the attacker may have installed.

    And while you're fdisk'ing, dump IIS/Windows and get a real OS ;-)  Yes, 
    I understand the business reasons why people choose to use Windows. I 
    also understand that most of the people who make those high level 
    decisions aren't really aware of the hidden costs they impose on 
    themselves when they do that.

    Adam Lipson wrote:
    >I have had someone come thru and post about 3gb of files on a webserver
    >running fully patched IIS and only port 80 and ftp allowed to access it.
    >The problem is the folders containing the files are named like ".   tagged
    >for nwa" and can't be deleted by windows/dos.  Does anyone know how to
    >delete these folders as I presume this may have happened to someone else on
    >the list. 
    >Thanks and happy new years!

    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc.
    Security Hardened Linux Distribution:
    Available for purchase:

