Unless you have an expert in security forensics, I would recommend that you fdisk that machine and restore from backup. Unless you were running something like tripwire and have a complete picture of the machine in a known-clean state, you have no way of knowing what back doors and trojans the attacker may have installed.

And while you're fdisk'ing, dump IIS/Windows and get a real OS ;-)

Yes, I understand the business reasons why people choose to use windows. I also understand that most of the people who make those high level decisions aren't really aware of the hidden costs they impose on themselves when they do that.

Crispin

Adam Lipson wrote:

>I have had someone come thru and post about 3gb of files on a webserver
>running fully patched IIS and only port 80 and ftp allowed to access it.
>The problem is the folders containing the files are names like ". tagged
>for nwa" and can't be deleted by windows/dos. Does anyone know how to
>delete these folders as I presume this may have happened to someone else on
>the list.
>
>Thanks and happy new years!
>Adam
>

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:38:05 PDT