RE: CRIME hacked web server question

From: Andrew Plato (aplato@private)
Date: Mon Dec 31 2001 - 13:32:03 PST


    Windows machines - properly configured - can be very secure and safe.
    The problem is not the software, it's that the "out of the box"
    configuration is weak. A properly hardened Win2K box can be very secure.

    You can delete these files using NTFS. You need to delete it using its
    "short name". Try using the command DIR /X in the directory where the
    file is located to get its "short name", which will be something like
    "~1, see;EN-US;Q101654
    Then delete the directory using the short name C:\del "~1

    You can also boot into the recovery console and work from there.

    However, before you put the machine live, I would recommend a full
    backup, a thorough vulnerability scan, virus scan, and disk cleaning
    (defrag, clean out all the free space, etc.)

    If you do FDISK it, make sure to harden up your FTP services if

    Good luck.

    Andrew Plato
    President / Principal Consultant
    Anitian Corporation
    (503) 644-5656 office
    (503) 201-0821 cell
    Yahoo Messenger: Anitian

    > -----Original Message-----
    > From: Crispin Cowan [mailto:crispin@private]
    > Sent: Monday, December 31, 2001 12:32 PM
    > To: Adam Lipson
    > Cc: 'crime@private'
    > Subject: Re: CRIME hacked web server question
    >
    > Unless you have an expert in security forensics, I would recommend that
    > you fdisk that machine and restore from backup. Unless you were running
    > something like tripwire and have a complete picture of the machine in a
    > known-clean state, you have no way of knowing what back doors and
    > trojans the attacker may have installed.
    >
    > And while you're fdisk'ing, dump IIS/Windows and get a real OS ;-)  Yes,
    > I understand the business reasons why people choose to use windows. I
    > also understand that most of the people who make those high level
    > decisions aren't really aware of the hidden costs they impose on
    > themselves when they do that.
    >
    > Crispin
    >
    > Adam Lipson wrote:
    >
    > >I have had someone come through and post about 3gb of files on a webserver
    > >running fully patched IIS and only port 80 and ftp allowed to access it.
    > >The problem is the folders containing the files are named like ".   tagged
    > >for nwa" and can't be deleted by windows/dos.  Does anyone know how to
    > >delete these folders as I presume this may have happened to someone else on
    > >the list.
    > >
    > >Thanks and happy new years!
    > >Adam
    > >
    > -- 
    > Crispin Cowan, Ph.D.
    > Chief Scientist, WireX Communications, Inc.
    > Security Hardened Linux Distribution:
    > Available for purchase:
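
    The short-name cleanup Andrew describes (DIR /X to read the 8.3 name, then
    delete by that name), written out as a small cmd.exe script. This is an
    added example for this archive page, not a script from Andrew Plato or
    anyone else in the thread. The short name DOTTAG~1 in the usage comments is
    an assumed value; the real one comes from the dir /x listing on the
    affected machine.

```batch
@echo off
setlocal
REM Added example, not part of the original thread: remove an NTFS directory
REM whose long name cmd.exe cannot handle (leading dot, embedded/trailing
REM spaces, etc.) by addressing it through its 8.3 short name, as shown by
REM "dir /x".
REM Usage:  shortdel.cmd            -> lists directories here with short names
REM         shortdel.cmd DOTTAG~1   -> removes that directory and its contents
REM DOTTAG~1 is an assumed short name; read the real one from the listing.

if "%~1"=="" (
    echo Directories in "%CD%" with their 8.3 short names:
    REM /x adds the short-name column; /a:d restricts the listing to directories
    dir /x /a:d
    echo.
    echo Usage: %~nx0 SHORTNAME~1
    exit /b 1
)

REM A trailing backslash makes "if exist" test for a directory, not a file
if not exist "%~1\" (
    echo No directory named "%~1" here. Check the short name with: dir /x /a:d
    exit /b 1
)

echo Removing directory by short name: "%~1"
REM /s removes the whole tree, /q suppresses the confirmation prompt
rd /s /q "%~1"

REM rd does not reliably report failure through ERRORLEVEL, so re-check the path
if exist "%~1\" (
    echo "%~1" still exists. Fall back to the Recovery Console, as suggested in the thread.
    exit /b 1
)
echo Removed "%~1".
endlocal
```

    Run it from the directory that holds the unwanted folders. Short names
    only exist if 8.3 name generation was enabled on the volume when the
    folders were created (the default on Windows 2000); if dir /x shows an
    empty short-name column, the script cannot help and the Recovery Console
    route is the next step. Removing the dropped files does not answer
    Crispin's point: without a known-clean baseline, deleting the visible
    folders says nothing about what else was left behind, so the rebuild and
    restore-from-backup advice in the thread still stands.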

    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:38:10 PDT