RE: CRIME hacked web server question

From: Adam Lipson (AdamL@private)
Date: Wed Jan 02 2002 - 09:28:50 PST


    Thank you to everyone who gave such great suggestions and advice.  What
    ended up working was using DIR /X in the directory and then rmdir deleted
    all but one folder that has a file size of 0 bytes.  It would be nice to get
    rid of this folder, but we can live with this solution until we can FDISK
    the machine.  
    
    Thanks again and Happy New Years!  
    Adam
    
    -----Original Message-----
    From: Andrew Plato [mailto:aplato@private]
    Sent: Monday, December 31, 2001 1:32 PM
    To: Adam Lipson
    Cc: crime@private
    Subject: RE: CRIME hacked web server question
    
    
    Windows machines - properly configured - can be very secure and safe.
    The problem is not the software, it's that the "out of the box"
    configuration is weak. A properly hardened Win2K box can be very secure.
    
    You can delete these files using NTFS. You need to delete it using its
    "short name".  Try using the command DIR /X in the directory where the
    file is located to get its "short name" which will be something like
    "~1, see http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q101654
    
    Then delete the directory using the short name C:\del "~1
    
    You can also boot into the recovery console and work from there. 
    
    However, before you put the machine live, I would recommend a full
    backup, a thorough vulnerability scan, virus scan, and disk cleaning
    (defrag, clean out all the free space, etc.) 
    
    If you do FDISK it, make sure to harden up your FTP services if
    possible. 
    
    
    Good luck.
    
    ------------------------------------
    Andrew Plato
    President / Principal Consultant
    Anitian Corporation
    
    (503) 644-5656 office
    (503) 201-0821 cell
    http://www.anitian.com
    Yahoo Messenger: Anitian
    ------------------------------------
    
    
    > -----Original Message-----
    > From: Crispin Cowan [mailto:crispin@private]
    > Sent: Monday, December 31, 2001 12:32 PM
    > To: Adam Lipson
    > Cc: 'crime@private'
    > Subject: Re: CRIME hacked web server question
    > 
    > 
    > Unless you have an expert in security forensics, I would recommend that
    > you fdisk that machine and restore from backup. Unless you were running
    > something like tripwire and have a complete picture of the machine in a
    > known-clean state, you have no way of knowing what back doors and
    > trojans the attacker may have installed.
    > 
    > And while you're fdisk'ing, dump IIS/Windows and get a real OS ;-)  Yes,
    > I understand the business reasons why people choose to use windows. I
    > also understand that most of the people who make those high level
    > decisions aren't really aware of the hidden costs they impose on
    > themselves when they do that.
    > 
    > Crispin
    > 
    > Adam Lipson wrote:
    > 
    > >I have had someone come thru and post about 3gb of files on a webserver
    > >running fully patched IIS and only port 80 and ftp allowed to access it.
    > >The problem is the folders containing the files are names like ".   tagged
    > >for nwa" and can't be deleted by windows/dos.  Does anyone know how to
    > >delete these folders as I presume this may have happened to someone else on
    > >the list. 
    > >
    > >Thanks and happy new years!
    > >Adam
    > >
    > 
    > -- 
    > Crispin Cowan, Ph.D.
    > Chief Scientist, WireX Communications, Inc. http://wirex.com
    > Security Hardened Linux Distribution:       http://immunix.org
    > Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
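The clean-up the thread settles on (list the directory's 8.3 short name with DIR /X, then remove it by that name) can be scripted so that it is repeatable and can be dry-run first. The batch file below is an added example written for this archive page; it is not code from Adam, Andrew or anyone else on the list. It prints the DIR /X listing for the matching directories (the step from the thread) and then removes each one through the `\\?\` path prefix, which makes the Win32 layer pass the name through without normalising it, so a leading dot or embedded and trailing spaces no longer matter and the removal works whether or not 8.3 short names are enabled on the volume. The script name rmbad.cmd, the sample path D:\inetpub\ftproot and the `.*` name pattern are assumptions, not values from the thread.

```batch
@echo off
setlocal
rem Added example, not from the mailing-list thread. Removes subdirectories
rem whose names defeat normal deletion (leading dot, embedded or trailing
rem spaces, reserved words) by addressing them through the \\?\ prefix.
rem
rem Usage:   rmbad.cmd <parent-dir> <name-wildcard>        dry run (list only)
rem          rmbad.cmd <parent-dir> <name-wildcard> /go    actually delete
rem Example: rmbad.cmd D:\inetpub\ftproot ".*"             (hypothetical path)

if "%~2"=="" (
    echo Usage: %~nx0 ^<parent-dir^> ^<name-wildcard^> [/go]
    exit /b 1
)
set "PARENT=%~f1"
set "PATTERN=%~2"
set "GO=%~3"
rem Drop a trailing backslash so the \\?\ path is built cleanly.
if "%PARENT:~-1%"=="\" set "PARENT=%PARENT:~0,-1%"

rem Show the 8.3 short names first (the DIR /X step from the thread); a
rem short name can also be handed to RD by hand for a one-off clean-up.
echo Matching directories under "%PARENT%" with their short names:
dir /x /ad "%PARENT%\%PATTERN%" | findstr /c:"<DIR>"
echo.

rem dir /b /ad prints one raw name per line; "delims=" keeps leading and
rem trailing spaces intact so the \\?\ path we build is exact.
for /f "delims=" %%D in ('dir /b /ad "%PARENT%\%PATTERN%"') do (
    if not "%%D"=="." if not "%%D"==".." call :remove "%%D"
)
endlocal
exit /b 0

:remove
rem %1 is the raw directory name, quotes stripped, spaces preserved.
set "TARGET=\\?\%PARENT%\%~1"
if /i "%GO%"=="/go" (
    rd /s /q "%TARGET%" && echo REMOVED  [%~1] || echo FAILED   [%~1]  -- check ACLs or open handles
) else (
    echo WOULD REMOVE  [%~1]  as "%TARGET%"
)
exit /b
```

Run it without /go first: the dry run prints the exact `\\?\` path that would be handed to RD for each match, including the square brackets that make trailing spaces in the name visible. Names containing `%` or `&` are outside what plain batch quoting handles and would need the PowerShell equivalent.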



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:38:12 PDT