IIS FTP compromise is actually quite a common and frequent problem. You basically have three problems to deal with here:

1) Until you pull the network connection wire, you will make no progress. That is step one.

2) These files and directories are normally not easy to delete. You will see some advice and references that state they can be successfully removed with "POSIX Compliant Tools". And yes, sometimes they are successful. However, I recommend you put the money out and buy a copy of WinHex. It will never fail. Follow these instructions: "Search for all occurrences of the filenames you need to dispose of using Search | Find Text, in Unicode, and replace all of them with any other filename. Schedule CHKDSK to run on that partition at next reboot. Reboot the machine. CHKDSK will then delete the files and restore the disk space back to free space."

3) Chances of identifying and eliminating all the hacked files at this point in time are very slim. Consider reformatting and re-installing from last known good (uncompromised) backup.

Good luck. This is a tough spot to be in.

-----Original Message-----
From: rbelchez@show-net.net [mailto:rbelchez@show-net.net]
Sent: Wednesday, February 12, 2003 5:21 PM
To: incidentsat_private
Subject: ftp server compromised

Dear All,

Pls advise. Also apologize if this problem has already been posted here before. A huge amount of compressed movies has been uploaded on our FTP server w/out our consent. I tried to delete via Windows Explorer and DOS but the system is just giving an error and the files cannot be deleted. Kindly please advise how to manually delete these files, and also how to protect our server from this happening again. As per the IIS logs, he was able to login via anonymous and uploaded files. I know I have disabled the anonymous on the FTP but for some reason the hacker seems to have a workaround on this. (Copied here are the server logs .. pls advise...)
00:35:41 (IP withheld) [49]USER anonymous 331
00:35:41 (IP withheld) [49]PASS anonymousat_private 230
00:36:39 (IP withheld)[50]USER anonymous 331
00:36:39 (IP withheld)[50]PASS anonymousat_private 230
00:36:44 (IP withheld)[50] sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3 ,74069437262937E+35++/Filled+By/xvid-mnlght-subs-nl-aen.rar 550
00:36:49 (IP withheld) [50]created xvid-mnlght-subs-nl-aen.rar 226
00:36:59 (IP withheld)[51]USER anonymous 331
00:37:00 (IP withheld)[51]PASS anonymousat_private 230
00:39:10 (IP withheld)[50] sent /webmail+/++prn0+++++++/++prn0++++++++/++++con2+++++/++The+We@sel+3 ,74069437262937E+35++/Filled+By/--+==+[+++2oo.ooo++++]+==+-- 550
00:39:23 (IP withheld)[50]created --+==+[+++2oo.ooo++++]+==+-- 226
00:51:49 (IP withheld)[49]closed - 421

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
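As an added example (not from either poster), a small Python audit over lines in the IIS FTP log format quoted above: it flags sessions where an anonymous login was actually accepted (the 331/230 pair the original poster saw), uploads made in those sessions, and path components that Explorer and cmd cannot delete because they are Win32 device names or are padded with spaces, which the log writes as '+'. The sample log lines are constructed to mirror the quoted ones; the address in them is a placeholder.

```python
import re
# Constructed sample in the shape of the IIS FTP log quoted in the thread (not the poster's real data).
SAMPLE_LOG = """\
00:35:41 (IP withheld) [49]USER anonymous 331
00:35:41 (IP withheld) [49]PASS anonymous@example.invalid 230
00:36:39 (IP withheld)[50]USER anonymous 331
00:36:39 (IP withheld)[50]PASS anonymous@example.invalid 230
00:36:44 (IP withheld)[50] sent /webmail+/++prn0+++++++/++++con2+++++/Filled+By/movie.rar 550
00:36:49 (IP withheld) [50]created movie.rar 226
00:51:49 (IP withheld)[49]closed - 421
"""
# time (client) [session]command argument status
LINE_RE = re.compile(r"^(?P<time>\S+) \((?P<ip>[^)]*)\)\s*\[(?P<sess>\d+)\]\s*"
                     r"(?P<cmd>\w+) (?P<arg>\S+) (?P<status>\d{3})$")
# Win32 device names. A component equal to one of these, or padded with spaces
# (which the log writes as '+'), cannot be removed with Explorer or cmd.
RESERVED = {"CON", "PRN", "AUX", "NUL", *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}

def parse_line(line):
    """Return the fields of one IIS FTP log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def awkward_components(path):
    """Path components that ordinary Windows tools cannot delete."""
    out = []
    for comp in path.replace("+", " ").split("/"):
        base = comp.strip().split(".")[0].upper()
        if comp and (comp != comp.strip() or base in RESERVED):
            out.append(comp)
    return out

def audit_ftp_log(text):
    """Flag accepted anonymous logins, uploads in those sessions, and undeletable paths."""
    findings, anon_sessions, last_user = [], set(), {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        sess, cmd, arg, status = rec["sess"], rec["cmd"], rec["arg"], rec["status"]
        if cmd == "USER":
            last_user[sess] = arg.lower()
        elif cmd == "PASS" and status == "230" and last_user.get(sess) == "anonymous":
            anon_sessions.add(sess)
            findings.append({"kind": "anonymous_login", "session": sess, "time": rec["time"]})
        elif cmd == "created" and status == "226":
            findings.append({"kind": "upload", "session": sess, "name": arg, "anonymous": sess in anon_sessions})
        if cmd in ("sent", "created") and awkward_components(arg):
            findings.append({"kind": "undeletable_path", "session": sess, "components": awkward_components(arg)})
    return findings
```

Running `audit_ftp_log` over a real log after disabling anonymous access is a quick way to confirm the setting actually took effect, since a 230 after `USER anonymous` means the server still accepted it.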
This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 21:12:01 PST