Question

Please help, my IIS server has been hacked.

Asked by: ApexTx

Somebody has got on my web server and placed movies on the hard drive. I can't erase them and I can't do anything with them. I don't want to have to reinstall, that would be bad :( I have all weekend to figure this out but if it's not fixed by Monday I will have to inform my boss.


Asked on: 2003-01-31 at 17:04:42 (ID 20492075)
Tags: hacked, iis, my, server, has
Topic: Miscellaneous Security
Participating Experts: 6
Points: 245
Comments: 19

Answers

 

by: TooKoolKris, posted on 2003-01-31 at 17:20:54 (ID: 7857183)

You might not have to re-install, but then again you might. There's no telling what was put on this server and how the person gained access. I would come to grips with the thought that this server will probably need to be rebuilt. Do you have any AV running on this PC? Let's see if there are any known trojans as well.

Download this tool and let's see if it finds anything:

http://www.lockdowncorp.com/bots/downloadswatit.html

Maybe we can get lucky and it will be a common one or something that can be repaired. Let me know what happens.

TKK

 

by: ApexTx, posted on 2003-02-01 at 15:03:23 (ID: 7860760)

Ok, I've been trying different things. That tool didn't come up with anything on my machine but it was cool to have nonetheless.
It is very clear that no matter what I do I'm not going to be able to get this stuff off my computer. Norton AV hasn't found anything either and I updated to the latest definitions as well.
Thanks for the quick reply as well. What would you recommend for the future so that after I rebuild this server it won't happen again? How can I be sure that nothing on my backup tapes is infected with something?

 

by: TooKoolKris, posted on 2003-02-01 at 18:13:25 (ID: 7861243)

The best way to make sure that you don't get anything from your backup tapes is to make sure that you have your AV running whenever you do any restores from tapes. Norton will scan any file that is being copied to the drive from the backup tape this way.

One thing I would recommend is putting a firewall in front of the server and properly configuring IIS for security.

HOW TO: Perform Security Planning for Internet Information Services 5.0
http://support.microsoft.com/default.aspx?scid=kb;en-us;311184

HOW TO: Use the Security Planning Tool in Internet Information Services (IIS)
http://support.microsoft.com/default.aspx?scid=kb;en-us;315673

HOW TO: Use Internet Explorer to Verify Your IIS Security Configuration
http://support.microsoft.com/default.aspx?scid=kb;en-us;314506

HOW TO: Install and Use the IIS Security "What If" Tool
http://support.microsoft.com/default.aspx?scid=kb;en-us;229694

The Twenty Most Critical Internet Security Vulnerabilities
http://www.sans.org/top20/

Basic IIS 5.0 Default Web Server Security
http://www.sans.org/rr/web/IIS5_sec.php

Getting my point here? You can never read too much when it comes to security. These should get you started.

TKK

 

by: hans_larson, posted on 2003-02-01 at 21:46:49 (ID: 7861795)

I have had this happen to me too. They upload movie files to your FTP site and you cannot delete the folders or the files, right? They called it "Tagged".

The reason you cannot delete these files is because they contain reserved Windows keywords, like com1, com2 etc.

Here is your answer, follow this document:

http://support.microsoft.com/default.aspx?scid=KB;en-us;q120716

** The best way to prevent this from happening to you again is to not allow anonymous access to your FTP sites with write permission.

Let me know if you need more help with this.

- Hans

 

by: hans_larson, posted on 2003-02-01 at 21:52:53 (ID: 7861804)

I forgot to mention... This kind of attack typically does not leave a payload. You don't have to worry about any virus, worm or backdoor left behind. Although, it is not a bad idea to do a full virus scan and install all the latest IIS patches (SP3 + post SP3).

Also download and use the IIS Lockdown tool. You can download it from:

http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp

- Hans

 

by: ApexTx, posted on 2003-02-03 at 16:52:48 (ID: 7871545)

Thanks for the help TKK, I had to go ahead and rebuild. I've learned quite a bit going through this mess and I don't think I can totally keep them out, but I feel like it's not going to be easy for them this time around either. Thanks for the links, good information.

 

by: Raisor, posted on 2003-02-20 at 05:01:14 (ID: 7986922)

Hi,

This is what happened to me:

http://www.hermitscave.org/forum/index.php?final_uri=.%2Fdiscussion.php%3Fmsg%3D7229.1

There I found answers about WAREZ directories:

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14543

And this helped me a lot not to get the same problem again:

http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

Best regards, Raisor

 

by: Otta, posted on 2003-02-20 at 08:15:55 (ID: 7987702)

> This kind of attack typically does not leave a payload.
> You don't have to worry about any virus, worm or backdoor left behind.

Do you want to bet your job on that statement? The hacker(s) "owned" your computer, and unless you want to spend about a week doing a forensic analysis of your computer, you cannot prove that there are no "back-doors". (What if the hacker configured and started the TELNET-server on your computer -- the hacker can get a command-line prompt on your computer by simply entering: telnet your.system 23456 if the TELNET-server is "listening" on port 23456.)

You _must_ rebuild, and patch, if you want to keep your job.

 

by: hans_larson, posted on 2003-02-20 at 11:04:26 (ID: 7988654)

Otta,

It sounds like you are holding on to dear life to your job. It's the way of the uneducated, uninformed and paranoid.

To answer your question, I will bet my job on my statement. As a matter of fact, I will bet my company on that statement.

Read the rest of the post and you will see “Although, it is not a bad idea to do a full virus scan and install all the latest IIS patches (SP3 + post SP3)."

The first time we ran into this problem, we analyzed the system for 9-days. 4 guys working on it, 2 of them specialists and well known and respected in the industry with more than 10-years of experience. I am sure that is way more than your limited knowledge.

"(What if the hacker configured and started the
TELNET-server on your computer -- the hacker
can get a command-line prompt on your computer
by simply entering:  telnet your.system 23456
if the TELNET-server is "listening" on port 23456."

Above is your ignorant statement... My dear friend, you can telnet to anything if the server is listening for connections on an open connection. What are you saying? Next you are probably going to tell me to be careful and patch your web server because someone can connect to it on port 80?

I think you got the message. Now go write batch files or send an email.

Yours truly,

Hans

 

by: Otta, posted on 2003-02-21 at 21:58:31 (ID: 7997605)

> Above is your ignorant statement

Ignorant -- how ignorant of you to use such "non-professional" language in this professional forum.

I have seen "hacked" Windows 2000 servers. The hacker modified the Windows Registry to start the TELNET-server on a non-standard port. So, anytime the hacker wanted, he/she could just TELNET to that port, and get a command-line prompt, namely 'C:\', with full administrative privileges to once-again "hack" into the computer.

> we analyzed the system for 9-days.
> 4 guys working on it,
> 2 of them specialists and well known and respected
> in the industry with more than 10-years of experience.

It must be wonderful to have the time and resources to waste 4 times 9 days times 7 hours times $50 per hour, namely $12600, to do a forensic investigation.

> I am sure that is way more than your limited knowledge.

Even with my limited knowledge, I can predict that after spending $12600, you still would decide to re-format and then re-install everything.

My method would "save" my employer over $12 thousand dollars.

Any cost/benefit analyst would probably give me a promotion for _initially_ making the _only_ correct decision, namely to rebuild.

 

by: Otta, posted on 2003-02-21 at 22:07:07 (ID: 7997625)

> I have had this happen to me
> They upload movie files to your FTP site
> and you cannot delete the folders or the files, right?

Use 'rmdir' with the '/?' keyword to discover the "secret" option to delete _BOTH_ the directory _AND_ all the files (no matter what names they have) inside that directory.

> They called it "Tagged"

No, you're very wrong.

A "tagged" site contains a directory created by the hacker, and the name of the directory contains the nick-name of the hacker, and the time-stamp of the directory proves that the hacker was the _FIRST_ hacker to "find" your very-insecure server.

Compare it to the first persons to climb Mount Everest; they "tagged" the mountain, by leaving flags from their countries on the top of the mountain, so that the next person to complete the ascent would find their "tag".
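hans_larson's note about reserved names (com1, com2, ...) and Otta's rmdir advice describe the same mechanic: Win32 refuses to address such names through normal tools. As an added example, not code from this thread or from Microsoft, the Python script below flags the entries in a directory listing that an admin will not be able to remove normally and builds the `\\?\` form of each path, which disables Win32 name normalisation so that `rmdir /s /q` or `del` can address the entry. The listing and the path `C:\inetpub\ftproot` are constructed for the example.

```python
r"""Flag FTP-dropped entries whose names Win32 treats as reserved device
names (the "undeletable" warez-tag trick) and build the \\?\ form of the
path that del / rmdir can still address.  Added example for this thread,
not code from Microsoft or any poster; the listing below is constructed."""
import ntpath
import os
import re

# Win32 reserved device names: case-insensitive, reserved even with an
# extension (COM1.avi, nul.tar.gz).  Only COM1-9 / LPT1-9, so COM10 is fine.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def classify(name):
    """Return 'reserved', 'trailing' (name ends in a space or period, which
    Win32 silently strips) or None for an ordinary name."""
    if name != name.rstrip(" ."):
        return "trailing"
    if name.split(".", 1)[0].upper() in RESERVED:
        return "reserved"
    return None


def extended_path(path):
    r"""Prefix with \\?\ so the path reaches NTFS without device-name or
    trailing-character normalisation.  C:\x -> \\?\C:\x, \\srv\s -> \\?\UNC\srv\s"""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + path[2:]
    if not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("need an absolute drive or UNC path: %r" % path)
    return "\\\\?\\" + path


def find_undeletable(paths):
    """(path, reason, extended form) for every listing entry that needs it."""
    hits = []
    for p in paths:
        reason = classify(ntpath.basename(p))
        if reason:
            hits.append((p, reason, extended_path(p)))
    return hits


def scan_tree(root):
    r"""Same check over a live Windows tree; walking via the \\?\ form keeps
    os.walk itself from tripping over the reserved names."""
    return [(ntpath.join(d, n), classify(n))
            for d, dirs, files in os.walk(extended_path(root))
            for n in dirs + files if classify(n)]


# Constructed listing of an anonymous-write FTP root after a "tag"
SAMPLE = [
    r"C:\inetpub\ftproot\index.html",
    r"C:\inetpub\ftproot\com1",
    r"C:\inetpub\ftproot\com1\lpt1.avi",
    r"C:\inetpub\ftproot\tagged by xyz ",   # trailing space
    r"C:\inetpub\ftproot\com10",             # not a reserved name
]

if __name__ == "__main__":
    for path, reason, ext in find_undeletable(SAMPLE):
        print(f'{reason:9} {path}\n          rmdir /s /q "{ext}"')
```

On a real server run `scan_tree(r"C:\inetpub\ftproot")` from Python on the Windows host; the printed rmdir lines are what to paste into cmd once the entries have been reviewed.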

 

by: TexArcana, posted on 2003-03-06 at 06:56:24 (ID: 8080451)

Sounds to me like someone needs to switch from Micro$oft swiss cheese to a Linux product.

 

by: Otta, posted on 2003-03-06 at 09:03:05 (ID: 8081618)

> switch to Linux:

well-known Linux vulnerabilities:
* http://www.sans.org/y2k/ramen.htm ("Ramen")
* http://www.sans.org/y2k/adore.htm ("Adore")
* http://www.sans.org/y2k/t0rn.htm  ("t0rn root-kit")
* http://www.incidents.org/react/lion.php ("l10n")

'nuff said.

 

by: tnguy, posted on 2003-03-09 at 18:14:27 (ID: 8100127)

Hans and Otta,

May I request that you two meet somewhere _else_ to continue your verbal assaults? This type of exchange is not _Expert_, lowers the apparent (to visitors) quality and professionalism of these forums, and frankly, makes me sick!

tnguy

 

by: hans_larson, posted on 2003-03-09 at 18:48:14 (ID: 8100237)

Thanks for voicing your opinion. ApexTx's question has been answered - he selected an answer and we all said what we wanted to. Are you looking for brownie points?

If any community support users see this, please give this guy 5 points to shut him up.

Who are you?? Where did you come from?? You're 5 weeks late!

Everyone that commented on this question is getting an email every time you post something here. Quite frankly I'm getting sick of receiving email related to this.

Tnguy, find something better to do with your time!

 

by: TexArcana, posted on 2003-03-11 at 16:38:07 (ID: 8115718)

Otta sez:
"well-known Linux vulnerabilities:
* http://www.sans.org/y2k/ramen.htm ("Ramen")
* http://www.sans.org/y2k/adore.htm ("Adore")
* http://www.sans.org/y2k/t0rn.htm ("t0rn root-kit")
* http://www.incidents.org/react/lion.php ("l10n")

'nuff said."


Hm, 4 vulnerabilities versus about 10,000, and you have to pay for the privilege to own the one with 10,000 and endure the snooping they do. Hm. I don't know about you, but the free one is still the better deal, and way more reliable.

'nuff said.

out.

 

by: Otta, posted on 2003-03-11 at 22:36:11 (ID: 8117372)

> 4 vulnerabilities versus about 10,000,

I'm surprised that you didn't mention
http://WWW.TrustWorthyComputing.com
in your rant.  :-)

 

by: TexArcana, posted on 2003-03-12 at 07:10:59 (ID: 8119942)

Who needs to?? The evidence is there. Back when I got broadband (1997), I got hacked because my Windows box was vulnerable as hell. I tried the Win98 connection sharing, but that was a failed bit as well, because it wasn't reliable at all. So I dragged out the old PackardBell P90, loaded Red Hat 5.x, set it up as a firewall, and that box ran constantly and uninterrupted until last month, when I swapped it for a Smoothwall box. If that firewall was a Windows box, we *all* know it would've been hacked the second someone figured it out. It would've crashed constantly, and would've been infected almost immediately.

So you tell me, which is the better OS?  Especially given M$'s penchant for snooping, compromising security, and monopolistic actions?  Can you *really* trust M$ to deliver a product that protects your privacy and rights, especially in the face of *their* profits??

I think we all know *that* answer!

 

by: Otta, posted on 2003-03-12 at 08:06:14 (ID: 8120371)

--Microsoft and Red Hat Earn Security Awards
Microsoft earned recognition in three categories of SANS 2003
Information Security Leadership Awards, including automated patching
and training programmers to write safer code. Red Hat also was
recognized for automated patch notification.

http://www.computerworld.com/securitytopics/security/story/0,10801,79164,00.html
