IIS 5 was hacked!!!!!!!!!!!!!!!!!!!!

howdy looks like someone or something got into my box

I noticed references to cmd.exe in my log files also my log files are now encrypted and a file was added to my web root and attempts to auto download when the default page is opened. has anyone had this happen if so how can i fix all this

Who is Participating?

Improve company productivity with a Business Account.Sign Up

jhanceConnect With a Mentor Commented:
There are a number of exploits on this and they all are related to cross-directory traversal using unicode or bogus characters in the URL.  These exploits are well known and I'm surprised your system lasted this long.  NIMDA has been around since Sept 2001 and has infected 1000s and 1000s of servers.  I see it's activity constantly in my server logs.

Microsoft has a rollup security patch for IIS5/W2K that you should have installed.

Since you don't know for sure what happened and perhaps cannot recover your encrypted logs, I'd suggest drastic action.

1) Immediately remove this system from all networks by physically unplugging its cable.  Prevent further damage to this system and possible attacks on other systems.

2) Check all other systems on your network for any sign of tampering.  Remove them from the network also if they appear to be compromised in any way.

3) I'd make an image of the hard drive(s) to a CD-R or tape and then FORMAT the hard drive(s) and do a clean install of NT.  If you can't image the drives, just remove them and install new drives.  This time, be sure you get the long-ago released security patches that stop the CMD.EXE exploit.

4) Carefully recover any data from your backup images.  Never pull any EXE, COM, BAT, DLL, ASP, or other potentially compromised file from your backup.  Basically anything that has executable content is a danger!!

Good luck.  There are no shortcuts here.  But if you try to take any you'll never be sure you are safe.
hilltopAuthor Commented:
It appears upon a bit of research this was the W32/NIMBDA Virus. I ran the remover from sysmantec it seems to have fixed the problem. I would really like more info on the CMD.exe exploit fix I have the most recent security updates available at windowsupdate.microsoft.com
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

hilltopAuthor Commented:
but was still infected
Do you have any open shares on your system?  i.e. everyone/full control?  It should not be possible to get infected with Nimbda if you are patched current?  Have you run HFNETCHK on it?
hilltopAuthor Commented:
thank you very much
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.