Solved

IIS 5 was hacked!!!!!!!!!!!!!!!!!!!!

Posted on 2002-03-06
7
150 Views
Last Modified: 2012-05-04
howdy looks like someone or something got into my box

I noticed references to cmd.exe in my log files also my log files are now encrypted and a file was added to my web root and attempts to auto download when the default page is opened. has anyone had this happen if so how can i fix all this

0
Comment
Question by:hilltop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 6844456
Since you don't know for sure what happened and perhaps cannot recover your encrypted logs, I'd suggest drastic action.

1) Immediately remove this system from all networks by physically unplugging its cable.  Prevent further damage to this system and possible attacks on other systems.

2) Check all other systems on your network for any sign of tampering.  Remove them from the network also if they appear to be compromised in any way.

3) I'd make an image of the hard drive(s) to a CD-R or tape and then FORMAT the hard drive(s) and do a clean install of NT.  If you can't image the drives, just remove them and install new drives.  This time, be sure you get the long-ago released security patches that stop the CMD.EXE exploit.

4) Carefully recover any data from your backup images.  Never pull any EXE, COM, BAT, DLL, ASP, or other potentially compromised file from your backup.  Basically anything that has executable content is a danger!!

Good luck.  There are no shortcuts here.  But if you try to take any you'll never be sure you are safe.
0
 
LVL 2

Author Comment

by:hilltop
ID: 6844736
It appears upon a bit of research this was the W32/NIMBDA Virus. I ran the remover from sysmantec it seems to have fixed the problem. I would really like more info on the CMD.exe exploit fix I have the most recent security updates available at windowsupdate.microsoft.com
0
 
LVL 2

Author Comment

by:hilltop
ID: 6844737
but was still infected
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 11

Expert Comment

by:geoffryn
ID: 6845025
Do you have any open shares on your system?  i.e. everyone/full control?  It should not be possible to get infected with Nimbda if you are patched current?  Have you run HFNETCHK on it?
0
 
LVL 32

Accepted Solution

by:
jhance earned 40 total points
ID: 6845027
There are a number of exploits on this and they all are related to cross-directory traversal using unicode or bogus characters in the URL.  These exploits are well known and I'm surprised your system lasted this long.  NIMDA has been around since Sept 2001 and has infected 1000s and 1000s of servers.  I see it's activity constantly in my server logs.

Microsoft has a rollup security patch for IIS5/W2K that you should have installed.

0
 
LVL 32

Expert Comment

by:jhance
ID: 6845053
0
 
LVL 2

Author Comment

by:hilltop
ID: 6845268
thank you very much
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
When using a search centre, I'm going to show you how to configure Sharepoint's search to only return results from the current site collection. Very useful when using Office 365 with multiple site collections.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question