IIS 5 was hacked!!!!!!!!!!!!!!!!!!!!

Posted on 2002-03-06
Medium Priority
Last Modified: 2012-05-04
Howdy, looks like someone or something got into my box.

I noticed references to cmd.exe in my log files. Also, my log files are now encrypted, and a file was added to my web root that attempts to auto-download when the default page is opened. Has anyone had this happen? If so, how can I fix all this?

Question by: hilltop
LVL 32

Expert Comment

ID: 6844456
Since you don't know for sure what happened and perhaps cannot recover your encrypted logs, I'd suggest drastic action.

1) Immediately remove this system from all networks by physically unplugging its cable.  Prevent further damage to this system and possible attacks on other systems.

2) Check all other systems on your network for any sign of tampering.  Remove them from the network also if they appear to be compromised in any way.

3) I'd make an image of the hard drive(s) to a CD-R or tape and then FORMAT the hard drive(s) and do a clean install of NT.  If you can't image the drives, just remove them and install new drives.  This time, be sure you get the long-ago released security patches that stop the CMD.EXE exploit.

4) Carefully recover any data from your backup images.  Never pull any EXE, COM, BAT, DLL, ASP, or other potentially compromised file from your backup.  Basically anything that has executable content is a danger!!

Good luck.  There are no shortcuts here.  But if you try to take any you'll never be sure you are safe.

Author Comment

ID: 6844736
It appears, upon a bit of research, that this was the W32/Nimda virus. I ran the remover from Symantec and it seems to have fixed the problem. I would really like more info on the CMD.exe exploit fix. I have the most recent security updates available at windowsupdate.microsoft.com

Author Comment

ID: 6844737
but was still infected

LVL 11

Expert Comment

ID: 6845025
Do you have any open shares on your system? i.e. Everyone/Full Control? It should not be possible to get infected with Nimda if you are patched current. Have you run HFNETCHK on it?
LVL 32

Accepted Solution

jhance earned 160 total points
ID: 6845027
There are a number of exploits on this and they all are related to cross-directory traversal using Unicode or bogus characters in the URL. These exploits are well known and I'm surprised your system lasted this long. NIMDA has been around since Sept 2001 and has infected 1000s and 1000s of servers. I see its activity constantly in my server logs.

Microsoft has a rollup security patch for IIS5/W2K that you should have installed.
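The accepted answer says the traversal requests are hidden behind Unicode or bogus characters, which is why a plain search for "cmd.exe" or "../" in the raw log can miss them. The following is an added example, not code from the thread: it normalizes the cs-uri-stem of constructed IIS W3C-style log lines (double percent-decoding, then folding overlong two-byte UTF-8 sequences such as %c0%af back to the ASCII byte they encode) before looking for traversal or cmd.exe, so the encoded probes that Nimda-era scanners sent stand out for review. The log field order and the decoding steps are assumptions that approximate, not replicate, how IIS 5 parsed paths.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (not from the original thread):
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2002-03-05 08:12:01 192.0.2.10 GET /default.htm 200
2002-03-05 08:12:07 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
2002-03-05 08:12:09 192.0.2.44 GET /msadc/..%255c../winnt/system32/cmd.exe 404
2002-03-05 08:13:15 192.0.2.10 GET /images/logo.gif 200
"""


def decode_overlong_utf8(raw: bytes) -> str:
    """Decode bytes leniently: an overlong two-byte sequence (0xC0/0xC1 lead byte)
    is mapped to the ASCII character it encodes, which strict decoders reject."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(out)


def normalize_path(uri: str) -> str:
    """Percent-decode twice (catches %25-wrapped sequences), fold overlong
    UTF-8, and treat backslash as a path separator, as Windows does."""
    twice = unquote_to_bytes(unquote_to_bytes(uri))
    return decode_overlong_utf8(twice).replace("\\", "/")


def is_traversal_probe(uri: str) -> bool:
    """True when the normalized path climbs directories or targets cmd.exe."""
    path = normalize_path(uri).lower()
    return "/../" in path or path.endswith("/..") or "cmd.exe" in path


def scan_iis_log(text: str) -> list:
    """Return (client ip, normalized path, status) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.startswith("#") or len(parts) < 6:
            continue  # skip blank lines, W3C '#Fields:' headers, short lines
        _date, _time, ip, _method, uri, status = parts[:6]
        if is_traversal_probe(uri):
            hits.append((ip, normalize_path(uri), status))
    return hits
```

A 200 status on a hit means the server served the request and the box should be treated as compromised, as the advice above says; a 404 still shows who was probing.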


Author Comment

ID: 6845268
thank you very much
