IIS 5 was hacked!!!!!!!!!!!!!!!!!!!!

Posted on 2002-03-06
Last Modified: 2012-05-04
Howdy, looks like someone or something got into my box.

I noticed references to cmd.exe in my log files; also, my log files are now encrypted, and a file was added to my web root that attempts to auto-download when the default page is opened. Has anyone had this happen? If so, how can I fix all this?

Question by: hilltop
Expert Comment (LVL 32), ID: 6844456
Since you don't know for sure what happened and perhaps cannot recover your encrypted logs, I'd suggest drastic action.

1) Immediately remove this system from all networks by physically unplugging its cable.  Prevent further damage to this system and possible attacks on other systems.

2) Check all other systems on your network for any sign of tampering.  Remove them from the network also if they appear to be compromised in any way.

3) I'd make an image of the hard drive(s) to a CD-R or tape and then FORMAT the hard drive(s) and do a clean install of NT.  If you can't image the drives, just remove them and install new drives.  This time, be sure you get the long-ago released security patches that stop the CMD.EXE exploit.

4) Carefully recover any data from your backup images.  Never pull any EXE, COM, BAT, DLL, ASP, or other potentially compromised file from your backup.  Basically anything that has executable content is a danger!!

Good luck.  There are no shortcuts here.  But if you try to take any you'll never be sure you are safe.

Author Comment

ID: 6844736
It appears, upon a bit of research, that this was the W32/Nimda virus. I ran the remover from Symantec and it seems to have fixed the problem. I would really like more info on the CMD.exe exploit fix. I have the most recent security updates available at

Author Comment

ID: 6844737
but was still infected

Expert Comment (LVL 11), ID: 6845025
Do you have any open shares on your system, i.e. Everyone/Full Control? It should not be possible to get infected with Nimda if you are currently patched. Have you run HFNETCHK on it?
Accepted Solution (LVL 32), jhance earned 40 total points, ID: 6845027
There are a number of exploits on this, and they are all related to cross-directory traversal using Unicode or bogus characters in the URL. These exploits are well known, and I'm surprised your system lasted this long. NIMDA has been around since Sept 2001 and has infected 1000s and 1000s of servers. I see its activity constantly in my server logs.

Microsoft has a rollup security patch for IIS5/W2K that you should have installed.
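As an added example (not code from this thread or from Microsoft), here is a small Python scanner a defender could run over IIS 5 W3C extended logs to find the requests the accepted answer describes: encoded ".." separators in the URL aimed at cmd.exe or root.exe. The log lines below are constructed, the table of overlong UTF-8 separators is an assumption limited to the forms in the sample, and all function names are mine.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample of an IIS 5 W3C extended log (not from the original
# thread). The traversal lines are the shape of "cmd.exe in the log files"
# the question describes: encoded "..\" separators aimed at cmd.exe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-06 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-06 00:01:02 10.0.0.5 GET /default.htm - 200
2002-03-06 00:01:03 10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2002-03-06 00:01:04 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-03-06 00:01:05 10.0.0.9 GET /scripts/root.exe /c+dir 404
2002-03-06 00:01:06 10.0.0.7 GET /images/logo.gif - 200
"""

# Overlong UTF-8 byte pairs that an unpatched IIS 5 decoder treated as a
# path separator. Assumption of this example: only the forms used in the
# sample are listed, so this is not a complete catalogue.
OVERLONG_SEPARATORS = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}

# Command interpreters that Nimda-era traversal requests asked for.
SHELL_RE = re.compile(r"/(cmd|root)\.exe\b")


def normalize_uri(uri: str) -> str:
    """Decode percent-escapes twice (so %255c -> %5c -> '\\'), map the
    overlong byte pairs onto the separator they stood for, then fold every
    backslash into '/' and lower-case, so one '..' check covers all forms."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    for overlong, separator in OVERLONG_SEPARATORS.items():
        raw = raw.replace(overlong, separator)
    return raw.decode("latin-1").replace("\\", "/").lower()


def parse_w3c(log_text: str):
    """Yield one dict per request line, naming columns from the #Fields
    directive so the parser is not tied to a single field layout."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, values))


def analyze(log_text: str) -> list:
    """Return the suspicious requests: decoded '..' segments (traversal)
    and/or a request for a command interpreter (shell). 'succeeded' marks a
    2xx status, i.e. the server actually served the request."""
    findings = []
    for row in parse_w3c(log_text):
        uri = normalize_uri(row.get("cs-uri-stem", ""))
        reasons = []
        if ".." in uri.split("/"):
            reasons.append("traversal")
        if SHELL_RE.search(uri):
            reasons.append("shell")
        if reasons:
            findings.append({
                "time": f"{row.get('date', '?')} {row.get('time', '?')}",
                "client": row.get("c-ip", "?"),
                "status": row.get("sc-status", "?"),
                "succeeded": row.get("sc-status", "").startswith("2"),
                "reasons": reasons,
                "uri": row.get("cs-uri-stem", ""),
            })
    return findings


def attempts_per_client(findings: list) -> Counter:
    """Count flagged requests by client address for a quick triage view."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        verdict = "SERVED" if f["succeeded"] else "attempt"
        print(f"{f['time']} {f['client']} {verdict:7} {','.join(f['reasons'])} {f['uri']}")
    print("per client:", dict(attempts_per_client(results)))
```

The '..' check runs only after decoding, which is the point: a grep for the literal string misses the double-encoded and overlong forms, while a grep for every encoding variant is never complete. A flagged line with a 2xx status is the one that matters for triage, since it means IIS served the interpreter; a 404 shows the same request was made but the patched or reconfigured server refused it.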


Author Comment

ID: 6845268
thank you very much
