[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


IIS 5 was hacked!!!!!!!!!!!!!!!!!!!!

Posted on 2002-03-06
Medium Priority
Last Modified: 2012-05-04
howdy looks like someone or something got into my box

I noticed references to cmd.exe in my log files also my log files are now encrypted and a file was added to my web root and attempts to auto download when the default page is opened. has anyone had this happen if so how can i fix all this

Question by:hilltop
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 32

Expert Comment

ID: 6844456
Since you don't know for sure what happened and perhaps cannot recover your encrypted logs, I'd suggest drastic action.

1) Immediately remove this system from all networks by physically unplugging its cable.  Prevent further damage to this system and possible attacks on other systems.

2) Check all other systems on your network for any sign of tampering.  Remove them from the network also if they appear to be compromised in any way.

3) I'd make an image of the hard drive(s) to a CD-R or tape and then FORMAT the hard drive(s) and do a clean install of NT.  If you can't image the drives, just remove them and install new drives.  This time, be sure you get the long-ago released security patches that stop the CMD.EXE exploit.

4) Carefully recover any data from your backup images.  Never pull any EXE, COM, BAT, DLL, ASP, or other potentially compromised file from your backup.  Basically anything that has executable content is a danger!!

Good luck.  There are no shortcuts here.  But if you try to take any you'll never be sure you are safe.

Author Comment

ID: 6844736
It appears upon a bit of research this was the W32/NIMBDA Virus. I ran the remover from sysmantec it seems to have fixed the problem. I would really like more info on the CMD.exe exploit fix I have the most recent security updates available at windowsupdate.microsoft.com

Author Comment

ID: 6844737
but was still infected
On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

LVL 11

Expert Comment

ID: 6845025
Do you have any open shares on your system?  i.e. everyone/full control?  It should not be possible to get infected with Nimbda if you are patched current?  Have you run HFNETCHK on it?
LVL 32

Accepted Solution

jhance earned 160 total points
ID: 6845027
There are a number of exploits on this and they all are related to cross-directory traversal using unicode or bogus characters in the URL.  These exploits are well known and I'm surprised your system lasted this long.  NIMDA has been around since Sept 2001 and has infected 1000s and 1000s of servers.  I see it's activity constantly in my server logs.

Microsoft has a rollup security patch for IIS5/W2K that you should have installed.


Author Comment

ID: 6845268
thank you very much

Featured Post

What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Have you ever run into that annoying problem where the computer won't boot?  Wouldn't it be great if you had a tool that would make that disk boot again?  I have found one tool that works more often than not ...
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question