Hacking Problem

I think a hacker is playing with my server. But he is very nice just making or copying some music and video files to my HDD.

He created two folders called "tag" and "tagged". I can see a lot of files with 1MB,2MB, 200KB names in the root directory.

Some folders are with strange names like...

tagged\by Xavious\scanned by jimmy\com1\
.taGGed\bY penguin\com1\superlabber\.....

Any ideas or thoughts??? or How can I get the ip address of this hacker?
Housenet Commented:
rajans, here's what's going on... Someone is testing your server for its viability as a "warez file drop zone".
Here's the procedure.
1. Run a scanner on a large group of IPs checking for such things as: anonymous FTP with write permissions; remote upload & command execution vulnerabilities.
2. They send files that equal exactly 1MB, 2MB, 5MB to measure the subsequent average download average.
3. Create folder structures using reserve names like ". temp ", COM1 to make deleting the folders more difficult.
4. Upload the latest applications & games the typical warez seeker would desire to the server.
5. Spread knowledge of the existence of all the illegal software available for download from your server.
-They do this by coding their web sites with links to the files, or spreading the news to the warez communities on IRC channels and other chat groups.

-Here's how you fight back.. Answering each step.
1. Purchase a Nat firewall. Set your addresses to not respond to icmp traffic & if possible purchase a firewall-router that can detect scans & attacks.
2. Do not allow anonymous access with write permissions. Scan your server from outside your network for the existence of known vulnerabilities. Apply the numerous patches required for security enhancement.
3. Use the rm.exe to remove the reserve name folders. You can download this from microsoft, & it is also in the i386\posix folder on the nt4 resource kit CD.

4. & 5. IIS's default settings do log access. You should be able to obtain some IP information about the source of these connections by looking in the iislogs folder.
-You could enable auditing on the folders they created & enable more extensive logging in IIS for a short period if you wish to obtain more solid evidence to wage complaints about users with ISPs or prosecute.
> How can I get the ip address of this hacker?
You might not, he/they are mostly cloaked. On unix use tcpdump. You can try having your ISP take note to block them off.

> He created

sexist pig ! (but it is rather appropriate stereotype, huh)

> names in the root directory.

Very bad!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Unplug now and stay off net. Read no more

> I think a hacker is

You have a minimum of three, more likely 23

> But he is very nice just making or copying some music and video files to my HDD.

Good. Not yet one with bad behavior. Some don't like losing your generosity, and will blacklist you if you don't
(they change habit to do unnice things, providing you deletions and downtime for not cooperating)

You have put up your server online before upgrading it, patching it, and securing it properly. I am not sure this can be properly called a server, leastwise not yours (anymore)

Most likely you run an MS OS, and opened up FTP capabilities for anyone who might want to say "ILuvYou".

Most likely you now have some files and directories you won't figure out how to delete... by yourself.

Most likely... THEY think THEY own you, and are doing some advertising for you. Should get you more attention and hits. This usually leads to access to less nice people, who don't realize that when they use up all your HD and you go down, that they too lose benefit of free access to your HD. They'll of course blame you for their error (assuming unlimited space). Happened to Morris, that long ago.

Best thing for HD is go offline and completely rebuild. I'm sorry, but there are some baddies still out there, I recommend you do what you can to get a different IP address when you come back online.

If you feel like being friendly, consider posting a note for ftp-ers, that they should be aware of the recent roundup feds made of 200, and that they are preparing to round up another batch of people performing such acts. A 24-hour warning that you are shutting down accordingly. Might buy you some graces if you still have holes when you get back online. If you are really P-O'd and have the time... of course, call in the feds now, leave server up so they can gather the additional evidence to use for their next roundup.
If you ask them kindly, then ask them to begin removing items, you do not mind them staying in certain area (of hd), but line must be drawn.

> of this hacker?

original hacker gone, at least for awhile. What you have now is mainly the ones using you for copy processes, as an extra disk drive, as a way station to maintain copies and backups for others, and for distributions.
This can lead to address hijacking, another blot on your good name, but more likely they'll stick to files while half your disk remains empty.
rajansAuthor Commented:
thanks SunBow.. But do u know anything about 1MB 1MB 200KB files? or How did they controlled or attacked the PC
rajansAuthor Commented:
Housenet, thanks for the valuable information.
rajansAuthor Commented:
I got some interesting logs.. Check this out..

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-02-17 13:45:18
#Fields: time c-ip cs-method cs-uri-stem sc-status
13:45:18 [1]USER anonymous 331
13:45:54 [1]PASS anonymous@on.the.net 230
13:46:53 [1]sent /1mb 550
13:46:59 [1]created 1mb 426
13:47:29 [2]USER anonymous 331
13:47:29 [2]PASS anonymous@on.the.net 230
13:47:39 [2]sent /1mb 226
13:48:32 [2]created 1mb 226
13:48:56 [2]MKD /+.taGGed 257
13:49:19 [2]MKD /+.taGGed/+bY+penguin 257
13:49:31 [2]MKD /+.taGGed/+bY+penguin/com1+/+ 257
13:49:46 [2]MKD /+.taGGed/+bY+penguin/com1+/superlabber 257
13:50:09 [2]MKD /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~ 257
13:50:38 [2]MKD oO+Moviez+Oo 257
13:51:06 [2]MKD /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP 257
13:51:12 [2]MKD /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/@bANDITOS-STUFF@ 257
13:51:19 [2]MKD /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/CD1 257
13:51:21 [2]sent /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/CD1/acp-rh21.sfv 550
13:51:24 [2]created acp-rh21.sfv 226
13:51:29 [2]MKD /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/CD1/@bANDUITOS-STUFF@ 257
13:51:35 [2]sent /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/CD1/acp-rh21.r00 550
14:00:50 [2]created acp-rh21.r00 226
14:06:11 [2]sent /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/CD1/acp-rh21.r00 226
14:07:08 [2]created acp-rh21.r00 226
14:07:08 [2]sent /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/CD1/acp-rh21.r01 550
14:17:05 [2]created acp-rh21.r01 226
14:17:05 [2]sent /+.taGGed/+bY+penguin/com1+/superlabber/~~+FOR+SCENEBOARD+~~/oO+Moviez+Oo/Rush.Hour.2.Line.Dubbed.German.SVCD-ACP/CD1/acp-rh21.r02 550
14:20:22 [2]created acp-rh21.r02 226
14:20:29 [2]sent

But I cannot trace any of his IP addresses. Any idea?
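A defender reading logs like the ones above would want the drop-zone indicators Housenet listed (anonymous login followed by MKD, folders named after reserved device names like com1, "tagged" trees, 1MB/2MB size-probe files) pulled out per session automatically. This is an added example, not code from the thread; its log lines are constructed in the layout the #Fields header above gives, with documentation-range IPs, and because the excerpt posted in the thread shows no c-ip value the parser treats that column as optional.

```python
"""Pull warez-drop indicators out of IIS 5 FTP log lines (W3C format).

Added example, not from the thread. SAMPLE_LOG is constructed to follow the
'#Fields: time c-ip cs-method cs-uri-stem sc-status' layout, with the [n]
session number prefixed to the method as the thread's excerpt shows."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Windows reserved device names; a folder so named resists normal deletion,
# which is why the drop-zone tree in the thread sits under "com1".
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} \
    | {f"LPT{i}" for i in range(1, 10)}
SIZE_PROBE = re.compile(r"^\d+(kb|mb)$", re.I)   # 1mb, 2MB, 200kb test files
# c-ip is optional: the excerpt posted in the thread carries no value there.
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (?:(\S+) )?\[(\d+)\](\w+) (.*?) (\d{3})$")

SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
13:45:18 203.0.113.7 [1]USER anonymous 331
13:45:54 203.0.113.7 [1]PASS anonymous@on.the.net 230
13:46:53 203.0.113.7 [1]sent /1mb 550
13:46:59 203.0.113.7 [1]created 1mb 226
13:48:56 203.0.113.7 [1]MKD /+.taGGed 257
13:49:31 203.0.113.7 [1]MKD /+.taGGed/+bY+penguin/com1+/+ 257
13:50:09 203.0.113.7 [1]MKD /+.taGGed/+bY+penguin/com1+/superlabber 257
14:02:10 192.0.2.25 [2]USER alice 331
14:02:11 192.0.2.25 [2]PASS - 230
14:02:30 192.0.2.25 [2]sent /reports/q1.csv 226
"""


def scan(log_text):
    """Return {(c-ip, session): [distinct findings]} for suspicious sessions."""
    anonymous = set()
    findings = defaultdict(list)

    def note(key, msg):
        if msg not in findings[key]:
            findings[key].append(msg)

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # '#' header lines, partial lines
        _, ip, sid, method, uri, _status = m.groups()
        key = (ip or "?", sid)
        if method == "USER" and uri.lower() == "anonymous":
            anonymous.add(key)
        # IIS logs spaces in paths as '+'; decode before checking names.
        parts = [p for p in unquote_plus(uri).split("/") if p]
        if method == "MKD" and key in anonymous:
            note(key, f"anonymous MKD {uri}")
        for p in parts:
            if p.strip(" .").upper() in RESERVED:
                note(key, f"reserved device name in path: {p!r}")
            if "tagged" in p.lower():
                note(key, f"tag directory: {p!r}")
        if method in ("sent", "created") and parts and SIZE_PROBE.match(parts[-1]):
            note(key, f"size-probe upload {parts[-1]}")
    return dict(findings)
```

Session 2 (a named user downloading a report) produces no entry, while session 1 collects every indicator the thread describes, keyed by the client IP so the findings can go into a complaint to the ISP.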
rajansAuthor Commented:
anyone can help me to trace those ip address ?
rajansAuthor Commented:
anyone can help me to trace those ip address ?
I looked up the ip addresses on Netcraft. is Electronic Systems Inc. running ssws 1.1 on an NT4/windows 98 platform is OBERON running IIS4.0 on NT4/windows98 platform

Knowing that is not going to help you, because those addresses were hijacked, or used for routing.  Or it may just be the address the hackers were using at the time.  It is very unlikely that you will find the bad guys at those addresses.

rajansAuthor Commented:
You are right. But I was trying all the possible methods. But how can they use any IP address for routing if they don't have permission on that network? Is it something related to spoofing?
They take control of anything that is not secured, just like they are using your hard drive.  Notice that both of those servers are running a Microsoft operating system, which means anything not specifically secured is wide open.

rajansAuthor Commented:
Cobol, what is ssws 1.1 ???
Simple, Secure Web Server.

rajansAuthor Commented:
More logs...

11:07:33 [6]USER anonymous 331
11:07:33 [6]PASS anonymous@on.the.net 230
11:07:33 [6]sent /tagged/by+Xavious/scanned+by+jimmy/com1/©/Dont.Say.A.Word.DVDRip.DivX-DiAMOND 550
11:07:39 [6]QUIT - 226
13:31:25 [7]USER anonymous 331
13:31:25 [7]PASS anonymous@on.the.net 230
13:31:25 [7]sent /tagged/by+Xavious/scanned+by+jimmy/com1/©/Dont.Say.A.Word.DVDRip.DivX-DiAMOND 550
13:31:53 [7]QUIT - 226

What does anonymous@on.the.net mean?
Hello rajans,
-Anonymous on the net is an internet privacy application that pipes all your traffic through their servers. The server strips out all personal information about you while you use the internet. A simple way to obscure your identity while using the internet.

-Your logs clearly show you allow anonymous users to create folders & upload files, therefore the person who did this technically has not done anything wrong. They are only guilty of unethical behavior which would result in a warning at best.
-Check the web access logs for evidence of port 80 violations like executing commands on your server, like this:
2002-03-08 21:52:50 - 80 GET /scripts/root.exe /c+dir 404 -
2002-03-08 21:52:50 - 80 GET /MSADC/root.exe /c+dir 404 -
2002-03-08 21:52:50 - 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-03-08 21:52:51 - 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-03-08 21:52:55 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-08 21:52:58 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-08 21:52:58 - 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-08 21:52:58 - 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir

-If I could execute commands remotely on your server there is nothing to stop me from copying your SAM file to the default www folder & downloading it. At this point I would have all your saved usernames & passwords.
-If you would like me to do a quick check of your server for such vulnerabilities, send me your address to housenet@hotmail.com.
They are using anonymous ftp for transfers.


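The port 80 probe lines Housenet quoted can be triaged the same way: decode the path once, fold the %5c backslashes, and flag traversal segments, requests for cmd.exe/root.exe and a /c+dir style query. This is an added example, not code from the thread; the sample lines are constructed in the shape of the quoted ones (c-ip logged as '-'), with one constructed 200 response added to show how a probe the server actually answered stands out from the 404 misses.

```python
"""Flag command-execution probes in IIS W3C web access log lines.

Added example, not from the thread. SAMPLE_LOG is constructed to match the
quoted layout: date time c-ip s-port cs-method cs-uri-stem cs-uri-query
sc-status, with c-ip logged as '-'."""
import re
from urllib.parse import unquote

# Executables that a remote request carrying "/c+dir" should never reach.
SHELL_TARGETS = ("cmd.exe", "root.exe")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\d{3})")

SAMPLE_LOG = """\
2002-03-08 21:52:50 - 80 GET /scripts/root.exe /c+dir 404 -
2002-03-08 21:52:55 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-08 21:52:58 - 80 GET /msadc/..%5c../..%c1%1c../winnt/system32/cmd.exe /c+dir 200 -
2002-03-08 21:53:10 - 80 GET /default.htm - 200 -
"""


def normalize(stem):
    """Decode once and fold backslashes so '..%5c..' reads as '../..'."""
    # Invalid UTF-8 such as %c1%1c becomes U+FFFD rather than a path separator;
    # its presence is itself flagged below as an encoding trick.
    decoded = unquote(stem, errors="replace")
    return decoded.replace("\\", "/")


def classify(line):
    """Return a finding dict for a probe line, or None for ordinary traffic."""
    m = LINE.match(line)
    if not m:
        return None
    date, time, ip, _port, _method, stem, query, status = m.groups()
    path = normalize(stem)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("directory traversal")
    if any(ch > "\x7f" for ch in path):
        reasons.append("non-ASCII/overlong encoding in path")
    if path.lower().rsplit("/", 1)[-1] in SHELL_TARGETS:
        reasons.append("shell executable requested")
    if query.lower().startswith("/c+"):
        reasons.append("command argument in query")
    if not reasons:
        return None
    # 404 means the probe missed; a 2xx means the server answered it.
    severity = "answered" if status.startswith("2") else "probe"
    return {"time": f"{date} {time}", "ip": ip, "status": int(status),
            "severity": severity, "reasons": reasons}


def scan(log_text):
    """All findings from a block of log text, in log order."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]
```

An "answered" finding is the one to act on: it means the request reached cmd.exe, which is the condition Housenet describes for copying out the SAM file.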
rajansAuthor Commented:
thanks housenet and CD
rajans, I've noticed your account was created on 08/16/99 & you have never graded a question... Are you going to grade this one ?
rajansAuthor Commented:
Sure I will. I hv asked 4 questions and graded only one..becuase i didn't get the right answer. I think I am doing right. Am I?
> How can I get the ip address of this hacker?

NT server also has (free) Network Monitor command. Lets you focus (filter) on certain networking behaviors, for other details.

> But how can they use any IP address for routing if they don't have permission on that network? Is it something related to spoofing?

I think you have enough on that now, for admin purposes. You have to manage your server, or others will. This is not a training area, tho' they may have enough of their own proggies (shared) by now.

In addition to managing ftp & file permissions, you must upgrade your operating system, for your current output shows a number of internationally known vulnerabilities. (How many copies of explorer and root do you really need, after all?)

>  A simple way to obscure your identity while using the internet.

Wanna-be's take note: while obscured to recipients, such as rajans, it is not so obscure either at or prior to the provider. While one may never know that, for example, a handful of anonymous providers are actually run by federales, the internet is public, after all, and the contents of identities do remain available. (you can run, but you cannot hide)

> running IIS4.0 on NT4

Interestingly, prior versions of IIS had not that vulnerability. Upgrade IIS at risk of being required to increase frequency of essential upgrades.

> anyone can help me to trace those ip address ?

What good would that do you individually? If you desire to repeat that question, the proper course is to do that to your service provider. Other people in your neighborhood are likely experiencing the same thing, whether they know it or not, maybe friends of yours, and a better way to have collective voice is through ISP or your service provider.

> The server strips out all personal information about you

Which may be recorded, possibly for trading purposes when the MIB come knocking

> I can see a lot of files ..in the root directory.

Not a good thing to add to root. Stop that.

> to do a quick check of your server for such vulnerabilities

Many web sites will do some of that as well, including traditional A/V like Symantec and Intellectuosos like gibson (grc)

> you allow anonymous users

Maybe that is what you desire, becoming a host, and compiling collections. You are then getting your wish come true

> or How did they controlled or attacked the PC

You have not upgraded. There have been many attacks over the past year, who knows any more how many infestations you have sustained, or what was done consequential.

What you learned is that lately there are 'some' who, in club fashion, are sharing that your site is 'available' to suit their purposes

> Create folder structures using reserve

I do still wonder on that tool. Most that I've seen commonly available do some pre-edits, disallowing. Assuming it is older wares

> to measure the subsequent average download average

hmm, interesting thought, cointelpro preemption, drop off to look like running a 300 baud modem... let them pass that info around about how your speed s@cks
I remain more liberal, or wanting to be..

> They are only guilty of unethical behavior which would result in a warning at best.

For the way I phrased it above, if you are a provider of anonymous access, and that is what they use, then there is no question. But also above I mentioned over 200 recent arrests for this kind of activity. The feds have lists of thousands, but processing time, paperwork, court costs, they just rounded up the top abusers at the time. What could they have done that is worse?

> Rush.Hour.2.Line.Dubbed.German

If, for example, they have been moving copyrighted material around, say movies, for international trading (profit?) then there are a few laws that will get cited. I dunno but a case could be made for dumping on you the names that are hard to delete. I think they could allege a form of denial of service, your capability to manage your own disk is diminished.

But I haven't kept up on news since arrests, like what charges are, and whether that varies much based on their location. Has anyone here heard?

First thing usually happens is there's a knock on the door where they live, a paper is shown, and strangers rummage about the house confiscating anything that looks like computer equipment or notes, especially financial. Where sound and film have role, the VCR, CD, tape, and dvd may also get carted away. A local reporter will likely help contribute to myth that a teenage boy was involved, and his mom is upset that all her carefully prepared tax records have now gone missing. Such fun it can be for some, huh.

As you are now a host site, beware, it can happen to you. Especially in an election year (go figure)

Answer: get the service packs and patches. Take offline. Rebuild with upgrades. Add security for filesystem. Try to get an alternate address and name that is not already broadcast to so many others. That attention you don't need. Once secured, then consider plugging in to network.

Consider, you don't really have to be an ftp host site, do you?
> Sure I will. I hv asked 4 questions and graded only one..becuase i didn't get the right answer. I think I am doing right. Am I?

Something to beware of, a few EE moderators are now grading for you, deciding who wins. Or they let you decide and change grade on you. IMO slightly less friendly than before.

I think EE is a database of answers. (gullible). So any question/thread that has content that could have value to someone should be PAQd. Some people are so happy they award multiple answers to same question. Sometimes an answer is perfect. An 'A'. Sometimes no answer is perfect, so alternative grades area available, as a rating. Sometimes answer is better than 'A' so points for question are increased. This can be used when people search for prior information on the subject, for they have to spend points before they get to see the answer, and the grade can help them to prejudge the possibility of a fitting answer if the (reduced) points are spent on the PAQ.

> I hv asked 4 questions and graded only one..becuase i didn't get the right answer.

Maybe you want too much perfection.  Too hard to please. But I dunno. If I saw other questions I forgot already. Maybe there was no good answer possible. Or no responses.

> I think I am doing right. Am I?

But most people can grade more than one a year. You might want to surf EE for other threads, search the database, to compare how others grade.

> Sure I will.

Then you should. And not wait for some anonymous moderator at experts-exchange.com (a host that cloaks identity of users) to do it for you (and give up your rights)

Hmm, in this thread you have had reasonable contributions from more than one. You do know, that no one here is paid, this is free site, and you (I take it) have not paid (I hear there is an option to pay if you want to)

> thanks housenet and CD

the only way they can get reward is to feel your goodwill, or to receive the token of points.

> , send me your address to

Come to think of it, there are other ways to 'reward' or to be 'vulnerable'. Generally, posting news about your site being 'open', even free advertising, can do; putting up eMail addresses can lead to eSpam and eWorm....

So I gotta ask - seen any of that? Getting any spam? For some reason, I got none to date. Wondering. Try mailto: anonymous@noSpam.com ;-)
rajansAuthor Commented:
What are u talking about SunBow?????
rajans, I'll admit I don't like the B grade.. but "What are u talking about SunBow?????" makes up for it. I can't say I've ever understood anything SunBow has ever said. It always looks like crazy talk to me...
rajansAuthor Commented:
Sorry about the B grade....I think SunBow is a "consultant" He is talking too much without any base
rajansAuthor Commented:
SunBow,  Just kidding...Take it easy man!!!!