• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 182

Someone/Something is using our server and I can't stop it! =0(

Over the last few weeks random files have been appearing on my server. They are randomly named (and sometimes no name) and are very deeply nested with folders like com1, lpt1 and such. Below is an example of the dir output with the structure and the creator listed.

 Directory of D:\Shared\

04/19/2005  06:43a      <DIR>          BUILTIN\Administrators .
04/19/2005  06:43a      <DIR>          BUILTIN\Administrators ..
04/19/2005  06:43a      <DIR>          ---                       . %d .com1   2.83
04/19/2005  06:42a      <DIR>          ---                       . %d .con    4.31
04/19/2005  06:42a      <DIR>          ---                       . %d .nul    1.83
04/19/2005  06:43a      <DIR>          ---                      . %d .com3   3.9
04/19/2005  06:42a      <DIR>          ---                     . %d .com2     1.15
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          BUILTIN\Administrators ..
04/19/2005  06:43a      <DIR>          ---                       . %d .aux  1.71
04/19/2005  06:42a      <DIR>          ---                       . %d .lpt2   4.09
04/19/2005  06:43a      <DIR>          ---                       . %d .prn.hsp.laserjet    2.66
04/19/2005  06:43a      <DIR>          ---                      . %d .aux0   3.13
04/19/2005  06:43a      <DIR>          ---                      . %d .lpt3    2.19
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                    . %d . 2.12
04/19/2005  06:43a      <DIR>          ---                    . %d .aux 1.45
04/19/2005  06:42a      <DIR>          ---                    . %d .aux 1.91
04/19/2005  06:43a      <DIR>          ---                    . %d .com3 1.3
04/19/2005  06:42a      <DIR>          ---                    . %d .nul 2.41
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d . 2.12

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d . 2.12 \ ;[[Scan By Milka]];

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.45

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
04/19/2005  06:43a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.45 \ ;[[Scan By Milka]];

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.91

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.91 \ ;[[Scan By Milka]];

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .com3 1.3

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
04/19/2005  06:43a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .com3 1.3 \ ;[[Scan By Milka]];

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .nul 2.41

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .nul 2.41 \ ;[[Scan By Milka]];

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .lpt2   4.09

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                    . %d .aux0 3.17
04/19/2005  06:42a      <DIR>          ---                    . %d .com2 2.06
04/19/2005  06:42a      <DIR>          ---                    . %d .lpt2 2.39
04/19/2005  06:42a      <DIR>          ---                    . %d .nul 2.5
04/19/2005  06:42a      <DIR>          ---                    . %d .prn.hsp.laserjet 2.88
               0 File(s)              0 bytes

OK, here is where the stuff hits the fan; now directories like the one below are showing up.

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ?˜ Y úúyú ?ú ?Zy?Z  X\. Tag For ANGEL-BLACK & Sc Screw\.   tag Bill Gates - scan j.w. Bush\.  up by\The Bo$$

04/20/2005  06:59a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/20/2005  06:59a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/18/2005  06:07a          15,000,000 ---                    Le Vol du Phoenix.part01.exe
04/18/2005  05:57a               5,262 ---                    Le Vol du Phoenix.part01.SFV
04/18/2005  06:18a          15,000,000 ---                    Le Vol du Phoenix.part02.rar
04/18/2005  06:28a          15,000,000 ---                    Le Vol du Phoenix.part03.rar
04/18/2005  06:39a          15,000,000 ---                    Le Vol du Phoenix.part04.rar
04/18/2005  06:49a          15,000,000 ---                    Le Vol du Phoenix.part05.rar
04/18/2005  06:59a          15,000,000 ---                    Le Vol du Phoenix.part06.rar
04/18/2005  07:10a          15,000,000 ---                    Le Vol du Phoenix.part07.rar
04/18/2005  07:27a          15,000,000 ---                    Le Vol du Phoenix.part08.rar
04/18/2005  07:43a          15,000,000 ---                    Le Vol du Phoenix.part09.rar
04/18/2005  07:53a          15,000,000 ---                    Le Vol du Phoenix.part10.rar
04/18/2005  08:04a          15,000,000 ---                    Le Vol du Phoenix.part11.rar
04/18/2005  08:14a          15,000,000 ---                    Le Vol du Phoenix.part12.rar
04/18/2005  08:24a          15,000,000 ---                    Le Vol du Phoenix.part13.rar
04/18/2005  08:34a          15,000,000 ---                    Le Vol du Phoenix.part14.rar
04/18/2005  08:44a          15,000,000 ---                    Le Vol du Phoenix.part15.rar
04/18/2005  08:54a          15,000,000 ---                    Le Vol du Phoenix.part16.rar
04/18/2005  09:04a          15,000,000 ---                    Le Vol du Phoenix.part17.rar
04/18/2005  09:15a          15,000,000 ---                    Le Vol du Phoenix.part18.rar
04/18/2005  01:23p          15,000,000 ---                    Le Vol du Phoenix.part19.rar
04/18/2005  01:33p          15,000,000 ---                    Le Vol du Phoenix.part20.rar
04/18/2005  01:43p          15,000,000 ---                    Le Vol du Phoenix.part21.rar
04/19/2005  09:52a          15,000,000 ---                    Le Vol du Phoenix.part22.rar
04/19/2005  10:02a          15,000,000 ---                    Le Vol du Phoenix.part23.rar
04/19/2005  10:12a          15,000,000 ---                    Le Vol du Phoenix.part24.rar
04/19/2005  10:23a          15,000,000 ---                    Le Vol du Phoenix.part25.rar
04/19/2005  12:14p          15,000,000 ---                    Le Vol du Phoenix.part26.rar
04/19/2005  12:25p          15,000,000 ---                    Le Vol du Phoenix.part27.rar
04/19/2005  12:35p          15,000,000 ---                    Le Vol du Phoenix.part28.rar
04/19/2005  12:45p          15,000,000 ---                    Le Vol du Phoenix.part29.rar
04/19/2005  12:56p          15,000,000 ---                    Le Vol du Phoenix.part30.rar
04/19/2005  01:07p          15,000,000 ---                    Le Vol du Phoenix.part31.rar
04/19/2005  01:17p          15,000,000 ---                    Le Vol du Phoenix.part32.rar
04/19/2005  01:27p          15,000,000 ---                    Le Vol du Phoenix.part33.rar
04/19/2005  01:37p          15,000,000 ---                    Le Vol du Phoenix.part34.rar
04/19/2005  01:47p          15,000,000 ---                    Le Vol du Phoenix.part35.rar
04/19/2005  01:57p          15,000,000 ---                    Le Vol du Phoenix.part36.rar
04/19/2005  02:07p          15,000,000 ---                    Le Vol du Phoenix.part37.rar
04/19/2005  02:17p          15,000,000 ---                    Le Vol du Phoenix.part38.rar
04/19/2005  02:33p          15,000,000 ---                    Le Vol du Phoenix.part39.rar
04/19/2005  02:43p          15,000,000 ---                    Le Vol du Phoenix.part40.rar
04/19/2005  02:53p          15,000,000 ---                    Le Vol du Phoenix.part41.rar
04/19/2005  03:04p          15,000,000 ---                    Le Vol du Phoenix.part42.rar
04/19/2005  03:15p          15,000,000 ---                    Le Vol du Phoenix.part43.rar
04/19/2005  03:25p          15,000,000 ---                    Le Vol du Phoenix.part44.rar
04/19/2005  03:35p          15,000,000 ---                    Le Vol du Phoenix.part45.rar
04/19/2005  03:46p          15,000,000 ---                    Le Vol du Phoenix.part46.rar
04/19/2005  04:02p          15,000,000 ---                    Le Vol du Phoenix.part47.rar
04/19/2005  04:21p          15,000,000 ---                    Le Vol du Phoenix.part48.rar
04/20/2005  05:45a          11,587,022 ---                    Le Vol du Phoenix.part49.rar
              50 File(s)    731,592,284 bytes

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ˜ Y˜Yúyú  ZyX

04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC. Tag For ANGEL-BLACK & Sc Screw
               0 File(s)              0 bytes

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ˜ Y˜Yúyú  ZyX\. Tag For ANGEL-BLACK & Sc Screw

04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.   tag Bill Gates - scan j.w. Bush
               0 File(s)              0 bytes

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ˜ Y˜Yúyú  ZyX\. Tag For ANGEL-BLACK & Sc Screw\.   tag Bill Gates - scan j.w. Bush

04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.  up by
04/16/2005  04:58a                 156 INTERLOCK\IUSR_INTERLOC.  up by.core
               1 File(s)            156 bytes

So, whatcha all think? Is it some hole in IIS? If so, now what? Oh, and by the way, if I try to delete them it tells me the file cannot be read from the disk.

Any help would be much appreciated.
Asked by durfwood

1 Solution
harleyjd commented:
Man, someone is using your server as an illegal FTP file dump.

Check for services running such as ftp that you don't recognise.

Audit your user accounts, particularly looking at anyone with domain admin permission.

Use Sysinternals TCPView http://www.sysinternals.com/ntw2k/source/tcpview.shtml to check for anything listening on odd ports.

That all said, it looks like the iusr_interloc account is compromised - I assume the domain is interlock and the server is interloc? I don't think it's IIS, I think it's just the IIS account that's been hacked.

Kill the tasks, delete the services, install a hardware firewall or a reliable personal one if there is no option, patch the server then never, ever speak of this again...

I once found a server where they had hidden 6GB of Dragonball Z vids under recycler\.\ \serveftp and renamed serveftp.exe to something innocent, but the service name was still serveftp.

finally - open the .rar files. It might be some good porn. :)


0
 
harleyjd commented:
Oh, yeah...

If you can't read/write, it could be the funky naming - move the folder containing the actual files to the root folder, then delete.

If that can't be done, then maybe taking ownership is the go - it's a bit hard to be sure in these cases.
0
 
durfwood (Author) commented:
That looks like it is the culprit; however, it will not let me at those files in any way, shape or form.

I have tried changing the permissions, taking ownership, and also moving the files up the ladder in its tree, and it all still says cannot read file from disk.
0
 
harleyjd commented:
Just a quickie - I found this through Google: http://www.softwarepatch.com/tips/howto-delete-xp.html

I don't offer any promises, but I am still thinking about other answers...

Did you find servftp or somesuch?

0
 
harleyjd commented:
Just extending a train of thought - can you delete it via the cmd prompt? If you can see the generated 8.3 name, then that might help.

Via Windows, try Shift-Delete - this will bypass the Recycle Bin, so that might avoid it trying to access the file while deleting...

0
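A defender-side check for the naming tricks visible in the listings in the question (reserved device names such as com1/aux/nul, space-only and trailing-space names, high-bit characters) combined with the deletion advice above. This is an added example, not code from the thread; it assumes Python 3.9+, uses constructed sample paths modelled on the question's dir output, and the `\\?\` extended-length path form it builds is a Win32 feature not mentioned on the page.

```python
import os
import re

# Win32 device names; "con.txt" or "aux.anything" are treated as devices too.
RESERVED = ({"CON", "PRN", "AUX", "NUL"} | {f"COM{n}" for n in range(1, 10)}
            | {f"LPT{n}" for n in range(1, 10)})

def why_suspicious(name: str) -> list[str]:
    """Ways Win32 path normalisation would mangle this name (the usual cause of 'cannot read from disk')."""
    reasons = []
    trimmed = name.rstrip(" .")                 # Win32 drops trailing spaces/dots
    if trimmed != name:
        reasons.append("trailing space or dot (Win32 normalisation drops it)")
    if trimmed.strip() == "":
        reasons.append("name is only spaces/dots")
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        reasons.append("control or non-ASCII characters")
    stem = trimmed.split(".")[0].strip().upper()  # part before the first dot
    if stem in RESERVED:
        reasons.append(f"reserved device name {stem}")
    else:                                       # device names buried mid-name
        hits = sorted({t.upper() for t in trimmed.replace(".", " ").split()} & RESERVED)
        if hits:
            reasons.append("device-name token " + ", ".join(hits))
    return reasons

def scan_paths(paths: list[str]) -> dict[str, list[str]]:
    """Check every component of each path; returns {path: [reasons]} for hits."""
    findings = {}
    for p in paths:
        reasons = [f"{c!r}: {r}" for c in re.split(r"[\\/]", p) for r in why_suspicious(c)]
        if reasons:
            findings[p] = reasons
    return findings

def scan_tree(root: str) -> dict[str, list[str]]:
    """Same checks over a live directory tree (e.g. the FTP root on the server)."""
    return scan_paths([os.path.join(d, n) for d, ds, fs in os.walk(root) for n in ds + fs])

def extended_length(path: str) -> str:
    r"""Prefix a full path with \\?\ so Win32 skips normalisation; rd and del accept this form."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path

# Constructed sample paths modelled on the listing in the question.
SAMPLE = [
    r"D:\Shared\ \   . %d .com1   2.83",
    r"D:\Shared\ \   . %d .com1   2.83\   . %d .aux  1.71\;[[Scan By Milka]];",
    r"D:\Shared\Sales\Q2 price list.xlsx",
]
```

Running scan_tree over the share root lists every flagged path with the reason per component; feeding a hit through extended_length gives the form to try with rd /s from a cmd prompt.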
 
durfwood (Author) commented:
The server had the Microsoft FTP product running (so our sales people could access it).
0
 
harleyjd commented:
OK, how did you go with the deleting options?
0
 
durfwood (Author) commented:
I tried the things you suggested and the files and directories still say they cannot read from the disk when I try to alter them in any way.
0
 
durfwood (Author) commented:
Using the ideas you gave, I found some articles that led me to "KB article 811176" on Microsoft's site, and option 3 set me free!!!

Thank you sooooo much for your help.
0
 
harleyjd commented:
Cool, it had to be something silly like that. It reads to me like "here's how to fix a hacked server".

I trust you're all firewalled, patched and protected now?

0
 
durfwood (Author) commented:
Yep.  =0)
0
Question has a verified solution.