
Someone/Something is using our server and I can't stop it! =0(

Over the last few weeks random files have been appearing on my server. They are randomly named (and sometimes have no name) and are very deeply nested, with folders like com1, lpt1 and such. Below is an example of the dir output with the structure and the creator listed.

 Directory of D:\Shared\

04/19/2005  06:43a      <DIR>          BUILTIN\Administrators .
04/19/2005  06:43a      <DIR>          BUILTIN\Administrators ..
04/19/2005  06:43a      <DIR>          ---                       . %d .com1   2.83
04/19/2005  06:42a      <DIR>          ---                       . %d .con    4.31
04/19/2005  06:42a      <DIR>          ---                       . %d .nul    1.83
04/19/2005  06:43a      <DIR>          ---                      . %d .com3   3.9
04/19/2005  06:42a      <DIR>          ---                     . %d .com2     1.15
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          BUILTIN\Administrators ..
04/19/2005  06:43a      <DIR>          ---                       . %d .aux  1.71
04/19/2005  06:42a      <DIR>          ---                       . %d .lpt2   4.09
04/19/2005  06:43a      <DIR>          ---                       . %d .prn.hsp.laserjet    2.66
04/19/2005  06:43a      <DIR>          ---                      . %d .aux0   3.13
04/19/2005  06:43a      <DIR>          ---                      . %d .lpt3    2.19
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                    . %d . 2.12
04/19/2005  06:43a      <DIR>          ---                    . %d .aux 1.45
04/19/2005  06:42a      <DIR>          ---                    . %d .aux 1.91
04/19/2005  06:43a      <DIR>          ---                    . %d .com3 1.3
04/19/2005  06:42a      <DIR>          ---                    . %d .nul 2.41
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d . 2.12

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d . 2.12 \ ;[[Scan By Milka]];

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.45

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
04/19/2005  06:43a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.45 \ ;[[Scan By Milka]];

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.91

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .aux 1.91 \ ;[[Scan By Milka]];

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .com3 1.3

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
04/19/2005  06:43a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .com3 1.3 \ ;[[Scan By Milka]];

04/19/2005  06:43a      <DIR>          ---                    .
04/19/2005  06:43a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .nul 2.41

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                     ;[[Scan By Milka]];
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .aux  1.71 \. %d .nul 2.41 \ ;[[Scan By Milka]];

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
               0 File(s)              0 bytes

 Directory of D:\Shared\ \   . %d .com1   2.83 \   . %d .lpt2   4.09

04/19/2005  06:42a      <DIR>          ---                    .
04/19/2005  06:42a      <DIR>          ---                    ..
04/19/2005  06:42a      <DIR>          ---                    . %d .aux0 3.17
04/19/2005  06:42a      <DIR>          ---                    . %d .com2 2.06
04/19/2005  06:42a      <DIR>          ---                    . %d .lpt2 2.39
04/19/2005  06:42a      <DIR>          ---                    . %d .nul 2.5
04/19/2005  06:42a      <DIR>          ---                    . %d .prn.hsp.laserjet 2.88
               0 File(s)              0 bytes

OK, here is where the stuff hits the fan: now directories like the one below are showing up.

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ?˜ Y úúyú ?ú ?Zy?Z  X\. Tag For ANGEL-BLACK & Sc Screw\.   tag Bill Gates - scan j.w. Bush\.  up by\The Bo$$

04/20/2005  06:59a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/20/2005  06:59a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/18/2005  06:07a          15,000,000 ---                    Le Vol du Phoenix.part01.exe
04/18/2005  05:57a               5,262 ---                    Le Vol du Phoenix.part01.SFV
04/18/2005  06:18a          15,000,000 ---                    Le Vol du Phoenix.part02.rar
04/18/2005  06:28a          15,000,000 ---                    Le Vol du Phoenix.part03.rar
04/18/2005  06:39a          15,000,000 ---                    Le Vol du Phoenix.part04.rar
04/18/2005  06:49a          15,000,000 ---                    Le Vol du Phoenix.part05.rar
04/18/2005  06:59a          15,000,000 ---                    Le Vol du Phoenix.part06.rar
04/18/2005  07:10a          15,000,000 ---                    Le Vol du Phoenix.part07.rar
04/18/2005  07:27a          15,000,000 ---                    Le Vol du Phoenix.part08.rar
04/18/2005  07:43a          15,000,000 ---                    Le Vol du Phoenix.part09.rar
04/18/2005  07:53a          15,000,000 ---                    Le Vol du Phoenix.part10.rar
04/18/2005  08:04a          15,000,000 ---                    Le Vol du Phoenix.part11.rar
04/18/2005  08:14a          15,000,000 ---                    Le Vol du Phoenix.part12.rar
04/18/2005  08:24a          15,000,000 ---                    Le Vol du Phoenix.part13.rar
04/18/2005  08:34a          15,000,000 ---                    Le Vol du Phoenix.part14.rar
04/18/2005  08:44a          15,000,000 ---                    Le Vol du Phoenix.part15.rar
04/18/2005  08:54a          15,000,000 ---                    Le Vol du Phoenix.part16.rar
04/18/2005  09:04a          15,000,000 ---                    Le Vol du Phoenix.part17.rar
04/18/2005  09:15a          15,000,000 ---                    Le Vol du Phoenix.part18.rar
04/18/2005  01:23p          15,000,000 ---                    Le Vol du Phoenix.part19.rar
04/18/2005  01:33p          15,000,000 ---                    Le Vol du Phoenix.part20.rar
04/18/2005  01:43p          15,000,000 ---                    Le Vol du Phoenix.part21.rar
04/19/2005  09:52a          15,000,000 ---                    Le Vol du Phoenix.part22.rar
04/19/2005  10:02a          15,000,000 ---                    Le Vol du Phoenix.part23.rar
04/19/2005  10:12a          15,000,000 ---                    Le Vol du Phoenix.part24.rar
04/19/2005  10:23a          15,000,000 ---                    Le Vol du Phoenix.part25.rar
04/19/2005  12:14p          15,000,000 ---                    Le Vol du Phoenix.part26.rar
04/19/2005  12:25p          15,000,000 ---                    Le Vol du Phoenix.part27.rar
04/19/2005  12:35p          15,000,000 ---                    Le Vol du Phoenix.part28.rar
04/19/2005  12:45p          15,000,000 ---                    Le Vol du Phoenix.part29.rar
04/19/2005  12:56p          15,000,000 ---                    Le Vol du Phoenix.part30.rar
04/19/2005  01:07p          15,000,000 ---                    Le Vol du Phoenix.part31.rar
04/19/2005  01:17p          15,000,000 ---                    Le Vol du Phoenix.part32.rar
04/19/2005  01:27p          15,000,000 ---                    Le Vol du Phoenix.part33.rar
04/19/2005  01:37p          15,000,000 ---                    Le Vol du Phoenix.part34.rar
04/19/2005  01:47p          15,000,000 ---                    Le Vol du Phoenix.part35.rar
04/19/2005  01:57p          15,000,000 ---                    Le Vol du Phoenix.part36.rar
04/19/2005  02:07p          15,000,000 ---                    Le Vol du Phoenix.part37.rar
04/19/2005  02:17p          15,000,000 ---                    Le Vol du Phoenix.part38.rar
04/19/2005  02:33p          15,000,000 ---                    Le Vol du Phoenix.part39.rar
04/19/2005  02:43p          15,000,000 ---                    Le Vol du Phoenix.part40.rar
04/19/2005  02:53p          15,000,000 ---                    Le Vol du Phoenix.part41.rar
04/19/2005  03:04p          15,000,000 ---                    Le Vol du Phoenix.part42.rar
04/19/2005  03:15p          15,000,000 ---                    Le Vol du Phoenix.part43.rar
04/19/2005  03:25p          15,000,000 ---                    Le Vol du Phoenix.part44.rar
04/19/2005  03:35p          15,000,000 ---                    Le Vol du Phoenix.part45.rar
04/19/2005  03:46p          15,000,000 ---                    Le Vol du Phoenix.part46.rar
04/19/2005  04:02p          15,000,000 ---                    Le Vol du Phoenix.part47.rar
04/19/2005  04:21p          15,000,000 ---                    Le Vol du Phoenix.part48.rar
04/20/2005  05:45a          11,587,022 ---                    Le Vol du Phoenix.part49.rar
              50 File(s)    731,592,284 bytes

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ˜ Y˜Yúyú  ZyX

04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC. Tag For ANGEL-BLACK & Sc Screw
               0 File(s)              0 bytes

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ˜ Y˜Yúyú  ZyX\. Tag For ANGEL-BLACK & Sc Screw

04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.   tag Bill Gates - scan j.w. Bush
               0 File(s)              0 bytes

 Directory of D:\Shared\   \  \     \.   ˜˜ y Z?˜Z?˜ú X\.ZZyyyZ ú˜˜ ZúY˜ ú   X\.  ˜ Y˜Yúyú  ZyX\. Tag For ANGEL-BLACK & Sc Screw\.   tag Bill Gates - scan j.w. Bush

04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC..
04/16/2005  04:58a      <DIR>          INTERLOCK\IUSR_INTERLOC.  up by
04/16/2005  04:58a                 156 INTERLOCK\IUSR_INTERLOC.  up by.core
               1 File(s)            156 bytes

So, whatcha all think? Is it some hole in IIS? If so, now what? Oh, and by the way, if I try to delete them it tells me the file cannot be read from the disk.

Any help would be much appreciated.
0
durfwood
1 Solution
 
harleyjd Commented:
Man, someone is using your server as an illegal FTP file dump.

Check for services running such as ftp that you don't recognise.

Audit your user accounts, particularly looking at anyone with domain admin permission.

Use Sysinternals TCPView http://www.sysinternals.com/ntw2k/source/tcpview.shtml to check for anything listening on odd ports.

That all said, it looks like the iusr_interloc account is compromised - I assume the domain is interlock and the server is interloc? I don't think it's IIS, I think it's just the IIS account that's been hacked.

Kill the tasks, delete the services, install a hardware firewall or a reliable personal one if there is no option, patch the server then never, ever speak of this again...

I once found a server where they had hidden 6 GB of Dragonball Z vids under recycler\.\ \serveftp and renamed serveftp.exe to something innocent, but the service name was still serveftp.

Finally, open the .rar files. It might be some good porn. :)


0
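As an added example (not code from this thread), here is a small triage script that parses `dir /q` output like the listing in the question and flags entries whose names contain Win32 reserved device names (com1, aux, nul and friends), leading or trailing spaces and dots, or non-printable characters, grouping the hits by the owner column that harleyjd reads as evidence of a compromised account. The column offsets, the owner truncation and the sample lines are assumptions modelled on the listing in the question; adjust the offsets for your locale's dir format.

```python
import re
from collections import Counter

# Win32 device names: a path component that resolves to one of these cannot be opened
# through normal Win32 path parsing, which is why the poster sees "cannot read from disk".
RESERVED = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}
# Column layout assumed from the 'dir /q' output in the question (Windows 2000/2003, US
# locale): date/time, then <DIR> or size (21 cols), a 23-col owner column, then the name.
ENTRY_RE = re.compile(r"^\d\d/\d\d/\d{4}  \d\d:\d\d[ap]")
OWNER_COL, NAME_COL = 39, 62

def dir_line(date, time, kind, owner, name):
    # Lay out one entry with those widths; dir /q truncates the owner to 23 chars.
    mid = f"{'<DIR>':>11}{'':10}" if kind == "<DIR>" else f"{kind:>20} "
    return f"{date}  {time}{mid}{owner[:23]:<23}{name}"

# Constructed sample (names modelled on the listing in the question, not copied from it).
SAMPLE = "\n".join([
    dir_line("04/19/2005", "06:43a", "<DIR>", r"BUILTIN\Administrators", "."),
    dir_line("04/19/2005", "06:43a", "<DIR>", "---", "   . %d .com1   2.83"),
    dir_line("04/19/2005", "06:43a", "<DIR>", r"BUILTIN\Administrators", "Reports"),
    dir_line("04/20/2005", "06:59a", "<DIR>", r"INTERLOCK\IUSR_INTERLOCK", ".  up by"),
    dir_line("04/18/2005", "06:07a", "15,000,000", "---", "movie.part01.rar"),
])

def parse_dir_q(text):
    # Yield (owner, name) per entry line; '.' and '..' are skipped.
    for line in text.splitlines():
        if not ENTRY_RE.match(line) or len(line) <= NAME_COL:
            continue
        owner, name = line[OWNER_COL:NAME_COL].rstrip(), line[NAME_COL:]
        if name not in (".", ".."):
            yield owner, name

def suspicious_reasons(name):
    # Heuristics for names that normal Win32 file APIs refuse to create or open.
    hits = sorted({t.lower() for t in re.findall(r"[A-Za-z0-9]+", name) if t.lower() in RESERVED})
    checks = [
        (hits, "reserved device name: " + ", ".join(hits)),
        (not name.strip(" ."), "name is only spaces/dots"),
        (name.strip(" .") and name != name.strip(" ."), "leading/trailing spaces or dots"),
        (any(c < " " or c > "~" for c in name), "non-printable or high-bit characters"),
    ]
    return [msg for cond, msg in checks if cond]

def scan_dir_listing(text):
    # Flagged entries plus a per-owner count: the owner column names the account doing the writing.
    findings = [{"owner": o, "name": n, "reasons": r}
                for o, n in parse_dir_q(text) if (r := suspicious_reasons(n))]
    return findings, Counter(f["owner"] for f in findings)
```

Once identified, such entries can be addressed from cmd.exe with the `\\?\` path prefix (for example `rd /s /q "\\?\D:\Shared\com1"`, a constructed path), which bypasses the Win32 name rules that make them unreadable through Explorer.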
 
harleyjd Commented:
Oh, yeah...

If you can't read/write, it could be the funky naming: move the folder containing the actual files to the root folder, then delete.

If that can't be done, then maybe taking ownership is the go; it's a bit hard to be sure in these cases.
0
 
durfwood (Author) Commented:
That looks like it is the culprit; however, it will not let me at those files in any way, shape or form.

I have tried changing the permissions, taking ownership and also moving the files up the ladder in its tree, and it all still says cannot read file from disk.
0

 
harleyjd Commented:
Just a quickie: I found this through Google http://www.softwarepatch.com/tips/howto-delete-xp.html

I don't offer any promises, but I am still thinking about other answers...

Did you find servftp or some such?

0
 
harleyjd Commented:
Just extending a train of thought: can you delete it via the cmd prompt? If you can see the generated 8.3 name, then that might help.

Via Windows, try Shift-Delete; this will bypass the Recycle Bin, so that might avoid it trying to access the file while deleting...

0
 
durfwood (Author) Commented:
The server had the Microsoft FTP product running (so our sales people could access it).
0
 
harleyjd Commented:
OK, how did you go with the deleting options?
0
 
durfwood (Author) Commented:
I tried the things you suggested and the files and directories still say they cannot read from the disk when I try to alter them in any way.
0
 
durfwood (Author) Commented:
Using the ideas you gave, I found some articles that led me to this "KB article 811176" on Microsoft's site, and option 3 set me free!!!

Thank you sooooo much for your help.
0
 
harleyjd Commented:
Cool, it had to be something silly like that. It reads to me like "here's how to fix a hacked server".

I trust you're all firewalled, patched and protected now?

0
 
durfwood (Author) Commented:
Yep.  =0)
0
