Mystery Folders found on our server

Posted on 2008-10-03
Medium Priority
Last Modified: 2013-12-04
We have noticed the sudden mysterious appearance of a folder (and over 200 subfolders) on our server in the root folder of one of our websites.

Our server is running Microsoft Server Standard 2008 and SQL Server 2005.

The name of the folder is "ÿta12311-ÿ" and inside is a series of subfolders named "1", "2", "3", "4" and inside those... more folders also named "1", "2", "3", "4".

There are a total of 271 folders, all of them empty.

We did not create these folders, and assume they are part of a hack attempt.

Can anyone tell us
A) How they would have accessed our server
B) What they were attempting to do
C) What we should do about this attempt
D) What we should do now to prevent further attacks like this

Thank you



Question by:electricink

Accepted Solution

ScooterAnderson earned 1500 total points
ID: 22634772
Those are some pretty specific questions that can't be answered from the information given, but:

If you were truly hacked, meaning there is not another explanation for the appearance of the folders:
A.)  How they would have accessed our server?
  You mentioned that it's a web server and running SQL.  There are ways to compromise a server through Web services and SQL, if they are exposed to the Internet.  How exactly, I can't say from the information you've provided.
B.)  What were they attempting to do?
  Hard to say.  Most hack attempts these days are oriented towards "owning" your box instead of killing it - using it as a tool for other exploits:  platform for DDoS attacks, distribution point for trojans, remote control "bots", etc.
If it was a compromise, they were probably just checking to see if they could come in the door and have write access to your system.
C.)  What should we do about this attempt?
  If you believe that it was a hack attempt and are not sure what to do, I'd recommend seeking some professional assistance.  If you have logging in your environment, that would be critical in figuring out what happened (firewall logs, server security logs, etc.).   There are too many things to consider for it to be handled in a newsgroup like this.   Also, consider taking the server down/off the network and replacing those services on a rebuilt server, changing passwords on any accounts that were accessible on that server (esp. if it was in a domain), etc., etc.

D.)  How to prevent in the future?
  Part of defending against a future compromise is to figure out how they got you in the first place, then place safeguards to prevent that in the future.  Are all current patches applied?  Turn up security logging on your firewall and server to monitor network and server access and privileged access to the system, then review them on a daily basis.  As well, you may want to re-think your strategy for the role of the server and re-design with enhanced security in mind.

Sorry I'm not more specific here, but the devil is in the details with a server compromise...  

Something you could check is the "owner" of the newly created folders.  
Right-click on one of the folders, select Properties, go to the Security tab
Click on the "Advanced" button, then the "Owner" tab  to see who "owns" the folders.  It might give some insight to either the service that created the folders or what account was used to create them.
Good Luck!
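The owner check described in the answer above, done for the whole tree at once. This is an added example and not code from the original thread; the web-root path is an assumption, and the folder name is the one given in the question. Besides the owner it records each folder's creation time in UTC, which is what later log review needs.

```powershell
# Added example, not part of the original thread: inventory a suspicious folder
# tree and report owner and creation time for every folder at once, i.e. the
# same facts the Properties > Security > Advanced > Owner dialog shows for one
# folder. The web-root path below is an assumption; the folder name is the one
# from the question. Save the script as UTF-8 with a BOM so the non-ASCII name
# in the literal is read correctly, and give $WebRoot without a trailing slash.

$WebRoot   = 'C:\inetpub\wwwroot\example.com'   # assumed path, no trailing backslash
$RogueName = 'ÿta12311-ÿ'                        # folder name reported in the question

$rogueRoot = Join-Path $WebRoot $RogueName
if (-not (Test-Path -LiteralPath $rogueRoot)) {
    throw "Rogue folder not found: $rogueRoot"
}

# Root folder plus every subfolder. Filtering on PSIsContainer (instead of the
# later -Directory switch) keeps this working on the PowerShell 1.0/2.0 that
# Windows Server 2008 shipped with.
$folders = @(Get-Item -LiteralPath $rogueRoot) +
           @(Get-ChildItem -LiteralPath $rogueRoot -Recurse -Force | Where-Object { $_.PSIsContainer })

$report = @(foreach ($f in $folders) {
    $acl = Get-Acl -LiteralPath $f.FullName
    New-Object PSObject -Property @{
        Path       = $f.FullName
        Owner      = $acl.Owner                     # e.g. the Internet Guest Account
        CreatedUtc = $f.CreationTimeUtc             # compare against logs in UTC
        Depth      = ($f.FullName.Substring($WebRoot.Length) -split '\\').Count - 1
        FileCount  = @(Get-ChildItem -LiteralPath $f.FullName -Force |
                       Where-Object { -not $_.PSIsContainer }).Count
    }
})

$sorted = @($report | Sort-Object CreatedUtc)
$owners = ($report | ForEach-Object { $_.Owner } | Sort-Object -Unique) -join ', '
$depths = @($report | ForEach-Object { $_.Depth } | Sort-Object)

"Folders found : $($report.Count)"
"Owners        : $owners"
"Created (UTC) : $($sorted[0].CreatedUtc) .. $($sorted[-1].CreatedUtc)"
"Non-empty     : $(@($report | Where-Object { $_.FileCount -gt 0 }).Count)"
"Deepest level : $($depths[-1])"

# Full listing, oldest first, to carry into log review.
$sorted | Format-Table CreatedUtc, Owner, Depth, FileCount, Path -AutoSize
```

Run it from an elevated PowerShell prompt on the server. Two things in the summary matter for the next step: whether every folder has the same owner (one account doing all the writing), and how tight the creation-time window is (a burst of 271 folders in a few seconds points at a script, not a person clicking).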

Author Comment

ID: 22635324
The owner is listed as "Internet Guest Account"

I have just discovered similar folders in two other domain folders... one same day and time (yesterday), another from about 3 weeks ago

Expert Comment

ID: 22635473
Based on that info, I'd assume that someone was able to hack your IIS box and gain privileged access to the local system through the IUSR_<system> account.

I'd consider the box to be compromised and would take steps to remove it from your network and replace it.  
If you want to trace back through the hack, I'd replace the server with alternative hardware and rebuild it, keeping the original server for analysis.  
If you're not interested in deconstructing the hack, then backup and rebuild the box - making sure that all patches are applied and follow best practices for security on the system.
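A check that follows from the comment above: if the anonymous web account owns the rogue folders, find out everywhere else under the web roots that account (and the other identities an anonymous request can run as) is allowed to create files or folders. This is an added example, not code from the thread; the paths and the identity list are assumptions and need adjusting to the box.

```powershell
# Added example, not part of the original thread: list every folder under the
# web roots where an identity used by anonymous web requests holds an Allow ACE
# that permits creating files or folders. If the Internet Guest Account owns the
# rogue folders, this shows which other directories could have been written to
# with the same rights. Paths and the identity list are assumptions: on IIS 6 the
# anonymous account is IUSR_<machine>; on IIS 7 (Windows Server 2008) it is IUSR,
# the IIS_IUSRS group and the application pool identity. Adjust both to your box.

$WebRoots = @('C:\inetpub\wwwroot')   # assumed; list every site root here

$WebIdentities = @(
    'NT AUTHORITY\IUSR',
    'BUILTIN\IIS_IUSRS',
    'IIS APPPOOL\DefaultAppPool',                    # rename to your pool
    "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",      # IIS 6-style account, if present
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users'
)

# Specific rights that allow creating content. Write, Modify and FullControl are
# supersets of these bits, so they match too.
$CreateMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [System.Security.AccessControl.FileSystemRights]::CreateDirectories
# Inherited ACEs are often stored as generic rights, which show up as large raw
# integers rather than enum names; GENERIC_WRITE and GENERIC_ALL both grant creation.
$GenericCreateMask = 0x40000000 -bor 0x10000000

function Get-WebWritableFolders {
    param([string[]]$Roots, [string[]]$Identities)
    foreach ($root in $Roots) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -Force | Where-Object { $_.PSIsContainer })
        foreach ($d in $dirs) {
            $acl = Get-Acl -LiteralPath $d.FullName
            foreach ($ace in $acl.Access) {
                # Only Allow entries for the web identities are of interest. A Deny ACE
                # elsewhere in the DACL would override an Allow; this reports Allows
                # only, so treat the output as a candidate list to confirm by hand.
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
                $raw = [int]$ace.FileSystemRights
                $canCreate = (($raw -band [int]$CreateMask) -ne 0) -or (($raw -band $GenericCreateMask) -ne 0)
                if (-not $canCreate) { continue }
                New-Object PSObject -Property @{
                    Path      = $d.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-WebWritableFolders -Roots $WebRoots -Identities $WebIdentities |
    Sort-Object Path, Identity |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Anything that comes back with Inherited = True on a site root usually means the whole site inherited a broad grant (Users or Everyone with Modify is the usual culprit). On the rebuilt server the anonymous account should have read/execute only, with write limited to the few upload or temp directories the application genuinely needs, and those should never also be allowed to execute scripts.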

Expert Comment

ID: 22635514
If you are doing syslogging on your perimeter firewall, check the creation date/times on the rogue folders.  Then you could review the firewall logs to possibly find the source (IP address range) of the attacker...
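The correlation suggested in the comment above, worked through against the IIS request log on the server itself (the firewall syslog can be filtered the same way once its timestamp is parsed). This is an added example, not code from the thread; the log lines and the creation timestamp are constructed for illustration, and the log paths are the IIS defaults.

```powershell
# Added example, not part of the original thread: take the creation times of the
# rogue folders and pull every request in the IIS W3C log that arrived within a
# window around each one, so the client IP, method and URL of the request that
# created them can be identified. Assumptions: the log lines and the timestamp
# below are constructed for illustration; on a real server read the lines from
# C:\inetpub\logs\LogFiles\W3SVC<siteid>\*.log (IIS 7) or
# C:\WINDOWS\system32\LogFiles\W3SVC1\*.log (IIS 6) and pass the CreationTimeUtc
# values read from the folders. IIS W3C logs are written in UTC, so compare UTC to
# UTC; firewall syslog can be filtered the same way once its timestamp is parsed.

function Get-RequestsNearTime {
    param(
        [string[]]$LogLines,        # raw W3C lines, directives included
        [datetime[]]$EventsUtc,     # folder creation times in UTC
        [int]$WindowSeconds = 120
    )
    $fields = $null
    foreach ($line in $LogLines) {
        # The #Fields: directive names the columns; IIS may repeat it mid-file.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or $null -eq $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $ts = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                                     [System.Globalization.CultureInfo]::InvariantCulture)
        foreach ($ev in $EventsUtc) {
            $delta = ($ts - $ev).TotalSeconds
            if ([math]::Abs($delta) -le $WindowSeconds) {
                New-Object PSObject -Property @{
                    Event     = $ev
                    OffsetSec = [int]$delta      # negative = request before folder creation
                    Time      = $ts
                    ClientIp  = $row['c-ip']
                    Method    = $row['cs-method']
                    Uri       = $row['cs-uri-stem']
                    Query     = $row['cs-uri-query']
                    Status    = $row['sc-status']
                }
                break
            }
        }
    }
}

# Constructed sample log in IIS 7 W3C format (spaces inside a field are written as '+').
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-10-02 14:05:11 10.0.0.5 GET /default.aspx - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0
2008-10-02 14:11:48 10.0.0.5 POST /app/page.aspx - 80 - 203.0.113.42 - 200 0 0
2008-10-02 14:11:49 10.0.0.5 POST /app/page.aspx id=1 80 - 203.0.113.42 - 500 0 0
2008-10-02 14:12:03 10.0.0.5 GET /app/page.aspx id=1 80 - 203.0.113.42 - 200 0 0
2008-10-02 16:40:00 10.0.0.5 GET /about.aspx - 80 - 198.51.100.9 Mozilla/4.0+(compatible) 200 0 0
'@ -split "`r?`n"

# Constructed creation time; on the real box use the CreationTimeUtc of each folder.
$creationTimesUtc = @([datetime]'2008-10-02 14:11:50')

Get-RequestsNearTime -LogLines $SampleLog -EventsUtc $creationTimesUtc -WindowSeconds 120 |
    Sort-Object Time |
    Format-Table Time, OffsetSec, ClientIp, Method, Uri, Query, Status -AutoSize
```

With the constructed data only the three requests from 203.0.113.42 fall inside the two-minute window; the two GETs from other addresses are hours away and drop out. On a real log, keep the window small at first (the folder burst itself tells you how small), then widen it to see what the same client did before and after. The client IP and the exact URL and query string are what you then take to the firewall log and to the application owner, and they are also the evidence to preserve before the server is rebuilt.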
