Solved

Mystery Folders found on our server

Posted on 2008-10-03
Last Modified: 2013-12-04
We have noticed the sudden mysterious appearance of a folder (and over 200 subfolders) on our server in the root folder of one of our websites.

Our server is running Microsoft Server Standard 2008 and SQL Server 2005.

The name of the folder is "ÿta12311-ÿ" and inside is a series of subfolders named "1", "2", "3", "4" and inside those... more folders also named "1", "2", "3", "4".

There are a total of 271 folders, all of them empty.

We did not create these folders, and assume they are part of a hack attempt.

Can anyone tell us

A) How they would have accessed our server
B) What they were attempting to do
C) What we should do about this attempt
D) What we should do now to prevent further attacks like this

Thank you

Kirk

Question by:electricink
4 Comments

LVL 13
Accepted Solution by: ScooterAnderson (earned 1500 total points)
ID: 22634772
Those are some pretty specific questions that can't be answered from the information given, but:

If you were truly hacked, meaning there is not another explanation for the appearance of the folders:
A.) How they would have accessed our server?
  You mentioned that it's a web server and running SQL. There are ways to compromise a server through Web services and SQL, if they are exposed to the Internet. How exactly, I can't say from the information you've provided.
B.) What were they attempting to do?
  Hard to say. Most hack attempts these days are oriented towards "owning" your box instead of killing it - using it as a tool for other exploits: platform for DDoS attacks, distribution point for trojans, remote control "bots", etc.
If it was a compromise, they were probably just checking to see if they could come in the door and have write access to your system.
C.) What should we do about this attempt?
  If you believe that it was a hack attempt and are not sure what to do, I'd recommend seeking some professional assistance. If you have logging in your environment, that would be critical in figuring out what happened (firewall logs, server security logs, etc.). There are too many things to consider that it shouldn't be handled in a newsgroup like this. Also, consider taking the server down/off the network and replace those services on a rebuilt server, change passwords on any accounts that were accessible on that server (esp. if it was in a domain), etc, etc.

D.) How to prevent in the future?
  Part of defending against a future compromise is to figure out how they got you in the first place, then place safeguards to prevent that in the future. Are all current patches applied? Turn up security logging on your firewall and server to monitor network and server access and privileged access to the system, then review them on a daily basis. As well, you may want to re-think your strategy for the role of the server and re-design with enhanced security in mind.

Sorry I'm not more specific here, but the devil is in the details with a server compromise...

Something you could check is the "owner" of the newly created folders.
Right-click on one of the folders, select Properties, go to the Security tab.
Click on the "Advanced" button, then the "Owner" tab to see who "owns" the folders. It might give some insight to either the service that created the folders or what account was used to create them.
Good Luck!

Author Comment by: electricink
ID: 22635324
The owner is listed as "Internet Guest Account"

I have just discovered similar folders in two other domain folders... one same day and time (yesterday), another from about 3 weeks ago

LVL 13
Expert Comment by: ScooterAnderson
ID: 22635473
Based on that info, I'd assume that someone was able to hack your IIS box and gain privileged access to the local system through the IUSR_<system> account.

I'd consider the box to be compromised and would take steps to remove it from your network and replace it.
If you want to trace back through the hack, I'd replace the server with alternative hardware and rebuild it, keeping the original server for analysis.
If you're not interested in deconstructing the hack, then backup and rebuild the box - making sure that all patches are applied and follow best practices for security on the system.

LVL 13
Expert Comment by: ScooterAnderson
ID: 22635514
If you are doing syslogging on your perimeter firewall, check the creation date/times on the rogue folders. Then you could review the firewall logs to possibly find the source (IP address range) of the hacker...
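The two checks suggested in this thread (who owns the rogue folders, and when they were created so the times can be matched against firewall and IIS logs) can be scripted rather than done folder by folder in the Properties dialog. The script below is an added example, not code from the thread; it assumes Windows PowerShell on the affected server and that the site root is C:\inetpub\wwwroot (change $SiteRoot to match).

```powershell
# Added example, not from the thread: triage folders under an IIS site root on
# Windows Server 2008. Lists every directory's owner and creation time (UTC),
# flags those owned by the IIS anonymous account (IUSR or IUSR_<machine>), and
# groups the suspect creations by minute to give a time window for log review.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot'   # assumption: path of the affected site root
)

$report = Get-ChildItem -LiteralPath $SiteRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        # DirectoryInfo.GetAccessControl() is available on every Windows PowerShell version
        $owner = $_.GetAccessControl().GetOwner([System.Security.Principal.NTAccount]).Value
        New-Object PSObject -Property @{
            Path       = $_.FullName
            Owner      = $owner
            CreatedUtc = $_.CreationTimeUtc
            # Folders written by the web server's anonymous identity are the ones to investigate
            Suspect    = ($owner -match '\\IUSR(_|$)')
        }
    }

# Full listing, oldest first, so bursts of folder creation stand out
$report | Sort-Object CreatedUtc | Format-Table CreatedUtc, Owner, Path -AutoSize

# Creation timeline of the suspect folders, one row per minute: use these
# timestamps to pull the matching entries from the IIS W3C logs and the
# perimeter firewall syslog and identify the requesting source address.
$report | Where-Object { $_.Suspect } |
    Group-Object { $_.CreatedUtc.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name |
    Select-Object @{ n = 'MinuteUtc'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it from an elevated prompt so every folder's ACL can be read; keep the output with the firewall and IIS log extracts as part of the evidence for the rebuild decision.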
