Mystery Folders found on our server

Posted on 2008-10-03
Last Modified: 2013-12-04
We have noticed the sudden mysterious appearance of a folder (and over 200 subfolders) on our server in the root folder of one of our websites.

Our server is running Microsoft Server Standard 2008 and SQL Server 2005.

The name of the folder is "ÿta12311-ÿ" and inside is a series of subfolders named "1", "2", "3", "4" and inside those... more folders also named "1", "2", "3", "4".

There are a total of 271 folders, all of them empty.

We did not create these folders, and assume they are part of a hack attempt.

Can anyone tell us
A) How they would have accessed our server
B) What they were attempting to do
C) What we should do about this attempt
D) What we should do now to prevent further attacks like this

Thank you



Question by:electricink
LVL 13

Accepted Solution

ScooterAnderson earned 500 total points
ID: 22634772
Those are some pretty specific questions that can't be answered from the information given, but:

If you were truly hacked, meaning there is not another explanation for the appearance of the folders:
A.)  How they would have accessed our server?
  You mentioned that it's a web server and running SQL.  There are ways to compromise a server through Web services and SQL, if they are exposed to the Internet.  How exactly, I can't say from the information you've provided.
B.)  What were they attempting to do?
  Hard to say.  Most hack attempts these days are oriented towards "owning" your box instead of killing it - using it as a tool for other exploits:  platform for DDoS attacks, distribution point for trojans, remote control "bots", etc.
If it was a compromise, they were probably just checking to see if they could come in the door and have write access to your system.
C.)  What should we do about this attempt?
  If you believe that it was a hack attempt and are not sure what to do, I'd recommend seeking some professional assistance.  If you have logging in your environment, that would be critical in figuring out what happened (firewall logs, server security logs, etc.).  There are too many things to consider; it shouldn't be handled in a newsgroup like this.  Also, consider taking the server down/off the network and replacing those services on a rebuilt server, changing passwords on any accounts that were accessible on that server (esp. if it was in a domain), etc., etc.

D.)  How to prevent in the future?
  Part of defending against a future compromise is to figure out how they got you in the first place, then place safeguards to prevent that in the future.  Are all current patches applied?  Turn up security logging on your firewall and server to monitor network and server access and privileged access to the system, then review them on a daily basis.  As well, you may want to re-think your strategy for the role of the server and re-design with enhanced security in mind.

Sorry I'm not more specific here, but the devil is in the details with a server compromise...  

Something you could check is the "owner" of the newly created folders.  
Right-click on one of the folders, select Properties, go to the Security tab
Click on the "Advanced" button, then the "Owner" tab  to see who "owns" the folders.  It might give some insight to either the service that created the folders or what account was used to create them.
Good Luck!

Author Comment

ID: 22635324
The owner is listed as "Internet Guest Account"

I have just discovered similar folders in two other domain folders... one same day and time (yesterday), another from about 3 weeks ago
LVL 13

Expert Comment

ID: 22635473
Based on that info, I'd assume that someone was able to hack your IIS box and gain privileged access to the local system through the IUSR_<system> account.

I'd consider the box to be compromised and would take steps to remove it from your network and replace it.  
If you want to trace back through the hack, I'd replace the server with alternative hardware and rebuild it, keeping the original server for analysis.  
If you're not interested in deconstructing the hack, then backup and rebuild the box - making sure that all patches are applied and follow best practices for security on the system.
LVL 13

Expert Comment

ID: 22635514
If you are doing syslogging on your perimeter firewall, check the creation date/times on the rogue folders.  Then you could review the firewall logs to possibly find the source (IP address range) of the hacker...
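The two checks suggested in this thread (the folder "owner" lookup in the accepted answer and the creation-time/log correlation in the comment above) can be done in one pass from PowerShell instead of clicking through 271 Properties dialogs. The script below is an added example, not code from the original thread or from any of the posters; it assumes the rogue top-level folder path is passed as -Path, and optionally the site's IIS W3C log directory as -IisLogDir (on IIS 7 the default is under %SystemDrive%\inetpub\logs\LogFiles, with 'date time' as the first two fields in UTC). The $WindowMinutes padding and the hypothetical parameter names are this example's own choices.

```powershell
# Added example (not from the original thread): triage the rogue folder tree.
# Assumptions: -Path is the suspicious top-level folder (e.g. the "ÿta12311-ÿ"
# directory); -IisLogDir is the site's IIS W3C log folder, if you have one.
param(
    [Parameter(Mandatory=$true)][string]$Path,
    [string]$IisLogDir,
    [int]$WindowMinutes = 10
)

# 1. Enumerate the folder and every subfolder. PSIsContainer is used instead
#    of the later -Directory switch so this also runs on PowerShell 2.0
#    (what a Server 2008 box of that era would have).
$root = Get-Item -LiteralPath $Path
$dirs = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { $_.PSIsContainer })

# 2. Record the NTFS owner and creation time of each folder. The owner tells
#    you which account (e.g. the IIS anonymous account) wrote to disk.
$rows = @(foreach ($d in $dirs) {
    $acl = Get-Acl -LiteralPath $d.FullName
    New-Object PSObject -Property @{
        Path       = $d.FullName
        Owner      = $acl.Owner
        CreatedUtc = $d.CreationTimeUtc
    }
})

"Total folders (including root): $($rows.Count)"
"Distinct owners:"
$rows | Group-Object Owner | ForEach-Object { "  {0,5}  {1}" -f $_.Count, $_.Name }

# 3. The earliest and latest creation times bound the window you need to
#    search in the firewall syslog and the IIS logs.
$sorted = @($rows | Sort-Object CreatedUtc)
$first  = $sorted[0].CreatedUtc
$last   = $sorted[-1].CreatedUtc
"Creation window (UTC): $first  ->  $last"

# 4. Optional: print the IIS W3C log lines that fall inside that window
#    (padded by $WindowMinutes on each side). Header lines start with '#'.
if ($IisLogDir -and (Test-Path -LiteralPath $IisLogDir)) {
    $start = $first.AddMinutes(-$WindowMinutes)
    $end   = $last.AddMinutes($WindowMinutes)
    Get-ChildItem -LiteralPath $IisLogDir -Filter *.log -Recurse |
        ForEach-Object { Get-Content -LiteralPath $_.FullName } |
        Where-Object { $_ -notmatch '^#' } |
        ForEach-Object {
            $f  = $_ -split ' '
            $ts = [DateTime]::MinValue
            if ([DateTime]::TryParse("$($f[0]) $($f[1])", [ref]$ts)) {
                $ts = [DateTime]::SpecifyKind($ts, 'Utc')
                if ($ts -ge $start -and $ts -le $end) { $_ }
            }
        }
}
```

Run it from an elevated prompt on the affected server (or, better, against a copy of the disk taken for analysis) with something like `.\Triage-RogueFolders.ps1 -Path 'D:\sites\example\ÿta12311-ÿ' -IisLogDir 'C:\inetpub\logs\LogFiles\W3SVC1'`. The owner summary confirms which account did the writing, and the UTC window is what you hand to whoever is reviewing the perimeter firewall logs; the matching IIS lines show which requests (and client IPs) hit the site in that interval, which is usually where the write came from.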
