• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 266

Mystery Folders found on our server

We have noticed the sudden mysterious appearance of a folder (and over 200 subfolders) on our server in the root folder of one of our websites.

Our server is running Microsoft Server Standard 2008 and SQL Server 2005.

The name of the folder is "ÿta12311-ÿ" and inside is a series of subfolders named "1", "2", "3", "4" and inside those... more folders also named "1", "2", "3", "4".

There are a total of 271 folders, all of them empty.

We did not create these folders, and assume they are part of a hack attempt.

Can anyone tell us
A) How they would have accessed our server
B) What they were attempting to do
C) What we should do about this attempt
D) What we should do now to prevent further attacks like this

Thank you



1 Solution
Scott AndersonPrincipal Support EngineerCommented:
Those are some pretty specific questions that can't be answered from the information given, but:

If you were truly hacked, meaning there is not another explanation for the appearance of the folders:
A.)  How they would have accessed our server?
  You mentioned that it's a web server and running SQL.  There are ways to compromise a server through Web services and SQL, if they are exposed to the Internet.  How exactly, I can't say from the information you've provided.
B.)  What were they attempting to do?
  Hard to say.  Most hack attempts these days are oriented towards "owning" your box instead of killing it - using it as a tool for other exploits: platform for DDoS attacks, distribution point for trojans, remote control "bots", etc.
If it was a compromise, they were probably just checking to see if they could come in the door and have write access to your system.
C.)  What should we do about this attempt?
  If you believe that it was a hack attempt and are not sure what to do, I'd recommend seeking some professional assistance.  If you have logging in your environment, that would be critical in figuring out what happened (firewall logs, server security logs, etc.).  There are too many things to consider for it to be handled in a newsgroup like this.  Also, consider taking the server down/off the network and replacing those services on a rebuilt server, change passwords on any accounts that were accessible on that server (esp. if it was in a domain), etc., etc.

D.)  How to prevent in the future?
  Part of defending against a future compromise is to figure out how they got you in the first place, then place safeguards to prevent that in the future.  Are all current patches applied?  Turn up security logging on your firewall and server to monitor network and server access and privileged access to the system, then review them on a daily basis.  As well, you may want to re-think your strategy for the role of the server and re-design with enhanced security in mind.

Sorry I'm not more specific here, but the devil is in the details with a server compromise...  

Something you could check is the "owner" of the newly created folders.  
Right-click on one of the folders, select Properties, go to the Security tab
Click on the "Advanced" button, then the "Owner" tab  to see who "owns" the folders.  It might give some insight to either the service that created the folders or what account was used to create them.
Good Luck!
electricinkAuthor Commented:
The owner is listed as "Internet Guest Account"

I have just discovered similar folders in two other domain folders... one same day and time (yesterday), another from about 3 weeks ago
Scott AndersonPrincipal Support EngineerCommented:
Based on that info, I'd assume that someone was able to hack your IIS box and gain privileged access to the local system through the IUSR_<system> account.

I'd consider the box to be compromised and would take steps to remove it from your network and replace it.  
If you want to trace back through the hack, I'd replace the server with alternative hardware and rebuild it, keeping the original server for analysis.  
If you're not interested in deconstructing the hack, then backup and rebuild the box - making sure that all patches are applied and follow best practices for security on the system.
Scott AndersonPrincipal Support EngineerCommented:
If you are doing syslogging on your perimeter firewall, check the creation date/times on the rogue folders.  Then you could review the firewall logs to possibly find the source (IP address range) of the hacker...
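The two checks suggested in this thread (look at who owns the rogue folders, then use their creation times to pick a window in the firewall syslog) can be done in one pass from PowerShell rather than folder by folder in Explorer. The script below is an added example and is not from the original poster or the answerer; the folder path, log path, the syslog timestamp format and the size of the time window are assumptions, marked as placeholders, and will need adjusting to the actual site. It also counts files inside each folder, since a folder tree that is "all empty" and one that contains a dropped file call for different handling.

```powershell
# Added example (not from the original thread). Enumerates the rogue folder tree,
# records the owner and creation time of every folder, then pulls firewall
# syslog lines whose timestamps fall in a window around those creation times.
# The paths below are PLACEHOLDERS; replace them with the real locations.
$RogueRoot     = 'C:\inetpub\wwwroot\example-site\ÿta12311-ÿ'   # placeholder path
$FirewallLog   = 'C:\Logs\firewall-syslog.txt'                  # placeholder path
$WindowMinutes = 15                                             # assumed window size

# Root folder plus every subfolder beneath it (PSIsContainer works on PowerShell 2.0,
# which is what Server 2008 ships with, so no -Directory switch is used here).
$folders = @(Get-Item -LiteralPath $RogueRoot) +
           @(Get-ChildItem -LiteralPath $RogueRoot -Recurse | Where-Object { $_.PSIsContainer })

# One record per folder: path, owner (same value the Security > Advanced > Owner tab
# shows), creation time, and how many files (not folders) it directly contains.
$report = @(foreach ($f in $folders) {
    $owner = $f.GetAccessControl().GetOwner([System.Security.Principal.NTAccount]).Value
    $files = @(Get-ChildItem -LiteralPath $f.FullName -Force | Where-Object { -not $_.PSIsContainer })
    New-Object PSObject -Property @{
        Path    = $f.FullName
        Owner   = $owner
        Created = $f.CreationTime
        Files   = $files.Count
    }
})

"Folders found: {0}" -f $report.Count
"Owners:"
$report | Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize

$sorted   = $report | Sort-Object Created
$earliest = $sorted[0].Created
$latest   = $sorted[-1].Created
"Created between {0} and {1}" -f $earliest, $latest

# Any folder that is not empty deserves a closer look before the box is rebuilt.
$nonEmpty = $report | Where-Object { $_.Files -gt 0 }
if ($nonEmpty) { "Non-empty folders:"; $nonEmpty | Select-Object Path, Files | Format-Table -AutoSize }

# Firewall syslog lines in the window around the folder creation. The regex assumes
# each line starts with "yyyy-MM-dd HH:mm:ss" (assumption); change it to match the
# firewall's actual timestamp format.
$from = $earliest.AddMinutes(-$WindowMinutes)
$to   = $latest.AddMinutes($WindowMinutes)
if (Test-Path -LiteralPath $FirewallLog) {
    "Firewall log lines between {0} and {1}:" -f $from, $to
    Get-Content -LiteralPath $FirewallLog | ForEach-Object {
        if ($_ -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            $ts = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
            if ($ts -ge $from -and $ts -le $to) { $_ }
        }
    }
} else {
    "Firewall log not found at $FirewallLog (placeholder path; set it to the real syslog file)."
}
```

Run it from a copy of the evidence if the original server is being kept for analysis, since reading the folders updates their last-access times. The same time-window filter can be pointed at the IIS site logs, which record the request that ran under the Internet Guest Account at the moment the folders appeared.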