Mystery Folders found on our server

Posted on 2008-10-03
Medium Priority
Last Modified: 2013-12-04
We have noticed the sudden mysterious appearance of a folder (and over 200 subfolders) on our server in the root folder of one of our websites.

Our server is running Microsoft Windows Server 2008 Standard and SQL Server 2005.

The name of the folder is "ÿta12311-ÿ" and inside is a series of subfolders named "1", "2", "3", "4" and inside those... more folders also named "1", "2", "3", "4".

There are a total of 271 folders, all of them empty.

We did not create these folders, and assume they are part of a hack attempt.

Can anyone tell us
A) How they would have accessed our server
B) What they were attempting to do
C) What we should do about this attempt
D) What we should do now to prevent further attacks like this

Thank you



Question by: electricink

Accepted Solution

ScooterAnderson earned 1500 total points
ID: 22634772
Those are some pretty specific questions that can't be answered from the information given, but:

If you were truly hacked, meaning there is no other explanation for the appearance of the folders:
A.)  How they would have accessed our server?
  You mentioned that it's a web server and running SQL.  There are ways to compromise a server through Web services and SQL, if they are exposed to the Internet.  How exactly, I can't say from the information you've provided.
B.)  What were they attempting to do?
  Hard to say.  Most hack attempts these days are oriented towards "owning" your box instead of killing it, using it as a tool for other exploits: platform for DDoS attacks, distribution point for trojans, remote control "bots", etc.
If it was a compromise, they were probably just checking to see if they could come in the door and have write access to your system.
C.)  What should we do about this attempt?
  If you believe that it was a hack attempt and are not sure what to do, I'd recommend seeking some professional assistance.  If you have logging in your environment, that would be critical in figuring out what happened (firewall logs, server security logs, etc.).  There are too many things to consider for it to be handled in a newsgroup like this.  Also, consider taking the server down/off the network and replacing those services on a rebuilt server, change passwords on any accounts that were accessible on that server (esp. if it was in a domain), etc., etc.

D.)  How to prevent in the future?
  Part of defending against a future compromise is to figure out how they got you in the first place, then place safeguards to prevent that in the future.  Are all current patches applied?  Turn up security logging on your firewall and server to monitor network and server access and privileged access to the system, then review them on a daily basis.  As well, you may want to re-think your strategy for the role of the server and re-design with enhanced security in mind.

Sorry I'm not more specific here, but the devil is in the details with a server compromise...  

Something you could check is the "owner" of the newly created folders.  
Right-click on one of the folders, select Properties, go to the Security tab
Click on the "Advanced" button, then the "Owner" tab to see who "owns" the folders.  It might give some insight into either the service that created the folders or what account was used to create them.
Good Luck!
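The owner check above can be done for all 271 folders at once from a PowerShell prompt on the server. The script below is an added example, not part of the original thread or of any answer in it: it walks the rogue tree, reports owner and creation time (in UTC, so the timestamps line up with firewall and IIS logs), and then lists which identities are allowed to create folders under the site root. The site root path and the folder name are assumptions for the example; substitute the real ones. It needs PowerShell 2.0 or later and a script file saved as UTF-8 with BOM so the non-ASCII folder name survives.

```powershell
# Added example, not from the thread: inventory a rogue folder tree on a
# Windows web server and check who could have written it. The paths below are
# assumptions; substitute the site's real root and the folder name you found.
# (Save the script as UTF-8 with BOM so the non-ASCII folder name survives.)
$SiteRoot = 'C:\inetpub\wwwroot\example.com'
$Rogue    = Join-Path $SiteRoot 'ÿta12311-ÿ'

# Every directory in the tree, the top-level one included. -LiteralPath keeps
# odd characters in the name from being treated as wildcards.
$dirs = @(Get-Item -LiteralPath $Rogue) +
        @(Get-ChildItem -LiteralPath $Rogue -Recurse | Where-Object { $_.PSIsContainer })
"Folders under {0}: {1}" -f $Rogue, $dirs.Count

# Owner and creation time of each folder. Creation time is reported in UTC so
# it lines up with firewall and IIS logs, which are normally written in UTC.
$report = foreach ($d in $dirs) {
    $acl = Get-Acl -LiteralPath $d.FullName
    New-Object PSObject -Property @{
        Path    = $d.FullName
        Owner   = $acl.Owner
        Created = $d.CreationTimeUtc
        Files   = @(Get-ChildItem -LiteralPath $d.FullName | Where-Object { -not $_.PSIsContainer }).Count
    }
}

# One owner and a creation window of a few seconds point to a single automated
# process rather than a person clicking around in Explorer.
$report | Group-Object Owner | Select-Object Name, Count
$sorted = @($report | Sort-Object Created)
"Created between {0:u} and {1:u}" -f $sorted[0].Created, $sorted[-1].Created
"Folders containing files: {0}" -f @($report | Where-Object { $_.Files -gt 0 }).Count

# Which identities may create folders under the site root? If the owner is the
# IIS anonymous account, one of these entries is the door the folders came in by.
(Get-Acl -LiteralPath $SiteRoot).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights.ToString() -match 'Write|CreateDirectories|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it before touching the folders: taking ownership, moving or deleting them changes the ACL and the timestamps you want to preserve for the log correlation. If the last table shows the anonymous web account (or Users, or Everyone) with write rights on the site root, that entry is the first thing to remove on the rebuilt server, whatever the request that exercised it turns out to have been.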

Author Comment

ID: 22635324
The owner is listed as "Internet Guest Account"

I have just discovered similar folders in two other domain folders... one from the same day and time (yesterday), another from about 3 weeks ago

Expert Comment

ID: 22635473
Based on that info, I'd assume that someone was able to hack your IIS box and gain privileged access to the local system through the IUSR_<system> account.

I'd consider the box to be compromised and would take steps to remove it from your network and replace it.  
If you want to trace back through the hack, I'd replace the server with alternative hardware and rebuild it, keeping the original server for analysis.  
If you're not interested in deconstructing the hack, then backup and rebuild the box - making sure that all patches are applied and follow best practices for security on the system.

Expert Comment

ID: 22635514
If you are doing syslogging on your perimeter firewall, check the creation date/times on the rogue folders.  Then you could review the firewall logs to possibly find the source (IP address range) of the attacker...
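Since the owner is the IIS anonymous account, the request that created the folders went through IIS, and the IIS W3C request log pins it down more precisely than the firewall log can: it records the client address, the HTTP method and the URL for every request, stamped in UTC. The script below is an added example, not from the thread: it parses W3C log lines, keeps the requests that fall inside the folders' creation window, groups them by client address and separates out the methods that can change server state. The log lines and the time window are constructed for the example and the field list is the IIS 7 default; on IIS 7 the real logs live under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteid>\. Which request actually created the folders on the poster's server is not known from the thread; the script only shows who was talking to the site at the time.

```powershell
# Added example, not from the thread: pull the requests that hit the site in
# the minutes around the rogue folders' creation time out of an IIS W3C log and
# group them by client address. Log lines and time window are constructed.

function ConvertTo-UtcTime([string]$Text) {
    # W3C logs write "date time" as yyyy-MM-dd HH:mm:ss in UTC.
    [DateTime]::ParseExact($Text, 'yyyy-MM-dd HH:mm:ss',
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AssumeUniversal -bor
        [Globalization.DateTimeStyles]::AdjustToUniversal)
}

# Creation window read off the folders (CreationTimeUtc), padded by a minute
# either side. Assumed values for the example.
$windowStart = ConvertTo-UtcTime '2008-10-02 14:02:00'
$windowEnd   = ConvertTo-UtcTime '2008-10-02 14:05:00'

# Constructed sample in the IIS 7 default field layout. Spaces inside a field
# (user agents) are logged as '+', so splitting on single spaces is safe.
$logLines = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-10-02 14:01:12 10.0.0.5 GET /index.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible) 200 0 0 15
2008-10-02 14:03:07 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 31
2008-10-02 14:03:09 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 16
2008-10-02 14:03:10 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 16
2008-10-02 14:03:10 10.0.0.5 GET /%C3%BFta12311-%C3%BF/1/ - 80 - 198.51.100.7 - 403 14 0 2
2008-10-02 14:04:55 10.0.0.5 GET /products.asp id=4 80 - 203.0.113.9 Mozilla/5.0 200 0 0 47
2008-10-02 14:09:30 10.0.0.5 GET /index.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible) 200 0 0 12
'@ -split "`r?`n"

# Turn each data line into an object whose property names are the #Fields names.
$fields = @()
$rows = foreach ($line in $logLines) {
    if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
    if ($line -match '^#' -or $line.Trim() -eq '') { continue }
    $values = $line -split ' '
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    $row['Timestamp'] = ConvertTo-UtcTime ($row['date'] + ' ' + $row['time'])
    New-Object PSObject -Property $row
}

$inWindow = @($rows | Where-Object { $_.Timestamp -ge $windowStart -and $_.Timestamp -le $windowEnd })

"Clients seen between {0:u} and {1:u}" -f $windowStart, $windowEnd
$inWindow | Group-Object 'c-ip' | Sort-Object Count -Descending | ForEach-Object {
    $methods = @($_.Group | ForEach-Object { $_.'cs-method' } | Sort-Object -Unique) -join ','
    "{0,-16} {1,3} requests  methods: {2}" -f $_.Name, $_.Count, $methods
}

# GET and HEAD cannot normally create anything; every other method in the
# window is a candidate for the write that produced the folders.
"Write-capable requests in the window:"
$inWindow | Where-Object { $_.'cs-method' -notmatch '^(GET|HEAD)$' } |
    Select-Object Timestamp, 'c-ip', 'cs-method', 'cs-uri-stem', 'sc-status' |
    Format-Table -AutoSize

# The folder name as it appears URL-encoded in cs-uri-stem (UTF-8 encoding of
# 'ÿ'), for searching the rest of the logs for any request that touched it.
$encodedName = [Uri]::EscapeDataString('ÿta12311-ÿ')
"Search the logs for: {0}" -f $encodedName
```

Point it at the real log by replacing `$logLines` with `Get-Content` on the day's log file (the script name is in the #Fields line, so the parser adapts if the site logs a different field set). The creation times from the other two sites (the same day and about three weeks earlier) give two more windows to run; an address that appears in all of them is a much stronger lead than any single hit, and it is that address, not the whole range, that belongs in the firewall search.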
