I was hacked and now I cannot delete the files.

Jeremy Brown

Hello all,
The server of one of my clients was hacked via an open FTP site in IIS (a
Xerox repair guy opened it up to set up a network scanner. I wish I could
locate that guy now, so I could open him up.) I closed up the hole and
reconfigured the scanner, but the files the little dears left behind on the
server will not stand to be deleted. Whenever I try, I get "cannot read from
source file or disk". I have tried to remove them in a dozen different ways
including explorer, a command window and an FTP client, all to no avail.

I cannot take ownership of them and cannot change any settings regarding
them.

These files are taking up five gigs of space on the main hard drive (C:\)
and now a virus has embedded itself in the folders and refuses to go away
(the owner has a thing for graceful and artistic pictures of the natural
feminine form, and likes to download them to his PC. One of the ladies
didn't keep with her shots.) Norton has kept the file from doing any damage,
thankfully.

Any suggestions?

Jeremy
 
Marina Roos

The best suggestion would be to reinstall. You'll never figure out for 100%
what the hacker might have left.
 
Jeremy Brown

Jeff,
I crossposted this because not everyone reads the same groups and I wanted
to get as many opinions and solutions as possible in case one did not work
or completely fix the problem, and that is what I got. Your answer in the
microsoft.public.inetserver.iis list did help when Jason Brown's (aka Atrax)
solution removed some but not all of the files, however Marina and the rest
also took their time to offer help and I thank them also.

Jeremy
 
Alan Wood [MSFT]

Hi Jeremy,
I would have to agree with Marina. You will never know what has been
left behind or what has been compromised on the server. If you have a good
backup before you were hacked, I would reinstall, patch the system, then
restore the data.

Thank you,

Alan Wood[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

There is another option, however, it may be a little
tricky but it will work. If you go to
http://www.knoppix-std.org/, download the ISO, burn that to a CD, boot off
the CD and into Linux / Knoppix. You will have full
access to any file or files anywhere on the HD.
Permissions or no permissions, it doesn't matter. The
only thing I can't get to work is accessing a drive when
Linux has already set permissions on a certain directory.

Good luck
Scroter
 
Roland Hall

> There is another option, however, it may be a little
> tricky but it will work.
Ya', ok.


My suggestion as well but you could pull your data off. I would isolate the
computer from anything else until it is rebuilt.
You can clean it and you can take a chance that you got everything but
trojan scanners and antivirus scanners only remove what they know. A
rewritten driver or two that can open ports and allow intruders may not be
known.

My question is, why did the firewall allow FTP access? Did the Xerox guy
modify the config on the firewall too? *raises eyebrow*

--
Roland

This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose.
 
