Thanks: Hacked server - files deleted

Joko

Thanks for all. I could delete those directories. Got the
file from the Resource Kit, rebooted the server in Safe Mode
and ran the posix command...

All good now.

Thanks again... Have a great weekend.
 
Karl Levinson [x y] mvp

Wait a minute. I sure hope you found the hole that let those files in and
closed that hole, or else your computer will be hacked again. I'm guessing
you were hacked through a very commonly known and old vulnerability. It
could be that there is also other bad stuff on your computer. See here:

http://securityadmin.info/faq.htm#ftpfolder
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#harden

Briefly, if IIS FTP services were running on your computer, either disable
them or make sure the anonymous FTP user [the IUSR account by default] does
not have both read and write permission to any folder, especially those in
the FTProot folder and subfolders.

If IIS FTP services were NOT left running by you, then the hackers remotely
ran commands to install an FTP server like Serv-U FTP. This is bad, because
they could have done anything else they want to your computer, like install
hidden back doors allowing re-entry to your computer later. The second link
above would help you find this out, such as the part mentioning Fport from
www.Foundstone.com/knowledge
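
One way to run the permission check described in the reply above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later, the IIS default FTP root `C:\Inetpub\ftproot`, and that matching `IUSR` or `Everyone` covers the ACL entries that apply to the anonymous FTP user; adjust both parameters for your server.

```powershell
# Added example: list folders under the FTP root where the anonymous FTP
# identity is allowed both to read and to write.
param(
    [string]$FtpRoot = 'C:\Inetpub\ftproot',     # assumption: IIS default FTP root
    [string]$IdentityPattern = 'IUSR|Everyone'   # assumption: ACEs that cover the anonymous user
)

$Rights      = [System.Security.AccessControl.FileSystemRights]
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$readBits    = [int]$Rights::ReadData                                  # list folder / read data
$writeBits   = [int]$Rights::WriteData -bor [int]$Rights::AppendData   # create files / create folders

# The root itself plus every subfolder, hidden ones included.
$folders = @(Get-Item -LiteralPath $FtpRoot) +
           @(Get-ChildItem -LiteralPath $FtpRoot -Recurse -Directory -Force -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    $allow = 0
    $deny  = 0
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notmatch $IdentityPattern) { continue }
        # Inherit-only entries affect children, not this folder itself.
        if ($ace.PropagationFlags -band $InheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }
    # Conservative view: union of Allow entries for all matched identities, minus Deny entries.
    $effective = $allow -band (-bnot $deny)
    if (($effective -band $readBits) -and ($effective -band $writeBits)) {
        [pscustomobject]@{
            Folder = $dir.FullName
            Rights = [System.Security.AccessControl.FileSystemRights]$effective
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No folder under $FtpRoot grants both read and write to identities matching '$IdentityPattern'."
}
```

Any folder this lists should have either the read or the write permission removed for that identity, as the reply advises.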
 
