Mystery Directories

Guest

I think my server has been hacked. I found two directories buried in the
system which seem to have no label (name). When I open the directories I see
what looks like binary characters. Eventually when I reach the bottom I do
see discernible names like "the dude" and "the dudu." I ran McAfee (7.1 scan
engine) and it didn't detect any virus, though while scanning I noticed a
few .avi files.

I've logged in as Administrator and tried to delete these directories, but
couldn't.

Any ideas are greatly appreciated

Cheers,

Mac
 
Roger Abell [MVP]

RMac said:
I think my server has been hacked. I found two directories buried in the
system which seem to have no label (name). When I open the directories I see
what looks like binary characters. Eventually when I reach the bottom I do
see discernible names like "the dude" and "the dudu." I ran McAfee (7.1 scan
engine) and it didn't detect any virus, though while scanning I noticed a
few .avi files.

I've logged in as Administrator and tried to delete these directories, but
couldn't.

Any ideas are greatly appreciated

Cheers,

Mac

It appears you have been assimilated.
The standard response is that a rebuild from fresh format up
is in order if you want to regain control of your system with
absolute certainty.
You can attempt a cleaning, but just removing the storage that
is now being used is not the main part of that effort. Finding
how the system was penetrated, and what was installed is.
To attempt that one usually will spend more time than one does
with a fresh format/install, and even after having done that, one
really cannot be certain that all has been cleaned without offline
analysis of the system and comparison to a clean reference system.
Again, it is quicker to rebuild.
Roger
 
Guest

Roger,

Thank you for the response. I was hoping not to hear this news, however, I
think you are right. Assimilation hurts. :)

Cheers,

Mac
 
karl levinson, mvp

RMac said:
I think my server has been hacked. I found two directories buried in the
system which seem to have no label (name). When I open the directories I see
what looks like binary characters. Eventually when I reach the bottom I do
see discernible names like "the dude" and "the dudu." I ran McAfee (7.1 scan
engine) and it didn't detect any virus, though while scanning I noticed a
few .avi files.

This is probably what is called pubstro or ftp tagging. More information
here:

http://securityadmin.info/faq.asp?ftpfolder

If the system was installed with an FTP server running, such as IIS FTP, and
these files were in the system's FTP folder share, then this might not be a
hack worthy of a format and a reinstall. But if the folder was located
elsewhere on the system, or if an FTP service such as Serv-U FTP was
installed by an intruder, then that indicates that the attacker was able to
remotely execute code on your system.

Note that with ftp tagging, the attackers very rarely look at or care what
is on your system, the goal is just to scan as many systems as quickly as
possible via an automated scanning tool. However, it also probably
indicates that your system had a pretty significant and well known security
vulnerability such as a missing critical patch or an insecure configuration
that another attacker might or might not have also exploited.

If you do format and reinstall, make sure it is done using a good secure
process, including installing all security patches and choosing secure
configuration settings, or you will be compromised again.
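The reply above turns on two questions: where the tagged folders sit relative to the FTP root, and whether an FTP service the administrator never installed is present. The following PowerShell triage script is an added example for this thread, not code posted by anyone in it. It assumes the IIS default FTP home (C:\inetpub\ftproot), takes the reserved-name, trailing-dot/space and high-bit-character tricks that make pubstro folders undeletable from Explorer as its classification rules, and is read-only: it locates and classifies, it does not delete.

```powershell
# Added triage script (not from the thread). Run as an administrator.
# Assumptions: IIS FTP home is the default C:\inetpub\ftproot; scan starts at
# the system drive. Read-only: nothing here removes or changes files.
param(
    [string]$ScanRoot = ($env:SystemDrive + '\'),
    [string]$FtpRoot  = 'C:\inetpub\ftproot'   # assumption: default IIS FTP root
)

# Names that Explorer and the ordinary Win32 path API cannot open or delete:
# reserved device names (COM1, LPT1, CON ...), names ending in a dot or space,
# and names made of control or high-bit characters such as ALT-255.
$reserved = @('CON','PRN','AUX','NUL') + (1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Get-SuspiciousNameReasons([string]$Name) {
    $reasons = @()
    if ($Name -match '[ .]$')                { $reasons += 'trailing space or dot' }
    if ($Name -match '[\x00-\x1F\x7F]')      { $reasons += 'control characters' }
    if ($Name -match '[^\x00-\x7E]')         { $reasons += 'non-ASCII characters (e.g. ALT-255)' }
    if ($reserved -contains $Name.Split('.')[0].ToUpper()) { $reasons += 'reserved device name' }
    if ($Name.Trim().Length -eq 0)           { $reasons += 'whitespace-only name' }
    return $reasons
}

# 1. Find directories with tagging-style names and say whether each one lives
#    under the FTP root (plausibly just a tagged share) or elsewhere (code ran).
$findings = Get-ChildItem -LiteralPath $ScanRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        $reasons = Get-SuspiciousNameReasons $dir.Name
        if ($reasons.Count -gt 0) {
            # Count the kind of payload the original poster saw (.avi etc.).
            $media = @(Get-ChildItem -LiteralPath $dir.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { $_.Extension -in '.avi', '.mpg', '.mpeg', '.rar', '.zip' })
            [pscustomobject]@{
                Path          = $dir.FullName
                Reasons       = ($reasons -join '; ')
                InsideFtpRoot = $dir.FullName.StartsWith($FtpRoot, [StringComparison]::OrdinalIgnoreCase)
                MediaFiles    = $media.Count
            }
        }
    }

"== Directories with tagging-style names =="
$findings | Format-Table -AutoSize

# 2. Look for an FTP service the administrator did not install. MSFTPSVC is the
#    IIS FTP service; anything else matching here (Serv-U, a random name with an
#    ftp binary in its path) deserves a close look.
"== Services that look like FTP servers =="
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -match 'ftp' -or $_.PathName -match 'serv-?u|ftp' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Whatever the service is called, an FTP server has to listen somewhere.
#    Show listeners on port 21 and the process behind each one.
"== Listeners on TCP port 21 =="
netstat -ano | Select-String 'LISTENING' | Where-Object { $_ -match ':21\s' } | ForEach-Object {
    $procId = ($_ -split '\s+')[-1]
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    "{0}  (PID {1}: {2})" -f $_.ToString().Trim(), $procId, $proc.Path
}
```

Two caveats. Enumeration itself can be blocked by the same name tricks that block deletion, which is why `-LiteralPath` and `-ErrorAction SilentlyContinue` are used; a directory that appears in the listing but whose contents cannot be read is still a finding. And a tagged directory that is outside the FTP root, or a listener on port 21 that belongs to something other than MSFTPSVC, is exactly the evidence the reply above says tips the answer from "clean up the share" to "rebuild from a fresh format".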