Server Hacked!!! Someone placing unnamed media files on our server

  • Thread starter: DettCom

DettCom

Hello All,

Recently I went on our email server and I found a ton of .rar files in
unnamed folders on our wwwroot directory. I can't seem to delete these
files and they look like they're getting bigger. Can someone tell me
the best way to delete these folders and how they suspect someone got
in????

Thanks
 
You have a server and you don't have a firewall or anti-virus software?

What do you expect!

In addition:
If you post to UseNet with your TRUE, not a munged, email address then you have invited the
Swen Internet worm [aka W32/Gibe-F] to visit you.

Swen is news spelled backwards. The reason it is called this is because the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups, as well as its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.

Dave



| Hello All,
|
| Recently I went on our email server and I found a ton of .rar files in
| unnamed folders on our wwwroot directory. I can't seem to delete these
| files and they look like they're getting bigger. Can someone tell me
| the best way to delete these folders and how they suspect someone got
| in????
|
| Thanks
 
| Hello All,
|
| Recently I went on our email server and I found a ton of .rar files in
| unnamed folders on our wwwroot directory. I can't seem to delete these
| files and they look like they're getting bigger. Can someone tell me
| the best way to delete these folders and how they suspect someone got
| in????
|
| Thanks

Well, the first thing I would do is take the server off-line. Try
starting the computer in safe mode and then erasing the files;
then, if you can do this, perform an off-line virus scan and close the
security loopholes.

It would really help everyone in this group if you gave quite a bit
more information about the compromised computer, like the type of
operating system and how it's configured, but make sure you leave out
confidential information like the computer's IP address, usernames and
passwords.

The more information you can provide about the problem and how your
computer is set up, the better.
 
Call Microsoft Support and open a support case. We have a tool that can
rename these undeletable files. You may qualify for no-charge support for
this incident. (I am not familiar with the entitlement process.)

Or, move everything that you want to keep out of the parent folder, and from
the command line run rd /s on the parent folder.

-Matt
 
First off, if someone is able to write to your http server, then you have given write permissions to the anonymous account. Big no-no.

Remove those permissions and if you need write permissions then make a Windows 2000 account for that purpose.

The other issue of getting rid of those folders:

I think Matthew told you what you needed to know. If not:

http://support.microsoft.com/default.aspx?scid=kb;en-us;825751

http://support.microsoft.com/default.aspx?scid=kb;en-us;120716

Instead of DEL, use RD. To figure out the name of the folder with all the spaces, select the folder, right-click, choose Rename and hit the left arrow to go to the beginning. Now count using the right arrow.
 
If you have FTP active on the server, stop that service
first.

Next, open a command prompt and you can do the long and
tedious process of retrieving the MSDOS name of the file
by typing DIR /X at the command prompt. Note the MSDOS
name and type RD /S with the MSDOS name of the folder.

This is common when an MP3 / file sharing user finds an
open FTP server. They use special Unicode characters to
make the folder name undeletable via Windows Explorer.

I would get yourself a firewall too and some Anti-Virus
software.

Good luck! Hope this helps
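
The replies above describe folders whose names are all spaces or contain special Unicode characters. As an added illustration (not part of the thread and not any poster's code), this Python sketch walks a web root and reports such folders together with their size, so repeated runs show whether they are still growing. It also flags trailing dots and reserved device names, which go beyond what the thread mentions; `name_problems` and `scan` are names made up for this example.

```python
import os
import re
import unicodedata

# Win32 reserved device names (with or without an extension).
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)

def name_problems(name):
    """Return the reasons a file or folder name resists Explorer or DEL."""
    reasons = []
    if name.strip() == "":
        reasons.append("whitespace-only")
    elif name != name.strip(" "):
        reasons.append("leading/trailing space")
    if name.endswith(".") and name not in (".", ".."):
        reasons.append("trailing dot")
    if RESERVED.match(name.strip()):
        reasons.append("reserved device name")
    # Cc = control chars, Cf = invisible format chars, Zs other than U+0020 =
    # look-alike spaces such as U+00A0 (no-break space).
    odd = sorted({"U+%04X" % ord(c) for c in name
                  if unicodedata.category(c) in ("Cc", "Cf")
                  or (unicodedata.category(c) == "Zs" and c != " ")})
    if odd:
        reasons.append("non-printing chars " + ",".join(odd))
    return reasons

def scan(root):
    """Walk root and return (path, reasons, total_bytes) for flagged folders."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            reasons = name_problems(d)
            if not reasons:
                continue
            full = os.path.join(dirpath, d)
            size = 0
            for sub, _, files in os.walk(full):
                for f in files:
                    try:
                        size += os.path.getsize(os.path.join(sub, f))
                    except OSError:
                        pass  # unreadable entry; skip it and keep counting
            findings.append((full, reasons, size))
    return findings

if __name__ == "__main__":
    import sys
    for path, reasons, size in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(repr(path), "; ".join(reasons), size, "bytes")
```

On Windows, pass the root in `\\?\C:\...` form so the Win32 layer does not normalise away trailing spaces and dots before the names reach the script.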
 
