Server Hacked - CodingForum

  • Server Hacked

    I have a single server where I host my clients that I do development work for. One of my clients set read, write, execute and delete for the entire site. ( SLAP! ) I have since removed this feature!

    Problem is, their site did get hacked under the .NET system_web folder; the last folder I can index is com1. I can not get access after that because the folder name is not readable by Windows.

    1. I have done some searching, and can not find a program to rename / delete this folder.

    2. Anyone have any idea how I can fix this?

    I have removed all permissions to the folder, so it no longer gives access, but can not remove.
    .::: livemotioncentral | phoenixnow | techiewidows | jonsresume :::.

  • #2
    Well, try this site...

    www.linuxiso.org




    Seriously though, can you rename / delete from the command line? Have you tried changing the permissions on that folder to make it readable? What version of Windows are you running (please please PLEASE don't say Win98)?

    I have removed all permissions to the folder, so it no longer gives access, but can not remove
    So you set the folder to not be readable and don't know why it's not readable??? I'm not too up to date on windows permissions, but can't you set the readable attribute for just sysadmins or something???
    Last edited by bcarl314; Feb 18, 2004, 08:02 AM.
    Create accessible online surveys -::- Koobten.com - compare netbook prices and reviews -::- Affordable, reliable hosting for less than $20 per year
    Zend Certified Engineer



    • #3
      It is readable; I can use the command line. The Everyone user has read and execute, Admin has everything, so permissions are set.



      • #4
        Is it a Windows server? ^_^ If so, another IIS box owned in the books...

        http://apache.org



        • #5
          The problem was not with the server, but how the user set the server and me allowing them to set that.

          Not to mention, I came here for help, not to get **** slung at me.



          • #6
            Not to mention, I came here for help, not to get **** slong at me.
            These kind of comments certainly don't inspire us to help.

            Good luck.



            • #7
              The basic problem after a system has been hacked is whether you can ever trust that system again. The hacker may have installed additional backdoors and other things.

              Your best bet is to restore to a backup taken prior to the hacking; lacking such a backup, you should nuke the whole system and rebuild it clean. Be sure you examine every interactive script on your site to make sure it doesn't include code that'll allow the machine to be hacked again later.
              Check out the Forum Search. It's the short path to getting great results from this forum.



              • #8

                Originally posted by bcarl314

                Well, try this site...

                www.linuxiso.org
                -------------
                Originally posted by bcarl314

                These kind of comments certainly don't inspire us to help.

                Good luck.

                These kinds of comments don't help at all...



                Roy Sinclair, thank you for your post. The hack was some time ago; I have set all the correct permissions so only the system admin has access, and the entire site account was deleted and recreated with a new IP, admin folder name, admin login and password.

                I have monitored the site and have had my colo monitor the site. We did get their IP address, and I have blocked their provider's entire IP block out, some place in Japan that, after looking at all of my logs, has been trying to get in for months...

                So, with everything set up the way it is, when I try to rename the hacked folder, it will not allow me to. My colo is even scratching their heads, and I know other persons that work for hosting providers and they are all scratching their heads, which is why I came here...

                If I can not find the answer myself, I always come here last...

                again though, thank you for providing an honest answer!



                • #9
                  What is the NAME of the hacked folder?

                  What error do you get when you try to rename it?

                  Have you tried renaming it from a command line?

                  Have you used UNC naming (which bypasses some reserved name problems you'll encounter otherwise)?

                  UNC:

                  ren \\.\<driveletter>:\<pathtodirectory>\<directoryorfiletorename> <newname>

                  Hopefully one of these will help you or the answers will help us understand why there's still a problem. One very real possibility is that there's a file in that hacked directory that's being executed and you won't be able to rename that directory until it's closed.



                  • #10
                    I can not find the name out, but here is the location.

                    Dir Name Location:
                    wwwroot\aspnet_client\system_web\1_0_3705_288\com1\badDIRhere

                    When deleting through Explorer, the error is:

                    Cannot delete com1: The parameter is incorrect.

                    When doing this through the command prompt, I get the following error:

                    The filename, directory name, or volume label syntax is incorrect.

                    I even get the same error when doing del /Q /F com1.

                    Doing UNC I get access is denied when trying to rename it, when trying to delete it, I get

                    Cannot delete file: Cannot read from the source file or disk.

                    Good ideas though.



                    • #11
                      It is the reserved name problem. That com1 embedded in there is what's causing you the trouble.

                      From a command prompt try this:

                      Code:
                      ren \\.\d:\wwwroot\aspnet_client\system_web\1_0_3705_288\com1 ok2delete
                      (that's all ONE line, ignore any line breaks inserted by the forum)

                      You may have to change the drive letter since you didn't provide that in your post.
                      Last edited by Roy Sinclair; Feb 20, 2004, 07:20 PM.



                      • #12
                        Now that is a good idea... but I get an access denied on the following

                        ren c:\severalsubfolderlistings\wwwroot\aspnet_client\system_web\1_0_3705_288\com1 ok2delete

                        doing the following says The syntax of the command is incorrect.

                        ren \\. \c:\severalsubfolderlistings\wwwroot\aspnet_client\system_web\1_0_3705_288\com1 ok2delete

                        The big problem I have been having is just trying to find information on this... I have found nothing in that manner, maybe a site or something.... ACK! heh



                        • #13
                          OK Jon...

                          Whenever something strange like this crops up, I immediately turn to Google. One of the threads I read, referred to the NIMDA virus....ya may want to do a complete AV scan of your system.

                          Some Nimda Info

                          Here's what google groups turned up:

                          The Big One


                          link-o-rama time:

                          http://support.microsoft.com/default...b;en-us;120716

                          http://support.microsoft.com/default...b;en-us;320081


                          A microsoft newsgroups search result


                          I seriously hope one of the above helps you out.

                          my searches usually involved "IIS com1 delete" and things of that nature...
                          Last edited by Celtboy; Feb 20, 2004, 11:08 PM.



                          • #14
                            Thanks for the Keywords Heads Up!

                            After this attack, I did go out and purchase Symantec AV Corp Edition 8.1; it runs real-time scans on everything and has been catching all incoming and outgoing email and uploaded files for some time now. MyDoom turned over 8,000 infected mail messages on my server for all of my customers in one week, and none of my customers got the virus! Not too bad considering I'm only hosting about 25 sites at this time.

                            As for the link-O-Rama time, WOW, thanks, this has been exactly what I have been looking for! TY so much!



                            • #15
                              LMAO, first command I tried after reading the page, it worked! Here is the copied example below from the first link to Microsoft's site.

                              For example:
                              RmDir \\.\C:\YourFTP_ROOT's_PATH\COM1 /s /q

                              /s-This switch removes all directories and files in the specified directory and also the directory itself. This switch also removes a directory tree.

                              /q-This switch stands for Quiet mode. Do not ask if you can remove a directory tree that contains the /s switch.

                              THANK YOU SO MUCH!!!
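The fix in #11 (`ren \\.\...`) and #15 (`RmDir \\.\...`) both work for the same reason: the `\\.\` prefix is the Win32 device-namespace prefix (the thread calls it UNC; `\\?\` works too), and a path given that way skips the DOS-device-name parsing that otherwise resolves `com1` to the serial port and produces "The filename, directory name, or volume label syntax is incorrect". The script below is an added example for this thread, not code from any of the posts or from Microsoft's KB articles: it flags every reserved-name entry (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension) in a web root listing and prints the `\\.\` removal command for each, deepest entry first. The sample listing is constructed around the path given in #10, with a couple of decoys such as `compass.jpg` that look reserved but are not.

```python
r"""Locate Windows reserved-device-name entries (CON, PRN, AUX, NUL, COM1-9,
LPT1-9) in a web root and build the \\.\ device-namespace commands that
remove them.

Added example for this thread, not code from any of the posts.  The sample
listing below is constructed to mirror the path the original poster gave."""
import os
import re

# Classic Win32 reserved device names.  Win32 path parsing treats a name as
# the device when the part before the first '.' matches, case-insensitively,
# so "COM1.txt" and "nul.jpg" are reserved too; "com10" and "compass" are not.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)}
RESERVED |= {f"LPT{i}" for i in range(1, 10)}

_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def is_reserved_name(name: str) -> bool:
    """True if Win32 would treat this single path component as a DOS device."""
    stem = name.split(".", 1)[0].rstrip(" ")   # Win32 also drops trailing spaces
    return stem.upper() in RESERVED


def reserved_entries(paths):
    """Return the paths that contain a reserved component, deepest first so
    that children are removed before the directory that holds them."""
    hits = [p for p in paths
            if any(is_reserved_name(c) for c in p.split("\\") if c)]
    return sorted(hits, key=lambda p: p.count("\\"), reverse=True)


def removal_command(path: str, directory: bool = True) -> str:
    r"""cmd.exe command that removes *path* through the \\.\ device namespace.

    The plain path fails because cmd.exe and Win32 resolve COM1 as the serial
    port; the \\.\ prefix (\\?\ works as well) hands the path to the file
    system without that reserved-name check.  Only absolute drive-letter paths
    are accepted, because the prefix also disables the normalisation that
    would resolve a relative path."""
    if path.startswith("\\\\"):
        raise ValueError("path already carries a namespace prefix")
    if not _DRIVE_PATH.match(path):
        raise ValueError("device-namespace paths must be absolute, e.g. C:\\...")
    prefixed = "\\\\.\\" + path
    return f'rmdir /s /q "{prefixed}"' if directory else f'del /f /q "{prefixed}"'


def scan_tree(root: str):
    """Walk a live tree (meant to run on the Windows host) and return
    reserved-name hits.  os.walk cannot descend into a reserved-name directory
    via a plain path, so the directory itself is reported but not its contents;
    rmdir /s through the \\\\.\\ prefix removes the whole subtree anyway."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_name(name):
                found.append(os.path.join(dirpath, name))
    return found


# Constructed listing: the layout from post #10 plus a few decoys.
SAMPLE_LISTING = [
    r"C:\inetpub\wwwroot\default.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\1_0_3705_288\WebUIValidation.js",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\1_0_3705_288\com1",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\1_0_3705_288\com1\badDIRhere",
    r"C:\inetpub\wwwroot\images\lpt1.jpg",
    r"C:\inetpub\wwwroot\images\compass.jpg",
]

if __name__ == "__main__":
    for hit in reserved_entries(SAMPLE_LISTING):
        # Crude: in this constructed listing, entries without an extension
        # are directories; on a live host check os.path.isdir instead.
        is_dir = not os.path.splitext(hit)[1]
        print(removal_command(hit, directory=is_dir))
```

Run `scan_tree(r"C:\inetpub\wwwroot")` on the Windows box itself to get a live listing; the listing-based functions run anywhere. As #9 notes, a rename or delete can still fail with "access is denied" when a process holds a handle inside the directory, and the `\\.\` prefix does nothing about that.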
