Charles,
I had the same thing happen recently.
The NT Supplemental CD contains a number of POSIX utility programs.
I can send you a copy if you don't have it handy. You need "rm.exe"
After installing RM.EXE, open a Command prompt and change to your "upload"
folder.
Execute the command rm -rf " .Tagged+RoccoBoard+Team"
Be sure to include the space before the .Tagged and enclose the string in
double quotes.
The "r" option tells it to recurse the subdirectoires and the "f" option
tells it to force a yes answer (otherwise you'll be prompted for each file).
Then turn off write permissions on your ftp site.
Bill
At 12:05 PM 7/5/01, you wrote:
>I just discovered that someone has hacked into our webserver through FTP and
>has been using our server for storage of pornsite stuff among other things.
>Below is the first logfile that appears to be the first attempt. I am not
>sure how they got around security on the Firewall and the Server but there
>are also directories that cannot be deleted and display nofile info. This is
>a NT4 server running IIS 4.0
>
>If anyone has seen this before that can fill me in on who might have done
>this and how I can delete the directory titled NiGHtWaR I would definitely
>appreciate it.
>
>08:24:02 172.16.2.251 [1]USER anonymous 331
>08:24:02 172.16.2.251 [1]PASS [EMAIL PROTECTED] 230
>08:47:11 172.16.2.251 [2]USER anonymous 331
>08:47:11 172.16.2.251 [2]PASS [EMAIL PROTECTED] 230
>08:47:55 172.16.2.251 [2]created Tagged 226
>08:48:26 172.16.2.251 [2]created Tagged 226
>08:50:21 172.16.2.251 [2]ABORT - 226
>08:50:21 172.16.2.251 [2]sent /_vti_pvt/_vti_cnf/Tagged 426
>08:50:44 172.16.2.251 [2]QUIT - 426
>12:49:56 172.16.2.251 [3]USER anonymous 331
>12:49:56 172.16.2.251 [3]PASS [EMAIL PROTECTED] 230
>14:07:42 172.16.2.251 [4]USER anonymous 331
>14:07:42 172.16.2.251 [4]PASS [EMAIL PROTECTED] 230
>14:08:19 172.16.2.251 [4]sent /upload/TAGGED+.txt 550
>14:08:21 172.16.2.251 [4]created TAGGED+.txt 226
>14:23:01 172.16.2.251 [4]QUIT - 257
>14:23:13 172.16.2.251 [5]USER anonymous 331
>14:23:13 172.16.2.251 [5]PASS [EMAIL PROTECTED] 230
>14:25:03 172.16.2.251 [5]sent
>/upload/.Tagged+RoccoBoard+Team/COM1/1/1mb.test 550
>
>Thank You,
>Charles Morin
>Director Information Technology
>New Horizons Computer Learning Centers
>[EMAIL PROTECTED]
>ph:805.496.9690
>fx:805.496.9780
>
>
>
>This email and any files transmitted with it are confidential and are
>intended solely for the use of the individual or entity to whom they are
>addressed. This communication may contain material protected by the
>attorney-client privilege. If you are not the intended recipient or the
>person responsible for delivering the e-mail to the intended recipient, be
>advised that you have received this e-mail in error and that any use,
>dissemination, forwarding, bringing or copying of this email is strictly
>prohibited. If you have received this e-mail in error; please immediately
>notify New Horizons front desk by telephone at 1-805-496-9690. You will be
>reimbursed for reasonable costs incurred in notifying us.
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Bill Hardin [EMAIL PROTECTED]
Systems Administrator http://www.uts.com
Universal Technical Systems, Inc. 815.963.2220 x211
202 West State St. Suite 700 815.963.8884 FAX
Rockford, IL 61101
"99% of the failures come from people who have the habit of
making excuses." -- George Washington Carver
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
