Of course, Bill, like others that have responded, did not mean you should
merely clear the pron files from the system, but that the system requires
at this point that it be wiped and reinstalled from scratch.  rm.exe, an
old old unix port is a sweet powerful toy, yet, it will not 'fix' this
hacked system, only a reinstall from scratch, after wiping will work, then
before reattaching to the internet, make sure you apply all fixes and
patches for your OS and the toys you have open to the world on it.  Also,
as others have hinted, you might wish to rethink your strategy of
offered services.

Thanks,

Ron DuFresne


On Thu, 5 Jul 2001, Bill Hardin wrote:

> Charles,
> 
> I had the same thing happen recently.
> 
> The NT Supplemental CD contains a number of POSIX utility programs.
> 
> I can send you a copy if you don't have it handy. You need "rm.exe"
> 
> After installing RM.EXE, open a Command prompt and change to your "upload" 
> folder.
> 
> Execute the command rm -rf " .Tagged+RoccoBoard+Team"
> Be sure to include the space before the .Tagged and enclose the string in 
> double quotes.
> 
> The "r" option tells it to recurse the subdirectories and the "f" option 
> tells it to force a yes answer (otherwise you'll be prompted for each file).
> 
> Then turn off write permissions on your ftp site.
> 
> Bill
> At 12:05 PM 7/5/01, you wrote:
> >I just discovered that someone has hacked into our webserver through FTP and
> >has been using our server for storage of pornsite stuff among other things.
> >Below is the first logfile that appears to be the first attempt. I am not
> >sure how they got around security on the Firewall and the Server but there
> >are also directories that cannot be deleted and display no file info. This is
> >a NT4 server running IIS 4.0
> >
> >If anyone has seen this before that can fill me in on who might have done
> >this and how I can delete the directory titled NiGHtWaR   I would definitely
> >appreciate it.
> >
> >08:24:02 172.16.2.251 [1]USER anonymous 331
> >08:24:02 172.16.2.251 [1]PASS [EMAIL PROTECTED] 230
> >08:47:11 172.16.2.251 [2]USER anonymous 331
> >08:47:11 172.16.2.251 [2]PASS [EMAIL PROTECTED] 230
> >08:47:55 172.16.2.251 [2]created Tagged 226
> >08:48:26 172.16.2.251 [2]created Tagged 226
> >08:50:21 172.16.2.251 [2]ABORT - 226
> >08:50:21 172.16.2.251 [2]sent /_vti_pvt/_vti_cnf/Tagged 426
> >08:50:44 172.16.2.251 [2]QUIT - 426
> >12:49:56 172.16.2.251 [3]USER anonymous 331
> >12:49:56 172.16.2.251 [3]PASS [EMAIL PROTECTED] 230
> >14:07:42 172.16.2.251 [4]USER anonymous 331
> >14:07:42 172.16.2.251 [4]PASS [EMAIL PROTECTED] 230
> >14:08:19 172.16.2.251 [4]sent /upload/TAGGED+.txt 550
> >14:08:21 172.16.2.251 [4]created TAGGED+.txt 226
> >14:23:01 172.16.2.251 [4]QUIT - 257
> >14:23:13 172.16.2.251 [5]USER anonymous 331
> >14:23:13 172.16.2.251 [5]PASS [EMAIL PROTECTED] 230
> >14:25:03 172.16.2.251 [5]sent /upload/.Tagged+RoccoBoard+Team/COM1/1/1mb.test 550
> >
> >Thank You,
> >Charles Morin
> >Director Information Technology
> >New Horizons Computer Learning Centers
> >[EMAIL PROTECTED]
> >ph:805.496.9690
> >fx:805.496.9780
> >
> >
> >
> >This email and any files transmitted with it are confidential and are
> >intended solely for the use of the individual or entity to whom they are
> >addressed.  This communication may contain material protected by the
> >attorney-client privilege.  If you are not the intended recipient or the
> >person responsible for delivering the e-mail to the intended recipient, be
> >advised that you have received this e-mail in error and that any use,
> >dissemination, forwarding, bringing or copying of this email is strictly
> >prohibited.  If you have received this e-mail in error; please immediately
> >notify New Horizons front desk by telephone at 1-805-496-9690.  You will be
> >reimbursed for reasonable costs incurred in notifying us.
> >
> >_______________________________________________
> >Firewalls mailing list
> >[EMAIL PROTECTED]
> >http://lists.gnac.net/mailman/listinfo/firewalls
> 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Bill Hardin                                   [EMAIL PROTECTED]
> Systems Administrator                         http://www.uts.com
> Universal Technical Systems, Inc.             815.963.2220 x211
> 202 West State St. Suite 700                  815.963.8884 FAX
> Rockford, IL 61101
> 
> "99% of the failures come from people who have the habit of
> making excuses." -- George Washington Carver
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
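
An added example, not part of the original thread or any poster's code: a log triage pass over entries in the format quoted above, flagging sessions that logged in as anonymous and then wrote to the server, and paths containing DOS device names such as the COM1 component in the last log line. It assumes "created" marks an upload and that the log writes spaces in names as "+"; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the log quoted in the thread.
SAMPLE_LOG = """\
08:47:11 172.16.2.251 [2]USER anonymous 331
08:47:55 172.16.2.251 [2]created Tagged 226
08:50:21 172.16.2.251 [2]sent /_vti_pvt/_vti_cnf/Tagged 426
14:07:42 172.16.2.251 [4]USER anonymous 331
14:08:21 172.16.2.251 [4]created TAGGED+.txt 226
14:23:13 172.16.2.251 [5]USER anonymous 331
14:25:03 172.16.2.251 [5]sent /upload/.Tagged+RoccoBoard+Team/COM1/1/1mb.test 550
"""

# time, client IP, [session]verb, argument, reply code
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (\S+) (\d{3})$")
# DOS device names that Win32 path handling treats specially.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)

def odd_components(path):
    """Path components that ordinary Win32 tools mishandle."""
    hits = []
    for part in path.replace("\\", "/").split("/"):
        name = part.replace("+", " ")  # assumption: log writes spaces as '+'
        if RESERVED.match(name.strip()) or name != name.strip(" ") or name.endswith("."):
            hits.append(name)
    return hits

def analyze(log_text):
    """Map (ip, session) -> list of (time, finding, argument)."""
    anon = {}  # (ip, session) -> True once the session logs in anonymously
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        time, ip, sess, verb, arg, _status = m.groups()
        key = (ip, sess)
        if verb.upper() == "USER":
            anon[key] = arg.lower() in ("anonymous", "ftp")
        elif verb == "created" and anon.get(key):  # assumption: "created" = upload
            findings[key].append((time, "anonymous-write", arg))
        if verb in ("created", "sent") and odd_components(arg):
            findings[key].append((time, "reserved-name", arg))
    return dict(findings)
```
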