May 16th, 2002, 03:52 PM
I have an IIS server that appears to of been hacked. There are some directories under the root which I cannot delete or manipulate at all even under DOS. I have swept for viruses but it does appear that this is a hackers little present.
Does anyone have any advice about how to tidy it things up. I would be very grateful.
Thanks in advance
May 16th, 2002, 04:35 PM
Re: Real Newbie
Or better fdisk /mbr
Than reinstall the os and this time do an os update
,install a firewall[make a backup]+ anti-virus[fully updated]to be safe burn backup on cd.
i m gone,thx everyone for so much fun and good info.
cheers and good bye
May 16th, 2002, 04:41 PM
Use apache web server. IIS just plain ol' sucks.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
May 16th, 2002, 04:44 PM
Yeah, i mean you read about different IIS exploits every other day in the news, and most of em dont have an official MS update patch, and u still want to use it????
Apache has an update patch EVERY time any exploit is released..... if your gonna use windows u can still use Apache, but i would also suggest getting *nix, cus come on, how secure can Windows really be???
May 16th, 2002, 04:45 PM
once a box has been comprimised you dont know what has been changed you have no other choice but to format.
May 16th, 2002, 05:23 PM
I would have to start by saying three words...apache, apache and apache!
But here's a few things you can do to w/IIS. I'd suggest you do a clean install there and then have the latest security patches running. Then get rid of guest account and rename your Admin to something else. Some people like to keep guest to a minimum as honeypot, but is it worth it? Install your webserver on a NTFS partition w/appropriate permissions. Your webserver should be laying around anything but c:\inetpub\wwwroot. Shut down unnecessary ports and services..yeah, the entire ftp.exe/cmd.exe/telnet.exe/wscript.exe family. Turn off Directory Browsing and RDS. Urgh, you don't want those. IIS Log files are important, don't ignore them, but also turn your security auditing on event viewer. I believe this is done manually.
The list goes on and on, since security is something you implement layer by layer, product by product, things have to be individually analized to fit your needs.
My three cents worth
May 16th, 2002, 05:53 PM
you know what you could also do......just leave the little folders that they deposited alone, as long as they dont *bug* you to much.
May 16th, 2002, 06:20 PM
May 16th, 2002, 06:32 PM
May 16th, 2002, 06:54 PM
His system has been exploited and you suggest that he just leaves everything he has found that was dropped on the box alone, and I quote..."if it doesn't bug you too much"
My only guess here is that you have no clue about security and that you are not (hopefully) working as an admin somewhere protecting somebody's network. My only advice for you at this point is to read....then read some more...and then read a bit more.