My companys webserver hacked
Results 1 to 9 of 9

Thread: My companys webserver hacked

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    3

    My companys webserver hacked

    I was wondering if any of you folks have ever ran into this. Someone uploaded about 30 gigs worth of stuff. And im not going to delete it untill I find out what it is o.O. But its some directory that I can not open in windows even when I log in as admin. its a very wierd directory name with symbols etc. I run a properties on the _vti_pvt dir it comes up with over 20,000 folders and 30 gigs of stuff. But i cant open any of the subdirectorys. here is all the information I know. One of the directorys says This PUB is under emperor control. here ill just post a screen.



    I tried to access the directory in a command line but it says it does not exist here is a screen of me trying to access it in dos



    I have also made the directory an un hidden directory so I can access it via ftp and have tried to access it through WS_FTP and through a linux box. If anyone could help point me in the correct direction. I would like to know what it is they uploaded before I delete the crap off the server.

    Thanks

    Sinep
    Share on Google+

  2. #2
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    You might want to try a cd CON..1~1 instead of the whole name. It looks like (from the screenshot) that it is an NT system correct? Have you applied all the patches to your server? Do you have any Frontpage extensions running? You server is most likely being used as a FTP server for warez or some other illegal activities.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
    Share on Google+

  3. #3
    Junior Member
    Join Date
    Jan 2004
    Posts
    3
    yea its NT 4.0 all patches installed. I found the security hole in which they got in. The secretary who setup the last page in iis forgot to disable anon login. The webserver host MANY webpages and she simply missed this one. I disabled the anon login and the bandwidth on the server went down from 6 meg per sec to the normal 20k per sec.

    and the cd CON..1~1 did not work. Im sure it was used as warez but now its not even though its still there. Im just interested in seeing what it was they uploaded 30 gigs worth of.
    Share on Google+

  4. #4
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    I dont have an NT system laying around but that ususally works on my 2000 box. What are the security permissions set on the folder? It also might be time to reformat the machine and start over because you never know what they could of installed on the server. (Remote access software, viruses or other great stuff) Do you have antivirus or a trojan cleaner on the computer. (Just to make sure)

    Its probably just 30 gigs of porn so the hacker can share with all his friends..
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
    Share on Google+

  5. #5
    Junior Member
    Join Date
    Aug 2002
    Posts
    7
    ROFLMAO
    Share on Google+

  6. #6
    Junior Member
    Join Date
    Jan 2004
    Posts
    3
    see thats the strange part when I click on the permissions on the strange folder it says The system can not find the file specified. Its there because the properties on the /_vti_pvt folder says 30 gigs. then the properties on the only other sub directory under _vti_pvt shows 0 bytes and only the 9 folders. so the 30 gigs worth of stuff HAS to be in the strange folder. but let me post this screen see the difference in how a normal nt folder shows up in properties as to how this strange one does.

    Share on Google+

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    100
    There is a way to hide folders not from view but from others accessing them. I saw it a while ago, you include the null character (ascii code: 255) which is nothing (not a character, similar to space) and can be implimented but only through msdos, so if you try to access it through windows it knows it cant have null in the name and stuffs up. So it would be worthy looking it up.
    Share on Google+

  8. #8
    Senior Member
    Join Date
    May 2003
    Posts
    407
    If modderfokker is right, then what you want is here . Try this out, and see if it works.



    slick
    \"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, \"I\'m a grown man. I should know what goes on my head.\" And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life. \" -Roy Waller
    Share on Google+

  9. #9
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Just some FYI...

    If you're doing all this stuff on the actual drive that has been hacked, STOP!

    If you intend to prosecute the hacker (provided you can uncover his/her identity), you need to work within the legal framework of forensic investigations. Most notably, it is critical for the forensic data to be authenticated as genuine.

    Many of the actions you might take, including rebooting the machine, copying files from the server, and reviewing security logs, can alter the drive data. Also, by demonstrating due diligence, you minimize the risk of a third party taking legal action against you if the hacker is putting copyrighted material on your systems or using the system as a springboard to hack other systems.

    A particularly important legal case, "Gates Rubber Co. vs. Bando Chemical Indus, Ltd," helped define the mandatory legal duty of a forensic investigator with regard to creating a mirror image copy of the hard drive in a manner that maintains chain of evidence and custody. In that case, the investigator's decision to perform logical "file-by-file" copying to preserve the evidence precluded legal use of the data because the copying might have resulted in lost information and the creation of new temporary files on the media.

    A great package to use is Encase (that's what the Feds use). It's pricey, but definately worth the money if you can afford it. They offer a free demo version that has the functionality you need, but it's only available on CD, so you'll have to wait a few days for the CD if you want to use it. You can use Ghost as well, but you'll need to do this from another machine. (You don't want to add to or take away from the original drive).

    I'd advise you to visit the AO Computer Forensics forum. There's a wealth of info on tools, most of which are freeware, that will do an adequate job, as well as some very knowledgeable people (groovicus, MsMittens, magnoon, et. al.)

    They should be of great help.
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •