-
January 23rd, 2004, 11:04 PM
#1
Junior Member
My companys webserver hacked
I was wondering if any of you folks have ever run into this. Someone uploaded about 30 gigs worth of stuff. And I'm not going to delete it until I find out what it is o.O. But it's some directory that I can not open in Windows even when I log in as admin. It's a very weird directory name with symbols etc. When I run properties on the _vti_pvt dir it comes up with over 20,000 folders and 30 gigs of stuff. But I can't open any of the subdirectories. Here is all the information I know. One of the directories says "This PUB is under emperor control." Here I'll just post a screen.
I tried to access the directory in a command line but it says it does not exist. Here is a screen of me trying to access it in DOS.
I have also made the directory an unhidden directory so I can access it via FTP, and have tried to access it through WS_FTP and through a Linux box. If anyone could help point me in the correct direction, I would like to know what it is they uploaded before I delete the crap off the server.
Thanks
Sinep
-
January 23rd, 2004, 11:17 PM
#2
You might want to try a cd CON..1~1 instead of the whole name. It looks (from the screenshot) like it is an NT system, correct? Have you applied all the patches to your server? Do you have any FrontPage extensions running? Your server is most likely being used as an FTP server for warez or some other illegal activities.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
January 23rd, 2004, 11:22 PM
#3
Junior Member
Yeah, it's NT 4.0, all patches installed. I found the security hole through which they got in. The secretary who set up the last page in IIS forgot to disable anonymous login. The webserver hosts MANY webpages and she simply missed this one. I disabled the anonymous login and the bandwidth on the server went down from 6 meg per sec to the normal 20k per sec.
And the cd CON..1~1 did not work. I'm sure it was used as warez, but now it's not, even though it's still there. I'm just interested in seeing what it was they uploaded 30 gigs worth of.
-
January 23rd, 2004, 11:26 PM
#4
I don't have an NT system lying around, but that usually works on my 2000 box. What are the security permissions set on the folder? It also might be time to reformat the machine and start over, because you never know what they could have installed on the server (remote access software, viruses or other great stuff). Do you have antivirus or a trojan cleaner on the computer? (Just to make sure.)
It's probably just 30 gigs of porn so the hacker can share with all his friends..
-
January 23rd, 2004, 11:28 PM
#5
Junior Member
-
January 23rd, 2004, 11:37 PM
#6
Junior Member
See, that's the strange part: when I click on the permissions on the strange folder it says "The system cannot find the file specified." It's there, because the properties on the /_vti_pvt folder say 30 gigs. Then the properties on the only other subdirectory under _vti_pvt show 0 bytes and only the 9 folders. So the 30 gigs worth of stuff HAS to be in the strange folder. But let me post this screen; see the difference in how a normal NT folder shows up in properties compared to how this strange one does.
-
January 23rd, 2004, 11:44 PM
#7
Senior Member
There is a way to hide folders, not from view but from others accessing them. I saw it a while ago: you include the null character (ASCII code: 255), which is nothing (not a character, similar to space) and can be implemented, but only through MS-DOS, so if you try to access it through Windows it knows it can't have null in the name and stuffs up. So it would be worth looking it up.
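The two tricks discussed in this thread (a folder whose name starts with a reserved DOS device name such as CON, and names carrying unprintable or high-bit characters) can be hunted for from the defender's side. The scanner below is an added example, not code from anyone in the thread; it walks a tree and flags entry names that ordinary Win32 path handling cannot open, so an admin can locate such a directory before deciding what to do with it.

```python
import os
import sys

# DOS/Windows reserves these names for devices. An entry named CON, or a
# variant like "CON..1~1", is rejected by normal Win32 path parsing, which
# is why Explorer and a plain "cd" in the thread reported it as missing.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{i}" for i in range(1, 10)}
RESERVED |= {f"LPT{i}" for i in range(1, 10)}


def is_suspicious_name(name: str) -> list[str]:
    """Return the reasons an entry name looks like a hidden-directory trick
    (empty list means the name is ordinary)."""
    reasons = []
    # Only the part before the first dot matters for device-name matching.
    stem = name.split(".")[0].upper()
    if stem in RESERVED:
        reasons.append("reserved device name")
    if name != name.rstrip(". "):
        reasons.append("trailing dot or space")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        reasons.append("control character")
    if any(ord(c) > 126 for c in name):
        reasons.append("non-printable/high-bit character")
    return reasons


def scan(root: str) -> list[tuple[str, list[str]]]:
    """Walk root and return (path, reasons) for every suspicious entry."""
    hits = []
    # On Windows the \\?\ prefix bypasses DOS name parsing, so reserved names
    # and trailing dots become reachable; elsewhere the path is used as-is.
    if os.name == "nt" and not root.startswith("\\\\?\\"):
        root = "\\\\?\\" + os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = is_suspicious_name(name)
            if reasons:
                hits.append((os.path.join(dirpath, name), reasons))
    return hits


if __name__ == "__main__":
    for path, why in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path!r}: {', '.join(why)}")
```

Run it against the web root (for example the parent of _vti_pvt) from an account that can read the tree; the repr() output keeps unprintable bytes visible in the report.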
-
January 24th, 2004, 01:41 AM
#8
If modderfokker is right, then what you want is here. Try this out, and see if it works.
slick
"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, 'I'm a grown man. I should know what goes on my head.' And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life." -Roy Waller
-
January 24th, 2004, 02:06 AM
#9
Just some FYI...
If you're doing all this stuff on the actual drive that has been hacked, STOP!
If you intend to prosecute the hacker (provided you can uncover his/her identity), you need to work within the legal framework of forensic investigations. Most notably, it is critical for the forensic data to be authenticated as genuine.
Many of the actions you might take, including rebooting the machine, copying files from the server, and reviewing security logs, can alter the drive data. Also, by demonstrating due diligence, you minimize the risk of a third party taking legal action against you if the hacker is putting copyrighted material on your systems or using the system as a springboard to hack other systems.
A particularly important legal case, "Gates Rubber Co. vs. Bando Chemical Indus, Ltd," helped define the mandatory legal duty of a forensic investigator with regard to creating a mirror image copy of the hard drive in a manner that maintains chain of evidence and custody. In that case, the investigator's decision to perform logical "file-by-file" copying to preserve the evidence precluded legal use of the data because the copying might have resulted in lost information and the creation of new temporary files on the media.
A great package to use is EnCase (that's what the Feds use). It's pricey, but definitely worth the money if you can afford it. They offer a free demo version that has the functionality you need, but it's only available on CD, so you'll have to wait a few days for the CD if you want to use it. You can use Ghost as well, but you'll need to do this from another machine. (You don't want to add to or take away from the original drive.)
I'd advise you to visit the AO Computer Forensics forum. There's a wealth of info on tools, most of which are freeware, that will do an adequate job, as well as some very knowledgeable people (groovicus, MsMittens, magnoon, et al.)
They should be of great help.
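The distinction the post draws, a block-level mirror image whose integrity can be attested versus a file-by-file copy, comes down to reading the raw bytes in order and recording a digest that anyone can later recompute. The routine below is an added illustration, not code from the post or from EnCase or Ghost; it images a source (a file, or on Linux a block device path such as /dev/sdX, assumed here) block by block, independently re-hashes the finished image, and returns a custody record that verify_image() can check later.

```python
import hashlib
import os
import time

BLOCK = 1 << 20  # 1 MiB reads: bit-for-bit, never file-by-file


def _digest(path: str, algo: str) -> str:
    """Hash a file or raw device from start to EOF in fixed-size blocks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fin:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(src: str, dst: str, algo: str = "sha256") -> dict:
    """Copy src to dst block by block while hashing the source, then re-read
    the written image and confirm it matches. Returns a custody record."""
    src_hash = hashlib.new(algo)
    size = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            src_hash.update(chunk)
            fout.write(chunk)
            size += len(chunk)
    # Re-read the image from disk rather than trusting the bytes just written:
    # the record must attest to what is actually stored.
    if _digest(dst, algo) != src_hash.hexdigest():
        raise RuntimeError("image does not verify against source")
    return {
        "source": os.path.abspath(src),
        "image": os.path.abspath(dst),
        "bytes": size,
        "algorithm": algo,
        "digest": src_hash.hexdigest(),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def verify_image(path: str, record: dict) -> bool:
    """Later check that an image still matches its custody record."""
    return _digest(path, record["algorithm"]) == record["digest"]
```

Keep the source mounted read-only (or use a hardware write blocker) while imaging, and store the record separately from the image so the digest can be re-checked by a second party.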