Server got hacked. Help please.
    Server got hacked. Help please.  
Mike




 
06-26-04 03:16 PM

Hello,

This week we got a call from our security guys informing
us that the web server got hacked. Upon investigation,
I've found compressed MP3 files that were distributed
from this server.  Security guys informed me that the
break-in was probably done using MS FrontPage extension
hack.  I've taken steps to harden the server by doing the
following:
Scanned entire server for virus
Locked down IIS server using MS lockdown tool (only .ASP is allowed to run)
Renamed iisstart.asp, _vti_inf.html, postinfo.html in c:\csbo
Changed web directory security of _vti_bin from anonymous to windows authentication only

The firewall allows connection from our subnet without
restriction, but just port 80 and 443 from any other.

We are setting up a new server to replace this one but at
the same time we are trying to clean this server up, but
we cannot delete the folders they have created or some of
the files. The folders either have blanks in them or are
named .d%.com1  1:2  and other versions. Is there any way
we can clean up this server and delete these folders and
files? Also they have changed permissions on some of the
folders that we cannot change back.

Or if anyone knows any articles so we can lock down the
new server so this does not happen again. We had
followed this
http://www.microsoft.com/technet/pr...l/windows2000serv/technologies/iis/tips/iis5chk.mspx
when we set up this server that got hacked.

Any help on this matter would be greatly appreciated.

TIA

Mike.









    Re: Server got hacked. Help please.  
Miha Pihler




 
06-26-04 03:16 PM

Hi Mike,

To get back access to your files, follow the following article.

HOW TO: Take Ownership of Files
http://support.microsoft.com/defaul...ben-us%3b120716

I hope this helps you out,

Mike

"Mike" <rsam2242@hotmail.com> wrote in message
 news:2133001c45af0$031d4fc0$a601280a@phx.gbl...
> Hello,
>
> This week we got a call from our security guys informing
> us that the web server got hacked. Upon investigation,
> I've found compressed MP3 files that were distributed
> from this server.  Security guys informed me that the
> break-in was probably done using MS FrontPage extension
> hack.  I've taken steps to harden the server by doing the
> following:
> Scanned entire server for virus
> Locked down IIS server using MS lockdown tool (only .ASP is allowed to run)
> Renamed iisstart.asp, _vti_inf.html, postinfo.html in c:\csbo
> Changed web directory security of _vti_bin from anonymous to windows authentication only
>
> The firewall allows connection from our subnet without
> restriction, but just port 80 and 443 from any other.
>
> We are setting up a new server to replace this one but at
> the same time we are trying to clean this server up, but
> we cannot delete the folders they have created or some of
> the files. The folders either have blanks in them or are
> named .d%.com1  1:2  and other versions. Is there any way
> we can clean up this server and delete these folders and
> files? Also they have changed permissions on some of the
> folders that we cannot change back.
>
> Or if anyone knows any articles so we can lock down the
> new server so this does not happen again. We had
> followed this
> http://www.microsoft.com/technet/pr...l/windows2000serv/technologies/iis/tips/iis5chk.mspx
> when we set up this server that got hacked.
>
> Any help on this matter would be greatly appreciated.
>
> TIA
>
> Mike.
>










    Re: Server got hacked. Help please.  
Paul Lynch




 
06-26-04 03:16 PM

On Fri, 25 Jun 2004 13:07:16 -0700, "Mike" <rsam2242@hotmail.com>
wrote:

>Hello,
>
>This week we got a call from our security guys informing
>us that the web server got hacked. Upon investigation,
>I've found compressed MP3 files that were distributed
>from this server.  Security guys informed me that the
>break-in was probably done using MS FrontPage extension
>hack.  I've taken steps to harden the server by doing the
>following:
>Scanned entire server for virus
>Locked down IIS server using MS lockdown tool (only .ASP is allowed to run)
>Renamed iisstart.asp, _vti_inf.html, postinfo.html in c:\csbo
>Changed web directory security of _vti_bin from anonymous to windows authentication only
>
>The firewall allows connection from our subnet without
>restriction, but just port 80 and 443 from any other.
>
>We are setting up a new server to replace this one but at
>the same time we are trying to clean this server up, but
>we cannot delete the folders they have created or some of
>the files. The folders either have blanks in them or are
>named .d%.com1  1:2  and other versions. Is there any way
>we can clean up this server and delete these folders and
>files? Also they have changed permissions on some of the
>folders that we cannot change back.
>
>Or if anyone knows any articles so we can lock down the
>new server so this does not happen again. We had
>followed this
>http://www.microsoft.com/technet/pr...l/windows2000serv/technologies/iis/tips/iis5chk.mspx
>when we set up this server that got hacked.
>
>Any help on this matter would be greatly appreciated.
>
>TIA
>
>Mike.

Mike,

Are you running an FTP server? Is anonymous access enabled? Can the
anonymous user account upload files to your server?

If the answer to the above questions is yes then I suggest you disable
anonymous access for now and try this KB article for removing the
files you are struggling to delete:

You cannot remove suspicious folders from the FTP file structure
http://support.microsoft.com/?id=811176

Then take a look at these articles :

http://securityadmin.info/faq.asp#hackerstoc

http://securityadmin.info/faq.asp#hacked


Regards,

Paul Lynch
MCSE
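
An added example, not part of any post in this thread: folders named like DOS devices (com1) or ending in a space cannot be addressed through ordinary Win32 paths, while the \\?\ extended-path prefix hands the name to NTFS unparsed. This Python script flags such names and builds the prefixed rd command; the function names, the C:\example\ftproot path and the sample folder names are constructed for illustration.

```python
import ntpath
import os
import re

# DOS device names the Win32 layer reserves, with or without an extension.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|$)", re.I)

def name_problems(name):
    """Reasons a normal Win32 path cannot address this NTFS entry name."""
    problems = []
    if name.strip(" ") == "":
        problems.append("blank name")
    elif name != name.rstrip(" ."):
        problems.append("trailing space or dot")
    if RESERVED.match(name.strip(" ")):
        problems.append("reserved device name")
    return problems

def extended_path(win_path):
    # The \\?\ prefix makes Win32 pass the name to NTFS without parsing it.
    path = win_path.replace("/", "\\")
    drive, rest = ntpath.splitdrive(path)
    if len(drive) != 2 or not rest.startswith("\\"):
        raise ValueError("need an absolute drive path such as C:\\dir")
    return "\\\\?\\" + path

def cleanup_command(win_path):
    """cmd.exe command that removes the folder through the prefixed path."""
    return 'rd /s /q "%s"' % extended_path(win_path)

def scan(root):
    """Yield (path, problems) for each entry under root with a bad name.
    On Windows, pass root in prefixed form so the walk can descend."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            problems = name_problems(name)
            if problems:
                yield os.path.join(dirpath, name), problems

if __name__ == "__main__":
    # Constructed folder names under a hypothetical FTP root.
    for name in ["com1", "tagged ", "   ", "lpt3.mp3", "music"]:
        path = "C:\\example\\ftproot\\" + name
        for reason in name_problems(name):
            print("%r: %s -> %s" % (name, reason, cleanup_command(path)))
```

Review the flagged list before running any generated command, and take ownership of the folder first if its permissions were changed.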








    Re: Server got hacked. Help please.  
Karl Levinson [x y] mvp




 
06-26-04 03:16 PM

This is in the FAQ.  See:  http://securityadmin.info/faq.asp#ftpfolder   You
need to also close the hole that allowed this in, in addition to deleting
the folder.  The security issue permitting this to happen is probably a very
old one, so see also:

http://securityadmin.info/faq.asp#harden


"Mike" <rsam2242@hotmail.com> wrote in message
 news:2133001c45af0$031d4fc0$a601280a@phx.gbl...
> Hello,
>
> This week we got a call from our security guys informing
> us that the web server got hacked. Upon investigation,
> I've found compressed MP3 files that were distributed
> from this server.  Security guys informed me that the
> break-in was probably done using MS FrontPage extension
> hack.  I've taken steps to harden the server by doing the
> following:
> Scanned entire server for virus
> Locked down IIS server using MS lockdown tool (only .ASP is allowed to run)
> Renamed iisstart.asp, _vti_inf.html, postinfo.html in c:\csbo
> Changed web directory security of _vti_bin from anonymous to windows authentication only
>
> The firewall allows connection from our subnet without
> restriction, but just port 80 and 443 from any other.
>
> We are setting up a new server to replace this one but at
> the same time we are trying to clean this server up, but
> we cannot delete the folders they have created or some of
> the files. The folders either have blanks in them or are
> named .d%.com1  1:2  and other versions. Is there any way
> we can clean up this server and delete these folders and
> files? Also they have changed permissions on some of the
> folders that we cannot change back.
>
> Or if anyone knows any articles so we can lock down the
> new server so this does not happen again. We had
> followed this
> http://www.microsoft.com/technet/pr...l/windows2000serv/technologies/iis/tips/iis5chk.mspx
> when we set up this server that got hacked.
>
> Any help on this matter would be greatly appreciated.
>
> TIA
>
> Mike.
>














 





All times are GMT.