Mystery Directories

I think my server has been hacked. I found two directories buried in the system which seem to have no label (name). When I open the directories I see what looks like binary characters. Eventually when I reach the bottom I do see discernible names like "the dude" and "the dudu." I ran McAfee (7.1 scan engine) and it didn't detect any virus, though while scanning I noticed a few .avi files.

I've logged in as Administrator and tried to delete these directories, but couldn't.

Any ideas are greatly appreciated.

Cheers,

Mac
--
We are not Borg...
"RMac" <macma***@yahoo.com.(donotspam)> wrote in message news:842217C1-2994-4333-A110-BCF0044B21BE@microsoft.com...
> I think my server has been hacked. I found two directories buried in the system which seem to have no label (name). When I open the directories I see what looks like binary characters. Eventually when I reach the bottom I do see discernible names like "the dude" and "the dudu." I ran McAfee (7.1 scan engine) and it didn't detect any virus, though while scanning I noticed a few .avi files.
>
> I've logged in as Administrator and tried to delete these directories, but couldn't.
>
> Any ideas are greatly appreciated.
>
> Cheers,
>
> Mac
> --
> We are not Borg...

It appears you have been assimilated.

The standard response is that a rebuild from fresh format up is in order if you want to regain control of your system with absolute certainty.

You can attempt a cleaning, but just removing the storage that is now being used is not the main part of that effort. Finding how the system was penetrated, and what was installed, is. To attempt that one usually will spend more time than one does with a fresh format/install, and even after having done that, one really cannot be certain that all has been cleaned without offline analysis of the system and comparison to a clean reference system.

Again, it is quicker to rebuild.

Roger
Roger,

Thank you for the response. I was hoping not to hear this news; however, I think you are right. Assimilation hurts. :-)

Cheers,

Mac
--
We are not Borg...

"Roger Abell [MVP]" wrote:
> "RMac" <macma***@yahoo.com.(donotspam)> wrote in message news:842217C1-2994-4333-A110-BCF0044B21BE@microsoft.com...
> > I think my server has been hacked. I found two directories buried in the system which seem to have no label (name). When I open the directories I see what looks like binary characters. Eventually when I reach the bottom I do see discernible names like "the dude" and "the dudu." I ran McAfee (7.1 scan engine) and it didn't detect any virus, though while scanning I noticed a few .avi files.
> >
> > I've logged in as Administrator and tried to delete these directories, but couldn't.
> >
> > Any ideas are greatly appreciated.
> >
> > Cheers,
> >
> > Mac
> > --
> > We are not Borg...
>
> It appears you have been assimilated.
> The standard response is that a rebuild from fresh format up is in order if you want to regain control of your system with absolute certainty.
> You can attempt a cleaning, but just removing the storage that is now being used is not the main part of that effort. Finding how the system was penetrated, and what was installed, is. To attempt that one usually will spend more time than one does with a fresh format/install, and even after having done that, one really cannot be certain that all has been cleaned without offline analysis of the system and comparison to a clean reference system.
> Again, it is quicker to rebuild.
> Roger

"RMac" <macma***@yahoo.com.(donotspam)> wrote in message news:842217C1-2994-4333-A110-BCF0044B21BE@microsoft.com...
> I think my server has been hacked. I found two directories buried in the system which seem to have no label (name). When I open the directories I see what looks like binary characters. Eventually when I reach the bottom I do see discernible names like "the dude" and "the dudu." I ran McAfee (7.1 scan engine) and it didn't detect any virus, though while scanning I noticed a few .avi files.

This is probably what is called pubstro or ftp tagging. More information here: http://securityadmin.info/faq.asp?ftpfolder

If the system was installed with an FTP server running, such as IIS FTP, and these files were in the system's FTP folder share, then this might not be a hack worthy of a format and a reinstall. But if the folder was located elsewhere on the system, or if an FTP service such as Serv-U FTP was installed by an intruder, then that indicates that the attacker was able to remotely execute code on your system.

Note that with ftp tagging, the attackers very rarely look at or care what is on your system; the goal is just to scan as many systems as quickly as possible via an automated scanning tool. However, it also probably indicates that your system had a pretty significant and well-known security vulnerability such as a missing critical patch or an insecure configuration that another attacker might or might not have also exploited.

If you do format and reinstall, make sure it is done using a good secure process, including installing all security patches and choosing secure configuration settings, or you will be compromised again.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ: http://securityadmin.info
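Karl's triage rule (storage inside the FTP share means an abused FTP permission; the same directories elsewhere mean the attacker could run code) can be turned into a script that an administrator runs before deciding between cleanup and rebuild. The following is an added example, not code from this thread or from securityadmin.info. It assumes Win32/NTFS naming rules, namely that the "nameless" and undeletable directories Mac describes are built from control characters, invisible characters such as the no-break space, trailing dots or spaces, or reserved device names; it assumes the operator supplies the FTP root path; and the directory list it scans is constructed for illustration rather than taken from a real system.

```python
"""Triage helper for the 'mystery directories' pattern in this thread.

Added example, not code from the thread or from securityadmin.info. It assumes
Windows/NTFS naming rules, that the operator supplies the FTP root path, and
that SAMPLE_DIRS below is a constructed list, not data from a real host.
"""
import os
import unicodedata
from pathlib import PureWindowsPath
from typing import Optional

# Win32 reserved device names: a directory whose base name is one of these is
# hard to open or delete with Explorer or del/rmdir (assumption: Win32 rules).
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})


def name_findings(name: str) -> list:
    """List the reasons one path component looks like a deliberately unmanageable name."""
    findings = []
    if name.strip(" .") == "":
        findings.append("blank, or spaces/dots only")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        findings.append("control characters")
    # Zs/Cf/Co cover the no-break space, format and private-use characters: they
    # render as nothing in Explorer, which is how a directory gets "no name".
    if any(c != " " and unicodedata.category(c) in {"Zs", "Cf", "Co"} for c in name):
        findings.append("invisible/format characters")
    if name.strip(" .") != "" and name != name.rstrip(" ."):
        findings.append("trailing space or dot")
    if name.split(".")[0].upper() in RESERVED_NAMES:
        findings.append("reserved device name")
    return findings


def _is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive prefix test, because NTFS paths compare case-insensitively."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[:len(r)] == r


def classify_path(path: str, ftp_root: str) -> Optional[dict]:
    """Return a finding for a suspicious directory path, or None if every component is ordinary."""
    p = PureWindowsPath(path)
    components = [part for part in p.parts if part != p.anchor]
    findings = [(part, name_findings(part)) for part in components]
    findings = [f for f in findings if f[1]]
    if not findings:
        return None
    under_ftp = _is_under(p, PureWindowsPath(ftp_root))
    return {
        "path": path,
        "findings": findings,
        "under_ftp_root": under_ftp,
        "action": ("inside the FTP share: fix FTP write permissions, review FTP logs"
                   if under_ftp else
                   "outside the FTP root: assume remote code execution, rebuild from clean media"),
    }


def triage(paths, ftp_root: str) -> list:
    """Classify every path and keep only the suspicious ones, in input order."""
    return [r for r in (classify_path(p, ftp_root) for p in paths) if r is not None]


def scan_tree(root: str):
    """Yield every directory path below root, for feeding a live volume into triage()."""
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            yield os.path.join(dirpath, d)


# Constructed sample, not data from the thread. Backslashes are doubled because
# these are ordinary (non-raw) Python strings that also carry escape sequences.
SAMPLE_DIRS = [
    "C:\\Inetpub\\ftproot\\incoming",            # ordinary directory
    "C:\\Inetpub\\ftproot\\\u00a0\\the dude",    # no-break-space name inside the FTP share
    "C:\\Inetpub\\ftproot\\COM1\\the dudu",      # reserved device name inside the FTP share
    "C:\\WINNT\\system32\\\u00a0\\pub",          # same trick outside the FTP root
    "C:\\Data\\reports.",                        # trailing dot
]

if __name__ == "__main__":
    for r in triage(SAMPLE_DIRS, "C:\\Inetpub\\ftproot"):
        print(repr(r["path"]), r["findings"], "->", r["action"])
```

On a live host the call would be `triage(scan_tree("C:\\"), ftp_root)` with the FTP root read from the IIS (or other FTP service) configuration; a hit outside that root, or an FTP service the administrator never installed, is the signal Karl describes for choosing the rebuild.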