General discussion


We were hacked...

By gregberry
We have two new w2k servers (web & sql) that are both running IIS (the web is also running ftp). Some hackers broke in and created directories for storing mp3s, movies, etc. I am trying to delete these directories, but I get an error: cannot read from the source file or disk. How do I delete these directories (these directories' main directory is just spaces instead of letters or numbers)? I am also getting the following error in event viewer a lot (does this mean anything)?

Event Type: Error
Event Source: NetDDE
Event Category: None
Event ID: 206
Date: 2/21/2002
Time: 4:26:54 AM
User: N/A
Computer:
Description:
Listen failed: 15:

Please help... Thanks!

All Comments

We were hacked...

by gregberry In reply to We were hacked...

Newest security patches are installed from Microsoft


We were hacked...

by Joseph Moore In reply to We were hacked...

I think check Services and stop the Network DDE and/or the Network DDE DSDM services. Normally, they do not run and are set to Manual. Set them to Manual in case they have been changed.

Try that, reboot, and then make sure neither service started back up. Then try to delete the folder.

After that, you need to review your lockdown procedures and password settings. Here is a URL for a Microsoft IIS security document:
http://www.microsoft.com/mspress/books/sampchap/4293.asp

And look into the IIS lockdown tool:
http://www.microsoft.com/downloads/release.asp?ReleaseID=33961&area=search&ordinal=2
(please remove any spaces)

good luck


We were hacked...

by gregberry In reply to We were hacked...

Services were set to manual, could not delete the files, already applied security patch.


We were hacked...

by XpertDragon In reply to We were hacked...

Sorry to hear that you were hacked. Servers in particular that are running web services tend to be at a higher risk of hacker attack when not secured properly. Not exactly sure what I can tell you about educating yourself and/or your staff about server security.

Head over to Microsoft's security-oriented page and request a FREE copy of their security tool-kit CD for your organization. It's straightforward and easy to use to apply patches and Microsoft-related fixes on servers. It's located at: www.microsoft.com/security

Also, visit sites such as www.secadmin.com, to get up to date on common security issues.

That error message that you are receiving appears to be a Port error on your server, and many other open ports may be serving as a backdoor method of how the hackers breached your server in the first place.

Best of Luck.....total security and a secure state of mind is an uphill battle.

Paul M. Chavez


We were hacked...

by gregberry In reply to We were hacked...

Already downloaded security patches.


We were hacked...

by Raffi_ In reply to We were hacked...

I saw another box like this. I had to recall all of my old DOS skills to kill those directories. Including using the ALT keypad sequence for a "space" character - ALT 32 I think.

The other choice you have - if it is not a system drive - is to move everything off that drive/partition and format it. Then move everything back on.

I did not trust that machine after the attack and I strongly suggested that it be wiped and re-installed. That is what we ended up doing.

NetDDE by the way could be giving the attacker ongoing access to that machine. Kill the service and change all of your passwords on any machines that may be connected to that one. I think you should assume the worst here.


We were hacked...

by gregberry In reply to We were hacked...

I tried what you suggested; while it does put the spaces in, it still will not delete.


We were hacked...

by gregberry In reply to We were hacked...

We have MS ISA Server installed.

Any idea on how to delete folders with spaces in the names (before and after name of folder)?

The error I am getting is...
Cannot Delete File: Cannot read from the source file or disk.

I shut the NetDDE services down.


We were hacked...

by robert_marino In reply to We were hacked...

Open a command prompt, change to the drive where the folder was created, and type: dir /x. This will give you the short name of the folder. Then use the short name to delete the folder.

The hackers might have used a space or some type of character that will not be displayed when doing a regular directory listing.

Hope this helps.
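An added example, not part of the post above or of the thread: a Python script that lists directories whose names are only spaces, begin or end with a space or dot, or contain non-printing characters, and can remove them through the Win32 `\\?\` path prefix, which bypasses the name normalization that strips trailing spaces. The function names and the `--delete` switch are assumptions made for this example.

```python
import os
import shutil
import sys
import unicodedata

def name_issues(name):
    """Reasons a directory name is hidden from, or mangled by, normal Win32 path handling."""
    issues = []
    if name.strip(" ") == "":
        issues.append("spaces-only")
    elif name != name.strip(" "):
        issues.append("leading/trailing space")
    if name.endswith("."):
        issues.append("trailing dot")
    # Control, format and non-ASCII space characters do not show in a plain listing.
    if any(c != " " and unicodedata.category(c) in ("Cc", "Cf", "Zs") for c in name):
        issues.append("non-printing character")
    return issues

def extended_path(path):
    r"""Return the \\?\ form of an absolute Windows path (passed to NTFS un-normalized)."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):                 # UNC share: \\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path

def scan(root):
    """Walk root and return [(path, issues)] for every directory with a suspicious name."""
    hits = []
    for parent, dirs, _files in os.walk(root):
        for d in dirs:
            issues = name_issues(d)
            if issues:
                hits.append((os.path.join(parent, d), issues))
    return hits

if __name__ == "__main__":
    root = os.path.abspath(sys.argv[1] if len(sys.argv) > 1 else ".")
    if os.name == "nt":
        root = extended_path(root)   # every path os.walk yields inherits the prefix
    delete = "--delete" in sys.argv[2:]
    for path, issues in scan(root):
        print(repr(path), ", ".join(issues))     # repr() makes the spaces visible
        if delete and os.path.isdir(path):       # a parent may already be gone
            shutil.rmtree(path)
```

Run it without `--delete` first and keep the output as a record of what the intruders created before anything is removed.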


We were hacked...

by gregberry In reply to We were hacked...

Won't work because the directory is just spaces.
