One Client Site Hacked
I am copying this here to WHT in hopes of a broader security audience than the site I originally posted to.

Disclaimers (so we can hopefully get right to the meat of the situation and skip the things that I should/do already know and have in place):
1. I do not have anonymous FTP enabled on ANY of my sites/servers.
2. All my patches ARE up to date (always).
3. My "resellers" or designers do not have the permissions/ability to toggle anonymous FTP on or off.
4. My administrator password is changed regularly and is a "strong" password.
Now to the request for help.
One of the sites on my Windows 2000 server has recently been exploited - to the tune of 8.3 GB of used space. When I started receiving bandwidth notices last week, and noticed this morning that I had ZERO space to upload files to a different site on this server, I began looking into the cause.
Anyway - I found the rogue files/folders/directories and they go many, many levels deep - with non-standard file names of course. As I navigate all the way to the bottom of some of them - it's evident that they were uploading DVDs to this domain (not the owner of the domain - the hacker(s)). It is ALL contained within this single domain - no other intrusion anywhere on my server - which leads me to believe that this particular designer's password was cracked - not the server password.
Nevertheless - I immediately changed the server password, and the password to the domain itself, and notified the domain owner that his own machine may have been compromised since it appears to be confined to only his website account. He has no access to the site now until I complete the cleanup.
The cleanup is not working. I cannot delete these files/folders - either through the file directory structure itself, through the DOS command line (this excerpt from one website whose various fixes I've been working through: "I would get about four subdirectories down and it wouldn't let me cd to the next directory down (in this case, named "con"), so I couldn't get to the bottom of the tree to delete from there up." - is my exact same problem), or using a program called Tritafile, which worked for the person whose comment I excerpted but is not working on my server. FYI - the link to this particular googled set of solutions is http://www.msfn.org/board/index.php...opic=8509&st=10
Any suggestions from someone who has been through this?
This is a Windows 2000 server.
(followup)
I've managed to get it down to 3.9 GB from the 8.3 GB earlier - but there's a mess of directories & subdirectories that just will not budge.
Navigating down the tree from within the DOS prompt doesn't help because I can't get all the way to the bottom to work backwards.
Much appreciation for suggestions to try.
(followup)
FYI - I have now tried several of the Microsoft KB suggestions - including:
DEL \\.\C:\sharename\reseller\domainuser\domain.com\www\5444948.137, Are you sure (Y/N)? y
And it simply returns the prompt again. The directory is not deleted.
I have also tried
use dir /X to get the 8.3 folder name (doesn't work)
then RD /S and path\8.3 foldername (tried using one of the dir names that is not more than 8 characters - also didn't work on that dir)
I did bounce the server, in the hopes that it would jog the stuck folders - then tried the Tritafile program again - and THOUGHT it worked - until I realized that it didn't actually shred the files/directory - it reappeared with a new name with all the subdirectories intact under the new name.
(followup)
I have tried stopping the IIS service (duh) - THEN deleting - still won't go away. Removed the site in Hosting Controller. Won't go away, although now the DNS entries are gone (not a biggie - my thought process on this one was to remove the site altogether and recreate it - on this server or one of my other servers - from scratch).
Could use some help if anyone has suggestions that I haven't tried yet or comments on something I didn't quite try correctly.
Many thanks. I've been working this on my own for the past 8+ hours.
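Added example, not part of the thread above and not the poster's own commands. The "con" directory the poster cannot cd into is one of the names the Win32 subsystem reserves for devices (CON, PRN, AUX, NUL, COM1 to COM9, LPT1 to LPT9, also when an extension follows such as CON.TXT), and Win32 likewise silently strips trailing dots and spaces from a name. Any DOS-style path that names such an entry is redirected to the device or to a different name, so cmd.exe, Explorer, DEL and RD never reach the directory even though it exists on disk and is usable over FTP, which is the classic trick for making a warez tree hard to remove. The `\\.\` prefix in the KB command the poster tried, and the `\\?\` prefix used below, hand the path to the NT parser unchanged and skip that translation. The script is a Python 3 illustration of that technique; it assumes a current Python on a Windows host that can reach the path (it would not run on the Windows 2000 box itself), and the function names and the sample tree in the test are constructed for the example.

```python
r"""Find and delete tree entries that a DOS-style Windows path cannot address.

Added example for the thread above, not the poster's commands. Win32 maps
CON, PRN, AUX, NUL, COM1-9 and LPT1-9 to devices (even with an extension)
and strips trailing dots and spaces, so cmd.exe, Explorer, DEL and RD cannot
name a directory called "con". A path prefixed with \\?\ goes to the NT
parser untouched, and Python's os functions pass it straight to the wide
Win32 APIs, so os.remove/os.rmdir can delete what DEL and RD cannot reach.
"""
import ntpath
import os
import sys

DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                | {f"COM{i}" for i in range(1, 10)}
                | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_name(name):
    """True if Win32 resolves this path component to a device rather than a file."""
    stem = name.split(".", 1)[0].rstrip(" ")   # "CON.TXT" and "CON " still hit the device
    return stem.upper() in DEVICE_NAMES


def is_win32_unreachable(name):
    r"""Names that a normal (non-\\?\) Win32 path cannot address at all."""
    return is_reserved_name(name) or name != name.rstrip(" .")


def to_extended(path):
    r"""Return the \\?\ (extended-length) form of an absolute Windows path."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):                        # UNC: \\server\share\dir
        return "\\\\?\\UNC\\" + path[2:]
    if not ntpath.splitdrive(path)[0] or not ntpath.isabs(path):
        raise ValueError("need an absolute drive-letter or UNC path: %r" % path)
    return "\\\\?\\" + path


def _native(root):
    """Extended-length form on Windows; unchanged elsewhere so the code runs cross-platform."""
    return to_extended(root) if sys.platform == "win32" else root


def find_unreachable(root):
    """Walk a tree and return sorted relative paths of entries a DOS-style path cannot reach."""
    target = _native(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(target):
        for name in dirnames + filenames:
            if is_win32_unreachable(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), target))
    return sorted(hits)


def remove_tree(root):
    """Delete root and everything under it, bottom-up; returns the number of entries removed."""
    target = _native(root)
    removed = 0
    for dirpath, dirnames, filenames in os.walk(target, topdown=False):
        for name in filenames:
            os.remove(os.path.join(dirpath, name))
            removed += 1
        for name in dirnames:
            os.rmdir(os.path.join(dirpath, name))
            removed += 1
    os.rmdir(target)
    return removed + 1


if __name__ == "__main__":
    # usage: python rogue_tree.py C:\share\...\www\5444948.137 [--delete]
    top = sys.argv[1]
    for rel in find_unreachable(top):
        print("unreachable via DOS path:", rel)
    if len(sys.argv) > 2 and sys.argv[2] == "--delete":
        print("removed", remove_tree(top), "entries")
```

Run it first without `--delete` to list which names are the ones blocking DEL and RD, and record that listing (names, sizes, timestamps) before removing anything if you want any evidence of what was stored. The root must be given as an absolute drive-letter or UNC path with backslashes and no `.` or `..` components, because the `\\?\` form is passed through without normalisation.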