
Hacker broke in and deleted files from folders!!!

Status
Not open for further replies.

WebHedon (Technical User), Sep 10, 2003
Hello all. We just had a little attack on our organization's Win2k server. I noticed on Monday that when I tried to open the website I have been working on, which was saved in the Inetpub folder on the server, all of the folders and files except for the _notes folder were deleted. Oddly enough, right inside of the Inetpub directory there are now about 5 blank, unnamed folders, but when I check the properties of the folders, they are each exactly 1.08 gigs. But we can't open the folders, rename them, or move them, and I think they are blank, so they elude the searches for the files.

We think the hacker could have gotten on via one of the employees' laptops which they use for business and pleasure, but we aren't sure how to prevent it from happening again, or how to trace who did it, or how to find the missing files.

Has anyone ever encountered anything like this before? Please help if you know anything about this.

Thanks in advance,
Jesse <-- WebHedon
 
I work in the abuse department.

Right now, one of our customers had left an unpatched Win2k box outside of his firewall, and it got owned. Then when we told him his mail server was being used as an open relay, he took the box and put it BEHIND his firewall... (and nothing else).

Then all of a sudden, his other mail server in ANOTHER city started sending spam too. THEN he started acting, and that's when he noticed the perpetrators had added users and modified his Exchange configs on both servers, and used the VPN to pass from site A to site B.

Believe me man, it could be worse. Because this guy essentially fscked himself over by allowing something not secure/safe inside his network.

So follow the steps to immediate recovery.
1) UNPLUG THE SERVER
2) FIND THE BACKUPS
3) (optional) pray to the $deity that your backups are actually functional.

And then immediately start a security audit. If they got in once, they probably have had access to everything else in that subnet, or that network.

Good luck.
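Step 3 above is the one most people skip: checking that a backup is actually usable before restoring from it. The following is an added example (not code from the Tek-Tips thread or either poster) showing one way to do that check: build a manifest of SHA-256 hashes from a tree when it is known to be good, then compare a backup copy against that manifest so that missing files, altered files and files that were never part of the site (the kind of thing an intruder drops) are reported rather than silently restored. The directory layout, file names and the damage applied to the backup are all constructed for the demo; the `good`, `backup`, `dropped.bin` names and the `demo()` helper are assumptions, not anything from the original post.

```python
"""Verify that a backup tree matches a known-good manifest before trusting it.

Added example, not from the Tek-Tips thread. Hash every regular file under a
known-good tree, then check a backup tree against those hashes and report
what is missing, what changed, and what appeared that was never in the site.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> Dict[str, List[str]]:
    """Compare a backup tree against a manifest taken when the data was good.

    missing    - in the manifest, absent from the backup
    modified   - present in both, but the content hash differs
    unexpected - in the backup, never in the manifest (candidate attacker artefacts)
    """
    found = build_manifest(backup_root)
    missing = sorted(p for p in manifest if p not in found)
    modified = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    unexpected = sorted(p for p in found if p not in manifest)
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (assumption, not the poster's real site): a small
    site tree, and a backup of it with one file deleted, one altered and one
    extra file that was never part of the site."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        backup = Path(tmp) / "backup"
        for root in (good, backup):
            (root / "_notes").mkdir(parents=True)
            (root / "images").mkdir()
            (root / "index.htm").write_text("<html>site</html>")
            (root / "_notes" / "index.htm.mno").write_text("<info/>")
            (root / "images" / "logo.gif").write_bytes(b"GIF89a")
        manifest = build_manifest(good)  # taken while the tree is known good

        # Damage the backup copy to show each category of finding.
        (backup / "images" / "logo.gif").unlink()                 # missing
        (backup / "index.htm").write_text("<html>defaced</html>")  # modified
        (backup / "dropped.bin").write_bytes(b"\x00" * 16)         # unexpected
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest has to come from a point in time before the intrusion (for instance, stored with the previous backup set or on write-once media); a manifest built from the compromised server itself would simply bless whatever the intruder left behind. Any hit in `unexpected` or `modified` on the backup media means that copy was taken after the break-in and is not a clean restore point.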

 