
InetPub/Scripts directory has over 42,000 files. Can I Delete?

Status
Not open for further replies.

pixelp

MIS
Oct 5, 2001
6
US
I'm new to W2K servers so bear with me. I'm used to Unix OS.
I'm helping a company out with their 2000 servers. Their C drive is full; in cleaning up I noticed that Inetpub/scripts has over 42,000 script files, most starting with TFTP or something like that. I have determined that this area is for ftp access and understand that this is where hackers can get info.
Can I delete these files? What are they? If it's from hackers can I do some more research to determine from where? This company has been suspicious of hacker attacks so it's possible.
I guess my overall question is can I delete these and if not what are they used for? Seems excessive.....
Thanks for any info!
 
OK, here's an update of what I have found out so far.
We were indeed hacked on Sept 18th, 2001. The hacker apparently wanted to change our default.html but we do not use our W2K server as an IIS server so it went unnoticed until the C drive filled up.
The C drive was full of Trivial File Transfer Protocol files in /Inetpub/scripts.
I have moved them off that drive for now to isolate them but all the default html files are now his obscene webpage.
I also noticed an Admin.dll file dated the same day. My other server does not have the .dll file on it (or any other extraneous files) so now I'm wondering if I need to delete this as well to prevent further floods of the TFTP files.
I'm checking into firewalls now but I'm seriously considering shutting off the ftp port. But I have no idea how to do that. Any help is greatly appreciated!
 
Yeah, common problem with typical win2k installs (pre SP2) is that it enables IIS automatically. I'd suggest putting admin services on DISABLED, take any sharing you have on \inetpub off (default is c:\) - remove the admin share ($c) or reset the admin password ASAP.

On your firewall, depending on what type it is, blocking ports should be pretty straightforward. Firewalls usually block all incoming ports and it's your responsibility to open/forward the ones you need for your various services.

I suspect this isn't the case with your firewall since you've had port 21/80 open. My best guess is that you were hacked through port 80 because your win2k box isn't patched. Visit MS TechNet and get the latest patches.
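
The thread asks what the files are and whether they can be deleted. As an added example (not part of the thread and not any poster's code), this Python sketch inventories an isolated copy of the scripts directory before cleanup: it counts files by name prefix and modification day, then hashes any executables last modified on the busiest day. The function names `triage` and `build_sample` are hypothetical, and the sample file names and dates are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

EXECUTABLE_EXT = {".dll", ".exe", ".com", ".bat", ".cmd", ".scr"}

def triage(directory):
    """Summarise a directory before cleanup: name prefixes, modification
    days, and executables last modified on the busiest day."""
    prefixes, days, executables = Counter(), Counter(), []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        mtime = entry.stat(follow_symlinks=False).st_mtime
        day = datetime.fromtimestamp(mtime, timezone.utc).date().isoformat()
        m = re.match(r"[A-Za-z]+", entry.name)  # "TFTP0007" -> "TFTP"
        prefixes[m.group(0).upper() if m else "(other)"] += 1
        days[day] += 1
        if os.path.splitext(entry.name)[1].lower() in EXECUTABLE_EXT:
            with open(entry.path, "rb") as fh:  # hash for later lookup
                digest = hashlib.sha256(fh.read()).hexdigest()
            executables.append((entry.name, day, digest))
    peak_day = days.most_common(1)[0][0] if days else None
    suspects = sorted(e for e in executables if e[1] == peak_day)
    return {"total": sum(days.values()), "prefixes": prefixes,
            "days": days, "peak_day": peak_day, "suspects": suspects}

def build_sample(directory):
    """Constructed sample data; file names and dates are made up."""
    def make(name, when, data=b"x"):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        ts = when.replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))
    for i in range(40):
        make(f"TFTP{i:04d}", datetime(2001, 9, 18, 12, 0))
    make("Admin.dll", datetime(2001, 9, 18, 12, 0), b"constructed")
    make("legit.dll", datetime(2000, 3, 1, 9, 0), b"older file")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        report = triage(d)
        print(report["total"], dict(report["prefixes"]), report["peak_day"])
        for name, day, digest in report["suspects"]:
            print(name, day, digest)
```

Run it against a copy that preserves file timestamps. Modification times can be altered, so treat the peak day as a lead to compare with the web server logs, not as proof.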
 