Hacked IIS?

frosty7700

Programmer
Aug 10, 2001
95
US
One of my clients has a really bizarre problem on their NT Server. It is running IIS. Within the directory, a folder was somehow created called " ;;; ... NuKeB TaG ... ;;; " or some similar hack-kiddie drivel, and beneath that another folder with a similarly cheesy name. THIS folder in turn contained more folders containing archived (RAR, I believe) computer games...at least what appeared to be computer games based on searches on the directory names on Google. The running theory is that someone got onto this server and has tried to use it as a distribution point for ripped software, or merely did this as a prank. In any event, I set all of the stuff to Read-Only and cut off all access for Internet users. I also deleted the files and directories containing them. HOWEVER, the two parent folders described above won't die...whenever I try to do anything to them (delete, rename, move, etc.), I get a "cannot find specified file" error. I checked the permissions on them but can't figure out what the deal is. This is pretty messed up...though I am moderately impressed. I think I already plugged a rather glaring security hole that may have been used (or created...), but ideas for killing these folders would be nice.
 
I'm all pretty new to this, however just 10 days ago I had the same problem here, turned out W32.Nimda.A@MM (dll Virus) was the culprit, it also created numerous files in my script directory. Sneaks in through a security hole in IIS 4 & 5.

Had to completely uninstall the IIS, clean the registry (after copying my settings) then reinstall to get rid of the "dummy" directories.

MS Technet has a fix to avoid this gremlin.

Hope this helps
 