From: Dan Norton (danware.net)
Date: Wed Dec 05 2001 - 20:56:26 CST

    OK, I had just installed Win2K server with SP2 and all the hotfixes on a
    server and given it a public IP. Terminal services was also installed.

    Within a few days I noticed that outbound traffic from the server was
    quite high, so I fired up EtherPeek and found that FTP was being used to
    transfer MP3 files from the machine to an address on telia.com.

    After pulling the network plug I checked out the hard drive. The
    "groups" directory was 4 GB! In the folder for one of the websites,
    there was a directory called "com1" which I was unable to open. When I
    double-clicked on the folder in Explorer, the window froze. When I used
    DOS and tried to cd to the directory, it returned an error of "the
    parameter is incorrect."

    I also noticed that my internet services control panel is now completely
    missing.

    What happened? Rather, how was this machine exploited so quickly and
    with all the latest fixes?

    It was running IIS5.

    Dan Norton
    Network Administrator

    deveynaol.com