BIN Directory being hidden automatically

on 31.03.2006 01:13:44 by T-1000

For some reason all of the BIN folders in any IIS virtual servers are
being hidden automatically. I don't mean hidden from the .net
application, but simply hidden. They are visible only via FTP or
command prompt, but not explorer (regardless of folder options.)

There have been no changes made to IIS or directories in the past few
days, and it started this morning.

Any ideas as to what is going on here? Sound like a virus?

Re: BIN Directory being hidden automatically

on 31.03.2006 01:16:11 by T-1000

also, if the bin directory is removed, and a new one created, the new
one is instantly hidden as well.

Re: BIN Directory being hidden automatically

on 31.03.2006 01:25:10 by T-1000

update: ANY bin directory anywhere on the server is hidden instantly

windows 2003 server

Re: BIN Directory being hidden automatically

on 31.03.2006 06:49:44 by Bernard

For .net framework installed web, the folder is protected.
For ftp site, I can't repro your claim. I created a 'bin' folder and I can
see it via ftp.exe and my IE.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"T-1000" wrote in message
news:1143761110.729745.281630@v46g2000cwv.googlegroups.com...
> update: ANY bin directory anywhere on the server is hidden instantly
>
> windows 2003 server
>

Re: BIN Directory being hidden automatically

on 31.03.2006 08:55:47 by T-1000

a backdoor (hacdef) was found... so this is the result of someone with
malicious intent... so now the question is, how could they do that?

Re: BIN Directory being hidden automatically

on 31.03.2006 11:12:51 by Bernard

wow! so they configure the OS not to display /bin folder?
how? no idea. if you still have all the logging, firewall/proxy/IDS/event
viewer/iis/ etc log, then you can slowly analyze to see any suspicious
trace. but this would be quite tough

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"T-1000" wrote in message
news:1143788147.309956.320100@u72g2000cwu.googlegroups.com...
> a backdoor (hacdef) was found... so this is the result of someone with
> malicious intent... so now the question is, how could they do that?
>