Re: Hacked web server

From: John Pugh (JPugh@novell.com)
Date: 01/21/03

    Date: Mon, 20 Jan 2003 19:38:26 -0700
    From: "John Pugh" <JPugh@novell.com>
    To: <rvidaurri@haciendachiapas.gob.mx>, <ryany@pantek.com>
    
    

    Very good points indeed.

    Consider that we do not know what we do not know. For instance, the
    aforementioned person below "thought" that everything was up to date.
    Even applying manual updates or allowing someone to "automatically"
    apply updates still leaves the question...am I really secure? With the
    hundreds...yes literally hundreds of security issues with one
    unmentioned product, there is no reasonable way of imagining your
    computer/network is secure because you do not know what you do not
    know.

    When using technology that has a bad reputation, you have to expect the
    unexpected. Therefore, if you expect to be secure, you must employ many
    methods of detecting the unexpected. Case in point is NIMDA. I still see
    NIMDA or NIMDA-like hits, proving that even though this is a widely known
    problem, there are many infected hosts that continue to run.

    Unless we all discontinue using products that have a high security
    risk, we will have to employ many methods to detect those who do not
    consider security to be a priority.

    JP

    >>> Ryan Yagatich <ryany@pantek.com> 1/17/03 11:53:05 AM >>>
    Hi all,
            As the answer to this has already been mentioned (IIS unicode), I
    will skip the details behind it. My question is actually related to a
    broader topic.
            This is a case where a party utilizes their firewall to keep their
    network secure, as well as applying Microsoft Service Packs to their
    systems behind it. The problem that I see with this is that many NT
    administrators that I come across all have the same notion in mind that as
    long as they apply the latest service pack to their systems, whether it be
    immediately after it comes out, or a day or so after, they believe that
    the system is declared secure.
            As many people know, and many do not, Microsoft releases security
    bulletins regularly which patch vulnerabilities and the such. If the
    administrator is using Microsoft Windows 2000, XP (or maybe others by now)
    Microsoft has created the 'auto update' scheduler which runs regularly
    'behind the scenes' that the administrator can use to have it
    automatically apply these patches.
            How is it that with services like this available that people are
    still not aware of them? Or, could it be that they are well aware of them
    but are falling victim to the notion that there really is no need for
    security in general, and that they are not at risk?
            Then we have the firewall. Again, many people believe that a
    firewall alone protects their network. In some scenarios you have
    firewalls that are performing (e|in)gress filtering, and some that are just
    machines with NAT on them being called a firewall. What about the other
    elements of a firewall? What about proxying, IDS's, monitoring, and
    integrity? What about protecting the firewall itself?
            So we have basically a world of technology where security is not
    really a big concern to many, which then introduces the fact that they are
    either uneducated or have insufficient funds to keep their systems secure.
    (yes there are more, but I'm just covering the basics here). So the next
    question is, how does the security community 'bridge the gap' between the
    people who are either uneducated enough or educated and not able to afford
    the security with that of a company/individual who is willing to 'make the
    sacrifice'?
            From my experience, the only real time when someone is interested
    in the security, at least interested being willing to move forward, is if
    their systems are compromised either once or many times over. The other
    side of this is persistence. I worked with a company at one point where
    they swore up and down that their systems were secure, exactly by the
    method as the email snippet from below. Over time, I continued to persist
    and state that service packs and firewalls are not the only elements of
    security. What wound up happening? Eventually they gave in and said 'here,
    go ahead and try to prove us wrong', and sure enough 15 minutes later
    their primary web server was found to be vulnerable to several different
    vulnerabilities.
            So, we have 2 scenarios where we can broadcast this information
    out, but since the world contains so many information systems that contain
    only the 'latest service pack', it's almost overwhelming as to what to do
    to alert these people of the problems.
            My final question now, is, how are we to really communicate with
    the rest of the world with information like what is mentioned above? There
    are many companies out there which have been trying to advertise this
    information out to the world, but they usually get the typical responses
    declining the services.
            I am interested in hearing from both sides of this, from the sides
    of the people who have had experience in dealing with this common
    scenario as well as those who decline security services like IDSs and the
    such.

    Thanks,
    ,_____________________________________________________,
    \ Ryan Yagatich support@pantek.com \
    / Pantek Incorporated (877) LINUX-FIX /
    \ http://www.pantek.com/security (440) 519-1802 \
    / Are your networks secure? Are you certain? /
    \___1E3695185FDAB9800641B94CC170FB8267C18DF695784F22___\

    On Fri, 10 Jan 2003, Rogelio Vidaurri Courcelle wrote:

    >Hi... my web server (NT 4.0 SP6a) was hacked last friday, it has only
    >one NIC with a public IP
    >we have an OpenBSD Firewall (PF) that filters both incoming and
    >outgoing traffic.... this firewall has no ip addresses.....
    >external users have access to our web server only by port 80...
    >we had a popup window in our default page.... I don't know if that's why
    >he could hack our server.... I'm not an expert in these.. I'm a
    >beginner.....
    <SNIP>....

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
