IIS web server hacked..any tips?

From: Francesco (francesco_at_blackcoil.com)
Date: 12/15/04

Next message: Curt Purdy: "RE: IIS web server hacked..any tips?"

Previous message: Jez Han***: "Re: PHP injection attempt from 200.222.244.154"
Next in thread: Curt Purdy: "RE: IIS web server hacked..any tips?"
Reply: Curt Purdy: "RE: IIS web server hacked..any tips?"
Reply: xyberpix: "Re: IIS web server hacked..any tips?"
Reply: Sam Evans: "Re: IIS web server hacked..any tips?"
Reply: Christopher Day: "RE: IIS web server hacked..any tips?"
Maybe reply: Gary Nichols: "RE: IIS web server hacked..any tips?"
Reply: Tim Igoe: "Re: IIS web server hacked..any tips?"
Reply: Jim Tuttle: "RE: IIS web server hacked..any tips?"
Reply: Barrie Dempster: "Re: IIS web server hacked..any tips?"
Maybe reply: Roger McLaren: "Re: IIS web server hacked..any tips?"
Reply: cta_at_hcsin.net: "Re: IIS web server hacked..any tips?"
Maybe reply: Adrian Marsden: "RE: IIS web server hacked..any tips?"
Maybe reply: Richard.Grant_at_ky.gov: "RE: IIS web server hacked..any tips?"
Reply: K.M. Jeary: "Re: IIS web server hacked..any tips?"
Maybe reply: David LeBlanc: "RE: IIS web server hacked..any tips?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: incidents@securityfocus.com
Date: Wed, 15 Dec 2004 08:23:40 -0800

I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP is
additionally protected by authentication.

Yesterday someone managed to access the server and dump 8GB of DVD files
into a deeply nested folder in a backup directory, for sharing I
presume. The payload folder was NOT within the available folders given
access to FTP users. Someone was able to "see" the entire D drive and
figure out a hidden enough location at their whimsy.

I thought the server was fairly well locked down, but apparently not.
What is the usual method of intrusion for "warez" attacks like these?

Francesco

Next message: Curt Purdy: "RE: IIS web server hacked..any tips?"

Previous message: Jez Han***: "Re: PHP injection attempt from 200.222.244.154"
Next in thread: Curt Purdy: "RE: IIS web server hacked..any tips?"
Reply: Curt Purdy: "RE: IIS web server hacked..any tips?"
Reply: xyberpix: "Re: IIS web server hacked..any tips?"
Reply: Sam Evans: "Re: IIS web server hacked..any tips?"
Reply: Christopher Day: "RE: IIS web server hacked..any tips?"
Maybe reply: Gary Nichols: "RE: IIS web server hacked..any tips?"
Reply: Tim Igoe: "Re: IIS web server hacked..any tips?"
Reply: Jim Tuttle: "RE: IIS web server hacked..any tips?"
Reply: Barrie Dempster: "Re: IIS web server hacked..any tips?"
Maybe reply: Roger McLaren: "Re: IIS web server hacked..any tips?"
Reply: cta_at_hcsin.net: "Re: IIS web server hacked..any tips?"
Maybe reply: Adrian Marsden: "RE: IIS web server hacked..any tips?"
Maybe reply: Richard.Grant_at_ky.gov: "RE: IIS web server hacked..any tips?"
Reply: K.M. Jeary: "Re: IIS web server hacked..any tips?"
Maybe reply: David LeBlanc: "RE: IIS web server hacked..any tips?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]