RE: IIS web server hacked..any tips?

From: Curt Purdy (purdy_at_tecman.com)
Date: 12/15/04

To: "'Francesco'" <francesco@blackcoil.com>, <incidents@securityfocus.com>
Date: Wed, 15 Dec 2004 15:11:29 -0600

    Francesco wrote:
    > Yesterday someone managed to access the server and dump 8GB
    > of DVD files into a deeply nested folder in a backup
    > directory, for sharing I presume. The payload folder was NOT
    > within the available folders given access to FTP users.
    > Someone was able to "see" the entire D drive and figure out a
    > hidden enough location at their whimsy.
    <snip>

    Tip? Use Apache on *NIX ;)

    Seriously though, you will need to remove those folders manually. Some will
    likely have names like COM and LPT1, which *NIX is fine with but windoze
    chokes on. Attached is the description of how to (only 3k, so I am attaching it
    to everyone).

    As for how they did it, you are running some of the biggest problems MS has,
    including IIS, SQL Server, and ASP.NET, any one of which could be
    exploitable. You cannot rely on Windows Update to tell you you're patched. It
    often lies, because it only looks at the registry, which is updated prior to
    the actual update completing (can you say dumb?). You must run multiple
    tests, like MBSA, to verify.

    In addition, there are possibly third-party programs loaded that need patching.
    The only time my windoze server got hacked was when a cracker exploited a
    vuln in Matt's FormMail Perl script we were using.

    Also, I would look at the times of file installation to determine whether it
    was internal or external. If the times are too close for your Internet line to
    accommodate, it means you have an insider to contend with once you clean up
    your act. If that is the case, you may want to take the box offline by
    pulling the plug (that leaves everything in virtual memory intact for
    forensic analysis) and determine who needs to be fired.

    Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
    Information Security Engineer
    DP Solutions

    ----------------------------------------

    If you spend more on coffee than on IT security, you will be hacked.
    What's more, you deserve to be hacked.
    -- former White House cybersecurity czar Richard Clarke
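Added example for the two chores in the message above; this is not the attachment Curt refers to and not code from the original post. The first part finds and deletes dropped folders whose names are Win32 reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9), which Explorer and Remove-Item cannot address but which rd/del can reach through a \\?\ path. The second part takes the spread of creation timestamps across the dumped files and compares it with the minimum time the same byte count needs over the Internet link, the internal-versus-external test the message describes. The root D:\Backup and the 1.5 Mbit/s link figure are assumptions; substitute your own. Creation times are attacker-modifiable, so treat the timeline as a lead to corroborate with logs, not as proof.

```powershell
# Added example, not from the original post or its attachment.
# Assumptions: the dumped tree lives under D:\Backup (hypothetical path) and the
# site's Internet link is 1.5 Mbit/s (hypothetical; use your own uplink figure).

# Names the Win32 layer treats as devices. The check ignores any extension,
# because "COM1.txt" is just as unreachable through normal paths as "COM1".
$ReservedNames = @('CON', 'PRN', 'AUX', 'NUL') +
                 (1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Test-ReservedName {
    param([Parameter(Mandatory)][string]$Name)
    $base = $Name.Split('.')[0]
    return ($ReservedNames -contains $base)
}

function Find-ReservedNameItem {
    # -Force includes hidden items, which is where a "hidden enough" dump lives.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-ReservedName $_.Name }
}

function Remove-ReservedNameItem {
    param([Parameter(Mandatory)][string]$Root)
    # Sort so a parent precedes anything beneath it; rd /s on the parent removes
    # the children, which are then skipped rather than deleted twice.
    $removed = @()
    foreach ($item in (Find-ReservedNameItem $Root | Sort-Object FullName)) {
        if ($removed | Where-Object { $item.FullName.StartsWith($_ + '\') }) { continue }
        # The \\?\ prefix tells Win32 to skip path normalization (including
        # device-name parsing), so cmd's rd/del reach the real directory entry.
        $target = '\\?\' + $item.FullName
        if ($item.PSIsContainer) { cmd.exe /c rd /s /q "$target" }
        else                     { cmd.exe /c del /f /q "$target" }
        # rd/del do not set a reliable exit code; re-list the parent instead.
        $parent = Split-Path -LiteralPath $item.FullName -Parent
        $left = Get-ChildItem -LiteralPath $parent -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq $item.Name }
        if ($left) { Write-Warning "Could not remove $($item.FullName)" }
        else       { $removed += $item.FullName; Write-Host "Removed $($item.FullName)" }
    }
}

function Get-CopyTimeline {
    # Creation time on the target is set when each file was written there, so the
    # spread of creation times approximates the copy window. If that window is
    # shorter than the link could possibly carry the bytes in, the copy ran at
    # LAN speed, i.e. from inside.
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][double]$LinkMbps
    )
    $files = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { return $null }
    $sorted  = @($files | Sort-Object CreationTimeUtc)
    $first   = $sorted[0].CreationTimeUtc
    $last    = $sorted[-1].CreationTimeUtc
    $bytes   = ($files | Measure-Object -Property Length -Sum).Sum
    $window  = $last - $first
    $minLink = [TimeSpan]::FromSeconds(($bytes * 8) / ($LinkMbps * 1e6))
    [pscustomobject]@{
        Files           = $files.Count
        GigaBytes       = [math]::Round($bytes / 1GB, 2)
        FirstCreatedUtc = $first
        LastCreatedUtc  = $last
        CopyWindow      = $window
        MinimumOverLink = $minLink
        FasterThanLink  = ($window -lt $minLink)
    }
}

# Usage: review the timeline and the hit list before deleting anything.
Get-CopyTimeline -Root 'D:\Backup' -LinkMbps 1.5 | Format-List
Find-ReservedNameItem -Root 'D:\Backup' | Select-Object FullName, PSIsContainer
# Remove-ReservedNameItem -Root 'D:\Backup'   # uncomment once the evidence is preserved
```

Run the timeline and the listing first and keep a copy of the output; the removal step destroys the very timestamps the timeline depends on, so it stays commented out until the evidence has been preserved.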
