Re: IIS web server hacked..any tips?

From: xyberpix (xyberpix_at_xyberpix.com)
Date: 12/15/04

  • Next message: Sam Evans: "Re: IIS web server hacked..any tips?" 
    To: Francesco <francesco@blackcoil.com>
Date: Wed, 15 Dec 2004 19:22:34 +0000

    Hi Francesco,

    Firstly I would get the server off the network, litterally pull the plug
    on the network cable. Then dig through logs, etc, and try and find out
    how they got in, hopefully you had really good logging set up on this
    machine, so you should be able to get a fair idea of how they got in.
    I would personally say that I re-install is your best way around this,
    as you have no idea how many backdoors have been installed on your
    server, or what else for that matter.
    I hope that the DVD's were at least one's that you hadn't seen?

    xyberpix

    On Wed, 2004-12-15 at 08:23 -0800, Francesco wrote:
    > I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
    > and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP is
    > additionally protected by authentication.
    >
    > Yesterday someone managed to access the server and dump 8GB of DVD files
    > into a deeply nested folder in a backup directory, for sharing I
    > presume. The payload folder was NOT within the available folders given
    > access to FTP users. Someone was able to "see" the entire D drive and
    > figure out a hidden enough location at their whimsy.
    >
    > I thought the server was fairly well locked down, but apparently not.
    > What is the usual method of intrusion for "warez" attacks like these?
    >
    > Francesco 

    -- 
For Security and Open Source news and tips visit:
http://www.xyberpix.com

  • Next message: Sam Evans: "Re: IIS web server hacked..any tips?"

    Relevant Pages

    • Re: Need help urgently please!
      ... I'll create a back-up folder for the Queue and copy ... The backup was done around 2AM and the server crashed at 1:30PM. ... a significant amount of mail will be lost if we can't recover the logs. ... there is a significant amount of mail in the queue that arrived at our ...
      (microsoft.public.exchange2000.admin)
    • Re: Need help urgently please!
      ... I'll create a back-up folder for the Queue and copy ... The backup was done around 2AM and the server crashed at 1:30PM. ... a significant amount of mail will be lost if we can't recover the logs. ... there is a significant amount of mail in the queue that arrived at our ...
      (microsoft.public.exchange2000.admin)
    • Re: Need help urgently please!
      ... I'll create a back-up folder for the Queue and copy ... The backup was done around 2AM and the server crashed at 1:30PM. ... a significant amount of mail will be lost if we can't recover the logs. ... there is a significant amount of mail in the queue that arrived at our ...
      (microsoft.public.exchange2000.admin)
    • Re: my iis has been hacked :-(
      ... One step is removing the folder. ... FTP services enabled and the anonymous user ... hidden FTP server like Serv-U FTP. ... In one of the subdirectories i found 2 subdirectories, ...
      (microsoft.public.inetserver.iis.security)
    • Re: Connecting to ftp with File Browser
      ... I selected "ftp with login" as type of connection. ... I'm being hosted on a Windows server, ... In my ftp client the folder structure is as follows. ... In file browser all that loads is the root folder shown above and the ...
      (Ubuntu)
    • Quantcast