Re: IIS web server hacked..any tips?
From: Sam Evans (wintrmte_at_gmail.com)
Date: Wed, 15 Dec 2004 12:34:09 -0700 To: Francesco <email@example.com>
Could the individual have used a privileged account which would have
allowed them to drop the files in the location you found them in?
Brute forcing accounts through FTP is fairly non evasive (if you have
security event logging disabled / nothing moitoring it and no lockout
Out of curiosity, what is/was the owner set to on the files you found?
That should be a good clue as to how they got there.
On Wed, 15 Dec 2004 08:23:40 -0800, Francesco <firstname.lastname@example.org> wrote:
> I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
> and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP is
> additionally protected by authentication.
> Yesterday someone managed to access the server and dump 8GB of DVD files
> into a deeply nested folder in a backup directory, for sharing I
> presume. The payload folder was NOT within the available folders given
> access to FTP users. Someone was able to "see" the entire D drive and
> figure out a hidden enough location at their whimsy.
> I thought the server was fairly well locked down, but apparently not.
> What is the usual method of intrusion for "warez" attacks like these?