Re: IIS web server hacked..any tips?

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 12/15/04

  • Next message: Roger McLaren: "Re: IIS web server hacked..any tips?" 
    To: incidents@securityfocus.com
Date: Wed, 15 Dec 2004 19:59:45 +0000

    On Wed, 2004-12-15 at 08:23 -0800, Francesco wrote:
    > I thought the server was fairly well locked down, but apparently not.
    > What is the usual method of intrusion for "warez" attacks like these?

    Hi Francesco with "warez kiddies" the usual attack vector is a known
    exploit that is unpatched in your systems, if an intruder of this type
    has hacked you it's doubtful that your system was as locked down as you
    think it was.

    However if it was a locked down windows server you should have auditing
    configured and remotely stored so you should be able to see how and when
    the files and folders in question were accessed.
    I suggest using that as the basis for any analysis, also any intrusion
    detection system on the network should have information on the attack as
    if this was a known exploit the NIDS would have a signature for it
    (hopefully).

    Other than that it's time for a reinstall if you ever want to consider
    this box "locked down" again, there are many methods for cleaning a box
    however nothing is as good as a reinstall.

    What's your focus from this point onwards are you interested in capture
    and prosecution or having a clean box?
    If you give us this information we can advise on how to proceed more
    concisely.

    Best of luck.

    With Regards..
    Barrie Dempster (zeedo) - Fortiter et Strenue

      http://www.bsrf.org.uk

    [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

  • Next message: Roger McLaren: "Re: IIS web server hacked..any tips?"

    Relevant Pages