Re: IIS web server hacked..any tips?

From: Roger McLaren (RMcLaren_at_vcss.k12.ca.us)
Date: 12/15/04

  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: IIS web server hacked..any tips?" 
    Date: Wed, 15 Dec 2004 13:32:23 -0800
To: <francesco@blackcoil.com>, <incidents@securityfocus.com>

    Francesco,

    Any of the software you listed could be used to gain access to your
    server. Even the MailEnable software has had remotely exploitable
    buffer overflows. You did not mention software versions, or if the
    server was firewalled. If there is no firewall it could be a simple
    password guessing attack. The compromise of a windows account with admin
    rights or a SQL account with sufficient privilege would do it.

    If you have enabled auditing go over the logs carefully to look for any
    clues. Then wipe the machine and re-build it (or restore from a known
    clean backup) and make sure you change ALL the passwords - you never
    know what they did while they were there.

    Roger R. McLaren
    Systems Support Analyst
    Information Technology Services
    Ventura County Superintendent of Schools

    >>> "Francesco" <francesco@blackcoil.com> 12/15/2004 8:23:40 AM >>>
    I have a Windows 2003 Server running IIS 6, SQL Server 2000,
    MailEnable,
    and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP
    is
    additionally protected by authentication.

    Yesterday someone managed to access the server and dump 8GB of DVD
    files
    into a deeply nested folder in a backup directory, for sharing I
    presume. The payload folder was NOT within the available folders
    given
    access to FTP users. Someone was able to "see" the entire D drive and
    figure out a hidden enough location at their whimsy.

    I thought the server was fairly well locked down, but apparently not.
    What is the usual method of intrusion for "warez" attacks like these?

    Francesco

  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: IIS web server hacked..any tips?"

    Relevant Pages

    • Re: my iis has been hacked :-(
      ... One step is removing the folder. ... FTP services enabled and the anonymous user ... hidden FTP server like Serv-U FTP. ... In one of the subdirectories i found 2 subdirectories, ...
      (microsoft.public.inetserver.iis.security)
    • Re: Connecting to ftp with File Browser
      ... I selected "ftp with login" as type of connection. ... I'm being hosted on a Windows server, ... In my ftp client the folder structure is as follows. ... In file browser all that loads is the root folder shown above and the ...
      (Ubuntu)
    • Re: Email enable doc lib
      ... navigate to the public folder and send some posts with attachments to the ... Microsoft CSS Online Newsgroup Support ... I have disabled forms base Athentication from the default V.Smtp server ...
      (microsoft.public.windows.server.sbs)
    • FTP Permissions Issues and other issues
      ... One is the public facing FTP server and the other ... is the server where the actual FTP folder is (the public facing server has ... and make directories but only within the root folder. ...
      (microsoft.public.inetserver.iis.ftp)
    • Re: STUPID NAVIGATION BAR!
      ... > folder on the hard drive, edit, select all, right mouse ... > the ftp) and once again - no nav bar/menu down ... I also have MS FP Server Extensions 2002 ... >>Certain features of the navigation bar requires the site ...
      (microsoft.public.frontpage.client)