Re: IIS web server hacked..any tips?

cta_at_hcsin.net
Date: 12/16/04

  • Next message: Adrian Marsden: "RE: IIS web server hacked..any tips?" 
    To: incidents@securityfocus.com
Date: Wed, 15 Dec 2004 19:44:34 -0500

    On 15 Dec 2004 at 8:23, Francesco wrote:

    > I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
    > and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP is
    > additionally protected by authentication.
    >
    > Yesterday someone managed to access the server and dump 8GB of DVD files
    > into a deeply nested folder in a backup directory, for sharing I
    > presume. The payload folder was NOT within the available folders given
    > access to FTP users. Someone was able to "see" the entire D drive and
    > figure out a hidden enough location at their whimsy.
    >
    > I thought the server was fairly well locked down, but apparently not.
    > What is the usual method of intrusion for "warez" attacks like these?
    >
    > Francesco
    >
    <<<
    Just to add some sage advice… if you really want to ensure that the
    contents of a suspected compromised machine's virtual memory, as well as
    its hard drive are intact then I would NOT "pull the plug" i.e.,
    disconnect from network. An attacker with half a brain can easily load a
    watchdog program that automatically erases memory, files reconfigures
    wini, and puts the machine back into a unsuspicious state if it detects
    that the it has lost its network connection, or someone has executed the
    shutdown cmd. In other words cover ones tracks. For non-critical cases
    (that is were the risk to confidentiality, integrity and availability of
    the data contained in the hard drive is acceptable), the first thing I
    would do in this scenario is to quietly connect a snoop machine (laptop)
    to the LAN segment and start sniffing for packets. If no traffic is coming
    from the suspect machine, then try getting in the front door, but keep an
    eye on the back door for egress packets. In some cases I have been able to
    track packets (honey I'm home!, or here the data you wanted!) back to the
    attackers collection nest.

    - 

    --
****************************************************
Bernie / cta@hcsin.net
Chief Technology Architect / Chief Security Officer
Euclidean Systems
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
  • Next message: Adrian Marsden: "RE: IIS web server hacked..any tips?"
    • Quantcast