RE: IIS web server hacked..any tips?
From: Adrian Marsden (amarsden_at_jvsdet.org)
Date: 12/16/04
- Previous message: cta_at_hcsin.net: "Re: IIS web server hacked..any tips?"
- Maybe in reply to: Francesco: "IIS web server hacked..any tips?"
- Next in thread: Richard.Grant_at_ky.gov: "RE: IIS web server hacked..any tips?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Dec 2004 07:44:46 -0500 To: "Roger McLaren" <RMcLaren@vcss.k12.ca.us>, <francesco@blackcoil.com>, <incidents@securityfocus.com>
Might I also suggest that since, to date, you do not know the attack vector and may not know it in the future if you are not sufficiently logging etc. that once the box is ready to come back up you turn on all logging to a remote and secure machine and implement or update IDS. I might even go as far as suggesting that you place a packet dump, (Ethereal), on a remote box to capture all traffic to and from the previously compromised machine.
If you dont't and you haven't ascertained and mitigated the attack vector you'll be back next week with the same problem.....
-----Original Message-----
From: Roger McLaren [mailto:RMcLaren@vcss.k12.ca.us]
Sent: Wed 12/15/2004 4:32 PM
To: francesco@blackcoil.com; incidents@securityfocus.com
Cc:
Subject: Re: IIS web server hacked..any tips?
Francesco,
Any of the software you listed could be used to gain access to your
server. Even the MailEnable software has had remotely exploitable
buffer overflows. You did not mention software versions, or if the
server was firewalled. If there is no firewall it could be a simple
password guessing attack. The compromise of a windows account with admin
rights or a SQL account with sufficient privilege would do it.
If you have enabled auditing go over the logs carefully to look for any
clues. Then wipe the machine and re-build it (or restore from a known
clean backup) and make sure you change ALL the passwords - you never
know what they did while they were there.
Roger R. McLaren
Systems Support Analyst
Information Technology Services
Ventura County Superintendent of Schools
>>> "Francesco" <francesco@blackcoil.com> 12/15/2004 8:23:40 AM >>>
I have a Windows 2003 Server running IIS 6, SQL Server 2000,
MailEnable,
and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP
is
additionally protected by authentication.
Yesterday someone managed to access the server and dump 8GB of DVD
files
into a deeply nested folder in a backup directory, for sharing I
presume. The payload folder was NOT within the available folders
given
access to FTP users. Someone was able to "see" the entire D drive and
figure out a hidden enough location at their whimsy.
I thought the server was fairly well locked down, but apparently not.
What is the usual method of intrusion for "warez" attacks like these?
Francesco
- Previous message: cta_at_hcsin.net: "Re: IIS web server hacked..any tips?"
- Maybe in reply to: Francesco: "IIS web server hacked..any tips?"
- Next in thread: Richard.Grant_at_ky.gov: "RE: IIS web server hacked..any tips?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
