Re: IIS web server hacked..any tips?
From: K.M. Jeary (kmj1000_at_ucs.cam.ac.uk)
Date: 12/16/04
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: IIS web server hacked..any tips?"
- In reply to: Francesco: "IIS web server hacked..any tips?"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: IIS web server hacked..any tips?"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: IIS web server hacked..any tips?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Dec 2004 19:23:11 +0000 (GMT)
To: Francesco <francesco@blackcoil.com>
You don't say which, if any, executables you found - or had this all been
wiped before you got there? This normally gives some clue to type of
entry (exploiting tftp is one common line of attack). I'd also look for
doctored logs (earlier logs should give you pre-existing patterns of
access to ftp/IIS). The length of certain files (or lack of it) is
often a clue - this can tell you what period(s) the group wanted to
disguise. Unless of course they've used clearlog.exe and deleted the
whole affair...
You can't necessarily rely on dates of course - executables like
setdatetime.exe (sets the date of a file back five calendar years) are
often part of an ordinary rootkit. However (and of course doing
this destroys part of your evidence) looking at .exe files 'last
accessed' in the system32 directory can be quite illuminating. [It's
fairly easy to sort out those which are normally used by the system etc.]
The other point I'd make is you shouldn't necessarily make the mistake
of assuming that your server was compromised _recently_. It could
have been so for several weeks or months - and the group involved only
came back to it when it rose to the top of the compromised hosts list.
As earlier replies have suggested, you could actually have one or
more than one zombie PC in your organization - the original compromise
does not necessarily have to have been from an external machine.
Internet: K.M.Jeary@ucs.cam.ac.uk
NT-Support: NT-Support@ucs.cam.ac.uk
Telephone: +44 (0)1223-335632
University Computing Service, Pembroke Street, Cambridge CB2 3QH, England.
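The two clues the reply describes (executables in system32 with a recent last-access time or with timestamps pushed years into the past, and daily IIS logs that are much shorter than their neighbours) can be turned into a quick triage script. This is an added example, not code from the original thread; it is written in Python for portability, the file names, sizes and epoch timestamps used in the test are constructed, and the default path is only a placeholder.

```python
"""Constructed triage helpers for the two clues in the post: executables in a
directory (e.g. system32) that were accessed recently or carry timestamps set
far into the past, and daily IIS logs much shorter than their peers.
Added example, not code from the original mailing-list thread."""
import os
import statistics
import sys
import time

DAY = 86400


def scan_executables(directory):
    """Yield (name, atime, mtime) for each .exe. os.stat() reads metadata only,
    so it does not update last-access time the way opening the file would."""
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".exe"):
            st = entry.stat()
            yield entry.name, st.st_atime, st.st_mtime


def triage(records, now, recent_days=7, backdate_years=3):
    """records: iterable of (name, atime, mtime) in epoch seconds.
    Returns (recently_accessed, backdated), each a sorted list of names."""
    records = list(records)
    if not records:
        return [], []
    # Legitimate system binaries cluster around the install/build date, so the
    # median mtime is a fair baseline; a dropped file whose timestamps were set
    # years earlier (the setdatetime.exe trick) falls well below it.
    baseline = statistics.median(m for _, _, m in records)
    recent_cutoff = now - recent_days * DAY
    backdate_cutoff = baseline - backdate_years * 365 * DAY
    recent = sorted(n for n, a, _ in records if a >= recent_cutoff)
    backdated = sorted(n for n, _, m in records if m < backdate_cutoff)
    return recent, backdated


def short_logs(sizes, ratio=0.2):
    """sizes: {log_name: bytes}. Flags logs under ratio * median size, the
    'length of certain files' clue for days whose entries were trimmed."""
    if len(sizes) < 3:
        return []
    median = statistics.median(sizes.values())
    return sorted(name for name, size in sizes.items() if size < median * ratio)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\system32"  # placeholder
    recent, backdated = triage(scan_executables(target), time.time())
    print("accessed in last 7 days:", recent)
    print("mtime backdated years before peers:", backdated)
```

On Windows versions from Vista onward NTFS last-access updates are disabled or system-managed by default, so the access-time check is only meaningful where that setting was enabled before the incident; run it against a copy of the volume where possible.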