RE: IIS web server hacked..any tips?

From: David LeBlanc (dleblanc_at_exchange.microsoft.com)
Date: 12/17/04

    Date: Thu, 16 Dec 2004 17:47:51 -0800
    To: <Valdis.Kletnieks@vt.edu>, <cta@hcsin.net>
    
    

    If you have a lot of knowledge, and some time on your hands, it is
    possible to boot a Windows system (boot.ini flag) such that it can be
    debugged across a serial cable. This may be an interesting thing from a
    honeypot POV.

    So you'd set the switch, boot the system, wait until you want to
    snapshot it, and then use the debugger to look at anything in memory you
    like. WinDbg will do this, and I think SoftIce does, too. The owned
    system is defenseless against an external kernel debugger.

    BTW, in response to the original mail, if I were reasonably sure the
    system was up to date on patches (and there hasn't been an IIS 6.0 issue
    in a while, so this is likely), then I would start looking at other
    things. For example, is NetBT bound to the external interface? If so,
    how strong (really) are the passwords? Feed the password hashes to a
    cracker, and see. If you think that one is tampered with (fair bet), try
    one of the ones built by the same people.

    Next, look at the web app - did someone do something like put SQL
    injection in an app running as sa? What entry points were really
    available to the attackers? What if they managed to get behind the
    firewall?

    Hope this helps...

    -----Original Message-----
    From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]

    [snip]

    (If you're *really* tech-savvy, and the suspect machine has an ieee1394
    port, you can have your cake and eat it too - use a "field-modified"
    iPod to collect the evidence nice and fast without the hacker's
    knowledge, and THEN pull the plug and proceed with the forensics. ;)
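One way to act on the "look at the web app" advice above is to go back to the IIS logs and find out which scripts were actually being probed with SQL injection, and from where, before touching the box. The script below is an added example, not code from the original thread; it reads the IIS 6.0 default W3C extended log format (the `#Fields:` directive names the columns), URL-decodes each query string, and flags the common injection shapes. The sample log excerpt embedded in it is constructed for the example, with addresses from documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS 6.0 W3C extended log excerpt (not from the original post).
# Field set is the IIS 6.0 default; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-12-16 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-12-16 10:01:02 192.0.2.10 GET /default.asp - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2004-12-16 10:01:09 192.0.2.10 GET /products.asp id=42 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2004-12-16 10:02:15 192.0.2.10 GET /products.asp id=42'+or+1=1-- 80 - 203.0.113.55 Mozilla/4.0 500 0 0
2004-12-16 10:02:31 192.0.2.10 GET /products.asp id=42+union+select+1,2,3-- 80 - 203.0.113.55 Mozilla/4.0 500 0 0
2004-12-16 10:02:40 192.0.2.10 GET /search.asp q=laptop%27+OR+%27a%27%3D%27a 80 - 203.0.113.55 Mozilla/4.0 200 0 0
2004-12-16 10:03:01 192.0.2.10 GET /login.asp user=bob&pw=%27%20union%20select%201 80 - 203.0.113.55 Mozilla/4.0 500 0 0
2004-12-16 10:03:20 192.0.2.10 GET /search.asp q=pre--release 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""

# Strong indicators are shapes that only make sense as SQL; the comment
# terminator alone is weak, since "--" also occurs in ordinary text.
STRONG_PATTERNS = {
    "quote-or-tautology": re.compile(r"'\s*or\s+[\w']+\s*=\s*[\w']+", re.I),
    "union-select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "stacked-statement": re.compile(r";\s*(select|insert|update|delete|exec)\b", re.I),
}
WEAK_PATTERNS = {
    "comment-terminator": re.compile(r"--|/\*"),
}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            values = raw.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(query):
    """Return (strong, weak) indicator names found in a URL-decoded query string."""
    decoded = unquote_plus(query)
    strong = [name for name, rx in STRONG_PATTERNS.items() if rx.search(decoded)]
    weak = [name for name, rx in WEAK_PATTERNS.items() if rx.search(decoded)]
    return strong, weak


def find_suspicious(text):
    """Every request whose query string carries an injection indicator, in log order."""
    hits = []
    for entry in parse_w3c(text):
        query = entry.get("cs-uri-query", "-")
        if query == "-":          # IIS writes "-" when there is no query string
            continue
        strong, weak = classify(query)
        if not strong and not weak:
            continue
        hits.append({
            "time": f"{entry['date']} {entry['time']}",
            "client": entry["c-ip"],
            "uri": entry["cs-uri-stem"],
            "query": unquote_plus(query),
            "status": entry["sc-status"],
            "indicators": strong + weak,
            "confidence": "high" if strong else "low",
        })
    return hits


def entry_points(hits, confidence="high"):
    """Which scripts were being probed, and from which client addresses."""
    selected = [h for h in hits if h["confidence"] == confidence]
    return Counter(h["uri"] for h in selected), Counter(h["client"] for h in selected)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} {h['status']} {h['uri']} "
              f"[{h['confidence']}] {h['query']} -> {', '.join(h['indicators'])}")
    uris, clients = entry_points(found)
    print("probed scripts:", dict(uris))
    print("sources:", dict(clients))
```

Run it against the real `ex*.log` files from the IIS log directory instead of the embedded sample. The 500 responses next to the probes are worth noting: an unhandled SQL error surfacing as a server error is a sign the input reached the database, which is exactly the case where the database account's privileges (sa or not) decide how bad things got.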

