Re: defacement

From: x y (jamescagney90210@excite.com)
Date: 05/17/02


Well, it sounds like IIS is serving up a page that has been put there by the
hacker. There's insufficient information to tell the entry point, but IIS
is a very likely entry point, especially if you did not install all the
latest Microsoft security patches.

The book Incident Response is a very good introduction to dealing with
events like this. If you have any hope of being able to identify and
prosecute the person, you want to involve the authorities and/or a
professional. If you want to be 100% sure that you are secure against
hacking again, you should format and reinstall Windows, and secure the
server fully before putting the server on the internet again. This includes
installing all recent Microsoft security patches, following the instructions at
www.microsoft.com/security, installing Microsoft IIS Lockdown including URLScan,
an antivirus scanner like Norton that downloads updates every day,
the www.gfi.com LANguard file integrity checker [free, checks every day for files
that have changed, to discover possible hacking], www.mynetwatchman.com
[free, reports hacking attempts to the hacker's ISP], etc. etc. But first,
you should determine the way the box was hacked, to determine if other
servers on your network were also compromised.

To determine what happened, look in your Windows event log (the security log) and,
more importantly, the IIS logs, if you are logging IIS. Any line that
mentions .EXE or % and has a 200 or 502 status code in it is suspicious.
Also identify the names of the defaced files [.HTML, .ASP, .GIF, etc.] and
look in the IIS logs for anywhere that might mention these file names. Run
fport from www.foundstone.com to see if there are any unusual programs
running. Run PsTools / psloggedon from www.sysinternals.com to see if
anyone is logged in at the moment... pslist, Process Explorer, Regmon and
Filemon are other interesting utilities from this web site. WARNING: doing
these things yourself corrupts the evidence and reduces your chances of
successful prosecution.

The reason why a format and reinstall is recommended is that the hacker may
have installed a sniffer or keystroke logger or other back door that you may
miss.

A very common scenario for web defacement is that the hacker sends a special URL
to your web server that takes advantage of an unpatched web server
vulnerability and allows a local DOS command to be run on your web server.
The hacker uses these URLs to do one of many things, such as running the
TFTP command to download files from an FTP server under their control to
your web server.

If you find out anything interesting, have any luck, or have any questions about
your logs or the results of FPORT, post them here. Consider contacting the
authorities if you wish as well.

"Mostro Di Biscottos" <oveloz@nospamglasfloss.com> wrote in message
news:5EDBE0A484189920.0B10F6DDC7B6E808.A17A6FA3921C031B@lp.airnews.net...
> I'm not sure that defacement is the correct term, but anyhow. Here goes. I
> come in this morning and I'm made aware that when you type in the following
> in an internet browser's address box http://owa.mydomain.com you are taken to
> an obscene html page. So then, in the browser, I type in my exchange
> server's IP address and I'm taken to the same page. I then have a friend
> that is not in my network tracert my exchange server, and it comes through
> my firewall directly to my exchange server. I will thus assume that my
> exchange box has been hacked. Now, how do I fix this? Was it OWA that has
> been hacked, or the IIS server that is installed on my exchange server?
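The log-triage heuristics from the reply above (lines mentioning .EXE or % with a 200 or 502 status, plus any mention of the defaced file names), as an added example that is not part of either poster's message. It parses IIS W3C extended log text using the #Fields directive; the log lines, IP addresses and the defaced file name default.htm are constructed for illustration.

```python
# Added example (not from the original post): triage IIS W3C extended log
# lines with the heuristics above. The log text is constructed, not real.
from typing import Dict, List, Optional

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2002-05-17 03:14:07 192.0.2.10 - 10.0.0.5 80 GET /exchange/logon.asp - 200
2002-05-17 03:15:22 192.0.2.10 - 10.0.0.5 80 GET /scripts/tool.exe arg=%41 200
2002-05-17 03:16:01 192.0.2.10 - 10.0.0.5 80 GET /images/logo%20new.gif - 404
2002-05-17 03:17:45 192.0.2.10 - 10.0.0.5 80 PUT /exchange/default.htm - 200
2002-05-17 03:18:10 198.51.100.7 - 10.0.0.5 80 GET /exchange/logon.asp - 200
"""

SUSPICIOUS_STATUS = {"200", "502"}  # the post: .EXE or % plus 200/502 is suspicious


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text; column names come from the #Fields directive."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or data before a header
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines rather than misalign
                records.append(dict(zip(fields, values)))
    return records


def triage(text: str, defaced_files: List[str]) -> List[Dict[str, str]]:
    """Return records matching the heuristics, each with a 'reason' field added."""
    hits = []
    for rec in parse_w3c(text):
        request = (rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")).lower()
        reasons = []
        if (".exe" in request or "%" in request) and rec.get("sc-status") in SUSPICIOUS_STATUS:
            reasons.append("exe-or-percent with status " + rec["sc-status"])
        reasons += ["references defaced file " + n for n in defaced_files if n.lower() in request]
        if reasons:
            hits.append({**rec, "reason": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, ["default.htm"]):
        print(hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], "->", hit["reason"])
```

The 404 line with %20 is deliberately not flagged, matching the post's status-code condition; a real triage would treat the remaining hits as leads to confirm against file timestamps, not as proof.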

