Re: IIS Vulnerability
From: x y (jamescagney90210@excite.com)
Date: 06/21/02
From: "x y" <jamescagney90210@excite.com> Date: Fri, 21 Jun 2002 08:52:24 -0400
Check your IIS web server logs to try to confirm that you have not been
hacked already. Search your log files for any entries containing % or .EXE
that also contain a 200 or 502 status code. [These lines are not
necessarily successful hacks, but they warrant further investigation.] For small
sites with not much traffic I recommend setting your web logs in the IIS MMC
to create a new log only once a month instead of the default once a day; it
makes it easier to search for intrusion. Also, search your computer for
files that have changed in the past day to 3 days, as some of those files
could be evidence of hacking. Installing the LANguard file integrity checker
from www.gfi.com [free] can also help detect and alert you to suspicious
changes in files. Also, download and run fport from foundstone.com and/or
pstools from www.sysinternals.com, containing pslist and psloggedon. Look
for suspicious files keeping suspicious ports open. Search Google or post
here if you have a question about a particular log entry, port or file name
found. Also, use an antivirus program that has the latest updates for the
week installed to scan the hard drives. [Note that doing any of these
things can alert a hacker that you are searching for him, and either you or
he can end up tainting the evidence, but unless you are a large company with
huge assets, you probably won't get a conviction anyways, so I say you
should consider going ahead anyways.]
Then, remove all those files found from your server and put them on a floppy,
just in case. Note that this may break functionality if you are using, for
example, content searches of your web site or the web-based password reset
tool. Examine the /asp/something.stm file to see what it does and whether it is
one of your files, a sample Microsoft file or a hacker file; I don't
recognize it off the top of my head. Go through the security checklist at
www.microsoft.com/security for IIS, especially the part about deleting or
moving the sample scripts and the password reset utility folders and other
files.
"Emmanuel Adebayo" <eadebayo@totalise.co.uk> wrote in message
news:uw4AwiRGCHA.2696@tkmsftngp12...
> Dear all
>
> I was checking my IIS server for vulnerability this morning and found this
>
> scripts/tools/details.idc - EXISTS!
> /iisadmpwd/aexp3.htr - EXISTS!
> /iisadmpwd/anot.htr - EXISTS!
> /asp/something.stm - EXISTS!
> /something.stm - EXISTS!
> /scripts/something.stm - EXISTS!
> /..\.. - EXISTS!
> /....../ - EXISTS!
> /scripts/iisadmin/bdir.htr - EXISTS!
> /samples/cgi.stm - EXISTS!
> /samples/inline2.stm - EXISTS!
> /iissamples/issamples/oop/qfullhit.htw - EXISTS!
> /prxdocs/misc/prxrch.idq - EXISTS!
> /iissamples/exair/Search/search.idq - EXISTS!
> /iissamples/exair/Search/query.idq - EXISTS!
> /iissamples/issamples/query.idq - EXISTS!
> /iissamples/issamples/fastq.idq - EXISTS!
>
> The server is fully patched, IISLockdown and URLScan were installed
>
> Can anybody help on what to do to remove this vulnerability.
>
> Thanks.
>
> Emmanuel
>
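The log triage the reply describes (find entries with % or .EXE in the URI that returned 200 or 502, then decode them to see what was really requested) and its "files changed in the last few days" check, as an added example that is not from the thread or from any of the tools it names. The log is in the IIS 5 W3C Extended format with a #Fields directive; the log lines, host names and addresses below are constructed for illustration, and the percent-decoding loop, field-count check and `recently_modified` helper are this example's own choices rather than anything the post specifies.

```python
"""Triage an IIS W3C-format log the way the reply suggests: flag request lines whose
URI (stem or query) contains '%' or '.exe' and whose status is 200 or 502, and list
files under a directory that changed recently. Added example; sample log is constructed."""
import os
import time
from urllib.parse import unquote

# Constructed sample log in IIS 5 W3C Extended format (columns follow the #Fields line).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-21 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-06-21 08:12:03 10.0.0.5 - 10.0.0.1 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2002-06-21 08:13:44 192.0.2.7 - 10.0.0.1 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 -
2002-06-21 08:13:45 192.0.2.7 - 10.0.0.1 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2002-06-21 08:14:01 10.0.0.6 - 10.0.0.1 80 GET /iisadmpwd/aexp3.htr - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2002-06-21 08:15:10 192.0.2.7 - 10.0.0.1 80 GET /scripts/root.exe /c+dir 502 -
2002-06-21 08:16:30 10.0.0.9 - 10.0.0.1 80 GET /images/logo%20small.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
"""

# The reply's rule: only these status codes are interesting in combination with % or .EXE.
INTERESTING_STATUS = {"200", "502"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def full_decode(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (e.g. %255c) are revealed."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def suspicious(entries):
    """Apply the reply's rule to parsed entries and return the matching lines with a decoded URI."""
    hits = []
    for e in entries:
        uri = e.get("cs-uri-stem", "") + "?" + e.get("cs-uri-query", "-")
        lowered = uri.lower()
        if ("%" in lowered or ".exe" in lowered) and e.get("sc-status") in INTERESTING_STATUS:
            hits.append({
                "time": e["date"] + " " + e["time"],
                "client": e["c-ip"],
                "status": e["sc-status"],
                "uri": uri,
                "decoded": full_decode(uri),
            })
    return hits


def recently_modified(root, days=3, now=None):
    """List files under root whose mtime falls within the last `days` days (the reply's file check)."""
    cutoff = (now if now is not None else time.time()) - days * 86400
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime >= cutoff:
                    found.append(path)
            except OSError:
                continue  # unreadable or vanished file: keep scanning
    return sorted(found)


if __name__ == "__main__":
    for hit in suspicious(parse_w3c(SAMPLE_LOG)):
        print(hit["time"], hit["client"], hit["status"], hit["uri"], "->", hit["decoded"])
```

Run against the constructed log this flags three lines: the double-encoded cmd.exe request that got a 200 (decoded to a `..\..` traversal), the root.exe request that got a 502, and a harmless `logo%20small.gif`. That last one is the point of the reply's bracketed caveat: the % rule is deliberately broad, so the decoded column is there to help you sort real hits from noise, and the 404 variant is left out only because the rule asks for 200 or 502. Point `recently_modified` at the web root and system directories to get the second list the reply asks for.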