Re: w2k server security
From: karl [x y] (jamescagney90210@excite.com)
Date: 08/30/02
- Next message: Eric Chamberlain: "Re: Can I Use basic or integrated authentication agains an external Kerberos KDC?"
- Previous message: karl [x y]: "Re: Hacker Alert"
- In reply to: anon: "w2k server security"
- Next in thread: Paul Lynch: "Re: w2k server security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "karl [x y]" <jamescagney90210@excite.com> Date: Thu, 29 Aug 2002 21:17:21 -0400
"anon" <anon@anonymous.com> wrote in message
news:8de701c24f8d$21fe4450$2ae2c90a@phx.gbl...
> Someone recently broke into one of our w2k web servers and
> changed the wallpaper. There are several sites being
> hosted on the machine but they are on a separate drive.
> Any ideas as to how this was done? Thanks
Check your IIS logs [assuming logging is enabled]. I bet the commands they
used are all right there. Checking your router or firewall logs might be
helpful as well, and running fport from foundstone.com on the troubled
machine.
Running a firewall and installing security patches are only part of a
complete security plan. Proper configuration and third party software such
as antivirus like Norton that is set to download updates every single day
are some of the other things you really need to be sure you've done.
Download and run HFNETCHK from www.microsoft.com/security to see what
critical patches if any you are missing, apply the security checklists for
Windows and IIS from the same location, and download and run a virus scan to
see if you do indeed have a virus. This message makes me suspect the
"virus" could be Code Red and/or Nimda. If you have IIS web services
running on your computer, check your IIS web logs, you might be able to see
exactly how this was done.
You might also find the following tools useful: fport from
www.foundstone.com, pstools from www.sysinternals.com , trojan scanners such
as www.pestpatrol.com or www.sunbelt-software.com, a file change checker
such as the free Languard File Integrity Checker from www.gfi.com and the
books Hacking Exposed 3rd edition and/or Incident Response.
Note however that once you've had an intrusion, the only way to be 100%
certain that you've removed any and all back doors that a hacker might have
installed on your system is to format and reinstall everything including
security settings and patches and checklists from www.microsoft.com/security
before putting it on the internet again. [But be sure to try to determine
how you were hacked before formatting.]
Patching the holes that let the intruder in does not necessarily block the
other holes the intruder may have added afterwards.
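As an added illustration of the advice above to read the IIS web logs for the commands the intruder used (example code written for this archive page, not from karl's post or from any of the tools he names): a small parser for IIS W3C extended log files, with indicator checks for the Code Red style `.ida` Index Server probe and the Nimda style `root.exe` / `cmd.exe` requests that the reply suspects. The log excerpt, IP addresses and timestamps are constructed; the field names follow the standard IIS W3C `#Fields:` header, and the indicator patterns are assumptions based on the public descriptions of those two worms.

```python
"""Scan IIS W3C extended logs for Code Red / Nimda style request patterns."""
import re
from urllib.parse import unquote

# Constructed sample log excerpt (not real traffic). Column order is
# dictated by the #Fields header, exactly as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-08-29 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-08-29 01:12:03 192.0.2.10 GET /default.htm - 200 Mozilla/4.0
2002-08-29 01:13:44 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200 -
2002-08-29 01:14:02 198.51.100.7 GET /scripts/root.exe /c+dir 404 -
2002-08-29 01:14:05 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200 -
2002-08-29 01:20:11 192.0.2.11 GET /images/logo.gif - 304 Mozilla/4.0
"""

# Assumed indicator patterns, matched against the decoded request path.
INDICATORS = [
    (re.compile(r"\.(ida|idq)$", re.I), "Index Server ISAPI probe (.ida/.idq, Code Red style)"),
    (re.compile(r"(cmd|root)\.exe", re.I), "command shell invoked through IIS (Nimda style)"),
    (re.compile(r"\.\.[\\/]"), "directory traversal in request path"),
]


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign the columns
        yield dict(zip(fields, values))


def decode_path(stem):
    """Decode twice so double-encoded traversal sequences are also caught."""
    return unquote(unquote(stem))


def find_suspicious(text):
    """Return the records whose request path matches any indicator."""
    findings = []
    for rec in parse_w3c(text):
        path = decode_path(rec.get("cs-uri-stem", ""))
        reasons = [reason for pattern, reason in INDICATORS if pattern.search(path)]
        if not reasons:
            continue
        status = rec.get("sc-status", "")
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "ip": rec.get("c-ip"),
            "path": rec.get("cs-uri-stem"),
            "query": rec.get("cs-uri-query"),
            "status": status,
            # A 2xx on one of these requests means the server actually served it.
            "succeeded": status.startswith("2"),
            "reasons": reasons,
        })
    return findings


def summarize_by_ip(findings):
    """Count suspicious requests per source address, for cross-checking firewall logs."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        flag = "SERVED" if h["succeeded"] else "refused"
        print(f"{h['time']} {h['ip']} {h['status']} {flag} {h['path']} {h['query']}")
        for r in h["reasons"]:
            print(f"    - {r}")
    print("per source:", summarize_by_ip(hits))
```

Run it against a real `ex*.log` from the IIS log directory instead of `SAMPLE_LOG` and the `succeeded` flag separates scanner noise (404s) from requests the server actually answered, which is the part worth reading line by line before the box is rebuilt.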