Re: Open Ports....How to block them all....?

From: Curt_C [MVP] (Software_AT_Darkfalz.com)
Date: 11/19/02


From: "Curt_C [MVP]" <Software_AT_Darkfalz.com>
Date: Tue, 19 Nov 2002 11:40:13 -0600


Thanks.... that should hopefully get me started :}

--
----------------------------------------------------------
Curt Christianson (Software_AT_Darkfalz.Com)
Owner/Lead Designer, DF-Software
http://www.Darkfalz.com
---------------------------------------------------------
..Offering free scripts & code snippets for everyone...
---------------------------------------------------------
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:unrwt8#jCHA.3576@tkmsftngp08...
>
> "Curt_C [MVP]" <Software_AT_Darkfalz.com> wrote in message
> news:#IgLW29jCHA.1652@tkmsftngp11...
> > Ok, here's the situation. Win2k Server running IIS, AD, Exch2000, SQL2000
> >
> > I keep it up to date with SP's and Patches but find that the server keeps
> > getting hacked and used as an "FTP" server with that stupid "Serv-U" app.
> > What can be done to secure this server so that this doesn't keep happening?
> > Is port blocking (leaving only bare necessity open) my only recourse? If so,
> > how?
> >
> > I'm a developer, and know only basic fundamentals of OS/IIS security.....
> >
> > Thanks
> >
> > (P.S... I keep manually killing the app that gets installed and manually
> > deleting the files/app/dirs that the hack creates.)
>
> This is pretty common.  Frequently this happens through an IIS
> vulnerability.  If this is the case, check your IIS logs for anything
> mentioning .EXE or % and that also has a code 200 or 502 in that line.  This
> may show you exactly what is happening.  More information:
> http://securityadmin.info/faq.htm#iislogs2
> http://securityadmin.info/faq.htm#iislogs
>
> Once your server has been hacked, you may want to consider formatting and
> reinstalling Windows and everything else.  You can choose not to do this,
> however you are risking leaving other back doors on your system that might
> allow future compromise.  Installing Serv-U software typically involves a
> person having the ability to remotely run commands and install files on your
> system, which is pretty serious.  They could have dumped your SAM file and
> gotten all your local passwords, for example, using this method.  Be sure to
> do forensic investigation first to try to determine how this happened, so
> that you can prevent it from happening next time and try to confirm that
> other computers were not also compromised.
>
> Tools to detect hacking include Vision which is free from
> www.foundstone.com/knowledge,
> a firewall such as www.sygate.com which is free, antivirus with the latest
> updates such as the free www.grisoft.com, anti-trojan software such as
> www.pestpatrol.com, a file change checker such as the free one from
> www.gfi.com, Startup Cop downloaded from www.download.com or www.google.com,
> etc.
>
> More information on how to use these tools to detect hacking is detailed at:
> http://securityadmin.info/faq.htm#hacked
>
> Ways to secure your system are detailed at:
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden   <-- most important
> http://securityadmin.info/faq.htm#firewall
> http://securityadmin.info/faq.htm#virus
>
> Specifically, I would try running the MBSA which is free from
> www.microsoft.com/download, be sure you have installed IISLockdown including
> URLScan which I am guessing probably would have prevented this attack, and
> follow one or more hardening checklists on how to secure both IIS and
> Windows.  It also sounds like you could use antivirus like www.grisoft.com
> [free], anti trojan software like www.pestpatrol.com, and one or more
> software or hardware firewall solutions, such as www.sygate.com [which is
> free for non-commercial use].
>
> Remember that security is not just patches but also proper configuration and
> third party hardening tools.  A system with all the patches can still be
> easily hacked if you didn't also make changes to the IIS configuration,
> disable unnecessary services, etc.  This is all stuff I would do LAST, after
> discovering the vulnerability and intrusion method and securing the system
> in whatever way you choose.
>
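
As an added example (not part of the original thread), here is the log check Karl suggests above, written as a small Python scanner over a constructed IIS W3C extended log excerpt: it reads the #Fields header and reports requests that mention .EXE or % and returned status 200 or 502. The sample log lines, IP addresses and paths are made up for the demonstration.

```python
"""Scan IIS W3C extended logs for the indicator from the thread: any request
mentioning .EXE or '%' that returned status 200 or 502.
Added example with constructed data; not code from the original post."""
import re

# Constructed sample excerpt in IIS 5 W3C extended format (not a real server's log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-18 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-18 03:21:15 10.0.0.5 GET /default.htm - 200
2002-11-18 03:22:40 192.0.2.9 GET /scripts/xyz.exe - 200
2002-11-18 03:23:02 192.0.2.9 GET /scripts/xyz.exe - 404
2002-11-18 03:24:17 10.0.0.5 GET /search.asp q=ftp%20server 200
2002-11-18 03:25:00 192.0.2.9 GET /msadc/abc.exe - 502
"""

SUSPECT_STATUS = {"200", "502"}
SUSPECT_PATTERN = re.compile(r"\.exe|%", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.
    IIS re-emits #Fields when it restarts, so the field list is tracked per block."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Version, #Date) or blank line
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_requests(text):
    """Return records whose URI stem or query mentions .EXE or '%' and whose
    status is 200 or 502.  '%' also matches ordinary URL-encoded queries
    (see the /search.asp sample line), so hits still need a manual look."""
    hits = []
    for rec in parse_iis_log(text):
        uri = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        if rec.get("sc-status") in SUSPECT_STATUS and SUSPECT_PATTERN.search(uri):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs-uri-query"], hit["sc-status"])
```

Point the script at a real log by reading the file contents in place of SAMPLE_LOG; the 404 for xyz.exe is deliberately left out of the hits because the status filter is part of the heuristic.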

