Re: website defaced

From: Jonathan Maltz [MS-MVP] (jmaltz_at_mvps.org)
Date: 09/04/03


Date: Wed, 3 Sep 2003 19:32:01 -0400


What else should you do? Upon defacement I recommended this:

Format and re-install or do a complete restore from backup. Formatting is
better because something may have been planted in your last backup.

Check your AV and firewall.

-- 
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup.  If I see an email I didn't ask for, it will be
deleted without reading.
"Chien" <chien@hongkong.org> wrote in message
news:06f601c37267$b2d41fb0$a101280a@phx.gbl...
What else can I do to secure my www?
My website was defaced.  My www server is Windows 2000
Server with IIS 5 service.  SP3 and all critical updates
were applied prior to the defacement.  My firewall was
checked out by Cisco technical support; the result is fine.
Since then I followed Technote Q218180 and did the following:

Change Administrator password
Change E:\Inetpub security, remove Everyone and add Administrators
Remove c:\inetpub\iissamples
Remove c:\winnt\help\iishelp
Set ACL remove Everyone group and add Administrators
Run cscript.exe //h:Cscript
HKLM\System\CurrentControlSet\Control\LSA RestrictAnonymous 2 (default=0)
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SynAttackProtect 2 (default=0)
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters AutoShareServer 0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters RestrictNullSessAccess 1

Here is the defaced html file. Save it and use IE to see
it.
<html>
<head>
<meta http-equiv="Content-Language" content="pt-br">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<title>Vixi a microsoft se supera cada vez mais</title>
</head>
<body text="#FFFFFF" bgcolor="#000000">
<p align="center"><font size="5">Vixi a microsoft se
supera cada vez mais!</font></p>
<p align="center">&nbsp;</p>
<p align="center"><font size="4">Pow um bug desse no
MICROSOFT ISS/5.0</font></p>
<p align="center"><font size="4">Putssss</font></p>
<p align="center">&nbsp;</p>
<p align="center"><font size="4">SÓ PARA AVISAR EU TO DE
VOLTA AO DEFACED</font></p>
<p align="center"><font size="4">EH QUE ESTAVA ME
ESPLECIALIZANDO EM OUTROS
ASSUNTOS</font></p>
<p align="center"><font size="4">MAIS AGORA JA ESTOU DE
VOLTA,E EM BREVE NOVO
SITE SOBRE HACKIG ETC...</font></p>
<p align="center">&nbsp;</p>
<p align="center"><font size="4">QUALQUER COISA FALE
COMIGO NO irc BRSNET #cards
OU&nbsp; NETBRASIL #hackerclub</font></p>
<p align="center"><font size="4">RS.....</font></p>
<p align="center"><font size="4">Q FOI?C FERRO?VEM
RECLAMA COMIGO</font></p>
<p align="center"><font size="4">ICQ: 175321388</font></p>
<p align="center"><font size="4">EMAIL: <a
href="mailto:lucascarding@uol.com.br">
lucascarding@uol.com.br</a></font></p>
<p align="center"><font size="4">UHUHUH TCHAU</font></p>
<p align="center"><font size="4">&quot;O PROXIMO PODE SER
VOCÊ&quot;</font></p>
<p align="center"><font size="4">&nbsp;&nbsp;&nbsp;
</font></p>
<p align="center"><font size="2" color="#C0C0C0"><i>By
lucas__carder ou
Prince_Of_nigth</i></font></p>
<p align="center">defaced por mais um membro do <u><font
size="4">HackerClub</font></u></p>
<p align="center">&nbsp;</p>
<p align="center"><u><font size="6">HAHAHAHA
DEPOIS</font></u></p>
<p align="center"><u><font size="6">SÓ PARA
AVISAS</font></u></p>
<p align="center"><u><font size="6">VOLTEI COM TUDO
POR</font></u></p>
<p align="center"><u><font size="6">ISSO TOME MAIS
CUIDADO COM</font></u></p>
<p align="center"><u><font size="6">A SEGURANÇA
DE</font></u></p>
<p align="center"><u><font size="6">SEUS SITE!
</font></u></p>
<p align="center">&nbsp;</p>
</body>
</html>
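
Added example (not part of the original posts): a Python check that parses a registry export in .reg text form and reports which of the four values listed in the quoted message are missing or differ from what the poster set. The sample export is constructed, and the function and variable names are this example's own.

```python
import re

# Values and data as listed in the quoted message; paths lower-cased for matching.
CCS = r"hkey_local_machine\system\currentcontrolset"
EXPECTED = {
    (CCS + r"\control\lsa", "restrictanonymous"): 2,
    (CCS + r"\services\tcpip\parameters", "synattackprotect"): 2,
    (CCS + r"\services\lanmanserver\parameters", "autoshareserver"): 0,
    (CCS + r"\services\lanmanserver\parameters", "restrictnullsessaccess"): 1,
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg_dwords(text):
    """Return {(key, value_name): int} for each REG_DWORD; names lower-cased."""
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()  # registry paths are case-insensitive
            continue
        m = DWORD_RE.match(line)
        if m and key:
            found[(key, m.group(1).lower())] = int(m.group(2), 16)
    return found

def audit(text):
    """List (value_name, actual, expected) for settings that are absent or differ."""
    actual = parse_reg_dwords(text)
    return [(name, actual.get((key, name)), want)
            for (key, name), want in EXPECTED.items()
            if actual.get((key, name)) != want]

# Constructed sample export: one value still at 0, one value absent.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"""

FINDINGS = audit(SAMPLE)  # restrictanonymous differs, restrictnullsessaccess absent
```

A value reported with None was not present in the export at all. Version 5.00 export files are UTF-16 encoded, so decode them before passing the text to audit().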

