Re: IIS on 443 replaced by serv-u
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 05/16/04
- Previous message: Roger Abell: "Re: IIS user getting locked out"
- In reply to: Eddie Bowers [MSFT]: "RE: IIS on 443 replaced by serv-u"
- Next in thread: Karl Levinson [x y] mvp: "Re: IIS on 443 replaced by serv-u"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 15 May 2004 19:12:08 -0400
"Eddie Bowers [MSFT]" <eddieb@online.microsoft.com> wrote in message
news:8ULO6KfOEHA.3800@cpmsftngxa10.phx.gbl...
> It sounds like your system was compromised before installing the patch.
> Since this is a test machine, you should really take the safe route and
> rebuild.
> Serv-u ftp may only be one of many backdoors placed on your system.
I agree. "It was just a test system" and "there's nothing of interest to a
hacker on this system" are not valid assumptions. Even test systems should
be fully secured before putting them on the network, or you risk legal
liability, abused hard drive space and Internet bandwidth, etc.
Here are some links that may help you:
http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden
http://securityadmin.info/faq.asp#iislogs2
http://securityadmin.info/faq.asp#iislogs
Note that patches are only one thing needed to make a system safe.
Installing IISLockdown with URLScan free from
www.microsoft.com/technet/security could have prevented this, if this was an
attack through the IIS WWW service. If this was a buffer overflow, you
might see evidence of a service halting or restarting in the Windows system
event log, although theoretically a hacker could delete entries from the
logs on a compromised server. Note that buffer overflow attacks on the IIS
WWW service often don't appear in the IIS www logs, as the overflow occurs
before the logging occurs.
If you really wanted to find the hidden Serv-U files or other hidden files,
registry values and services, they may be hidden by a Windows root kit, in
which case you can't see them through the local GUI console. You can see
them by using Explorer or an anti-virus scanner across the network, through
a Windows file share... or by booting to another OS, such as slaving the
hard drive in another Windows computer. However, since this is a test
system, it is more reliable to use this information to help you secure your
next system, instead of trying to manually remove what you find without
formatting and re-installing.
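The cross-view check described above (the host's own directory listing versus the same folder read over a Windows file share from a clean machine) as an added PowerShell example; it is not from the original post or from Serv-U or Microsoft. The host name SUSPECT-HOST, the Inetpub folder, enabled PowerShell remoting and admin rights on the C$ share are assumptions.

```powershell
# Added example (not from the original post): list a folder two ways and report
# files that the compromised host's console view omits but the share view shows.
# Assumptions (hypothetical): $Suspect is the compromised test box, this runs on a
# clean workstation with admin rights on it, PowerShell remoting is enabled and
# the administrative share C$ is reachable over SMB.
param(
    [string]$Suspect = 'SUSPECT-HOST',   # placeholder name, replace before use
    [string]$Folder  = 'Inetpub'         # folder under C:\ to compare
)

# One record per file: path relative to the root, size and last-write time.
# -Force includes attribute-hidden files; a rootkit hides deeper than that,
# which is exactly the gap the two views are meant to expose.
function Get-FileView([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Rel   = $_.FullName.Substring($Root.Length).TrimStart('\')
                Size  = $_.Length
                MTime = $_.LastWriteTimeUtc
            }
        }
}

# View 1: what the suspect host's own file-system API reports (console view).
$consoleView = Invoke-Command -ComputerName $Suspect `
    -ScriptBlock ${function:Get-FileView} -ArgumentList "C:\$Folder"

# View 2: the same folder read over SMB from this clean workstation.
$shareView = Get-FileView "\\$Suspect\C`$\$Folder"

# Index the console view by relative path for fast lookup.
$consoleIndex = @{}
foreach ($f in $consoleView) { $consoleIndex[$f.Rel] = $f }

# Anything the share shows but the console does not is hidden on the host;
# size or timestamp mismatches point at the same kind of tampering.
foreach ($f in $shareView) {
    $c = $consoleIndex[$f.Rel]
    if (-not $c) {
        "[HIDDEN FROM CONSOLE] $($f.Rel)  size=$($f.Size)  mtime=$($f.MTime)"
    } elseif ($c.Size -ne $f.Size -or $c.MTime -ne $f.MTime) {
        "[METADATA MISMATCH]   $($f.Rel)  console=$($c.Size)/$($c.MTime)  share=$($f.Size)/$($f.MTime)"
    }
    $consoleIndex.Remove($f.Rel)
}

# Leftovers exist in the console view only; unusual, but worth recording.
foreach ($rel in $consoleIndex.Keys) { "[MISSING OVER SHARE]  $rel" }
```

An empty result does not prove the box is clean, since a kernel rootkit can filter the SMB server path as well; the post's advice to rebuild rather than clean still applies.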