Re: New exploit?
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 05/31/04
- In reply to: RussKie: "New exploit?"
Date: Mon, 31 May 2004 07:19:18 -0700
"RussKie" <google@gamestah.com> wrote in message
news:af2f2d74.0405310146.273f5206@posting.google.com...
> Recently one of my IIS boxes got rooted - all active sites were
> defaced and more importantly the hackers managed to get access to some
> databases which reside above website's roots (eg: website root is at
> c:\web\html, and the db resides in c:\web\data).
>
> In the logs the following info:
> cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
> GET /database.mdb - 200 64 2679028 425 248891
> GET /Default.htm - 200 0 360 362 0
> GET /database.mdb - 206 0 4827107 484 530766
>
> None of the above files existed, then they suddenly appeared there.
>
> Win2k SP4, IIS5, urlscan is installed, directory browsing is turned
> off, no write permissions to the directories... Some sites have ssl
> on.
>
> Can anyone shed some light on what might have happened?
Well, you did say W2k SP4, but you said nothing about how
current you are on post-SP4 patching.
That is the first idea.
-- Roger Abell Microsoft MVP (Windows Server System: Security) MCDBA, MCSE W2k3+W2k+Nt4
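For triage of log rows like the ones quoted in the question, the following is an added example (not part of either post) that parses W3C extended log rows and flags data files that IIS actually served, including the dropped transfer (sc-win32-status 64) and the ranged follow-up (sc-status 206). The `#Fields:` prefix on the header line and the `DATA_EXTS` extension list are assumptions; the sample rows are constructed from the values quoted above.

```python
# Added example: triage of IIS W3C extended log rows for served database files.
# SAMPLE is constructed from the field list and rows quoted in the post.
import os

SAMPLE = """\
#Fields: cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
GET /database.mdb - 200 64 2679028 425 248891
GET /Default.htm - 200 0 360 362 0
GET /database.mdb - 206 0 4827107 484 530766
"""

# Assumption: extensions treated as data files that a web site should never serve.
DATA_EXTS = {".mdb", ".ldb", ".bak", ".sql"}
# Win32 error 64 is ERROR_NETNAME_DELETED: the client connection went away mid-transfer.
WIN32_NOTES = {0: "completed", 64: "connection dropped mid-transfer"}


def parse_w3c(text):
    """Yield one dict per log row, using the most recent #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def flag_data_downloads(text):
    """Return findings for data files answered with 200 (full) or 206 (partial)."""
    findings = []
    for row in parse_w3c(text):
        ext = os.path.splitext(row["cs-uri-stem"])[1].lower()
        status = int(row["sc-status"])
        if ext in DATA_EXTS and status in (200, 206):
            win32 = int(row["sc-win32-status"])
            findings.append({
                "uri": row["cs-uri-stem"],
                "status": status,
                "bytes_sent": int(row["sc-bytes"]),
                "seconds": int(row["time-taken"]) / 1000,  # IIS logs time-taken in ms
                "note": WIN32_NOTES.get(win32, f"win32 error {win32}"),
                "ranged": status == 206,  # 206 answers a Range request
            })
    return findings


if __name__ == "__main__":
    for finding in flag_data_downloads(SAMPLE):
        print(finding)
```

A 200 paired with win32 status 64 followed by a 206 on the same URI is consistent with an interrupted download that was then resumed, so the sc-bytes of the two rows are worth reading together.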