Re: IIS Hack : Anyone explain cause...

From: Ken Schaefer (
Date: 07/22/04

Date: Thu, 22 Jul 2004 10:58:40 +1000

Could be anything...

a) maybe they exploited a vulnerability
b) maybe you have FPSE, or WebDAV, or FTP, or whatever enabled, and they
just guessed a username/password
c) maybe you have some other kind of backdoor already on the machine (e.g.
from a previous worm, virus or exploit), and they just used that

You really need to look through whatever logs you have, and determine:
    - whether you can rely on them (do they look like they were tampered
    - do some forensic examination of the machine to work out what possible
      entry points there are
    - look through relevant logs to see what activity there was on the entry


"Team Macromedia" <> wrote in message
> Hey All,
> We recently had one of our IIS servers hacked (not a mission critical
> server, so we were not too bothered) in which one of the sites' default
> document was either hacked or replaced with a file stating the following
> //j #SPY by guns_1".
> From a Google search it seems that this guy/unit has performed hacks
> like these on other sites but I was wondering what and how it was
> possible.... more of an explanation how it was done and what we could do
> to prevent it (patching is obviously a solution but the actual cause of the
> hack is what I am after). I did an audit of the machine and noticed that
> all that was changed was the default.htm content (or it could have been
> replaced) and the default.htm was the first in the list of Documents -
> which it wasn't before...
> NOTE: We were missing the following patches (not now!) :
> KB823353
> KB831167
> KB870669
> KB840315
> KB842526
> KB841873
> KB841872
> KB839643
> KB839645
> KB837001
> KB832483
> I can't see from the list above what, if any, of these patches would
> prevent such an attack on the sites? I also noticed that for some ISAPI
> we had (all) in the verbs list which has now been corrected. URL Scan
> and IIS Lockdown have not been run on the machine in question but the
> majority of the standard security checklists have been applied such as
> .htr and parent paths have been applied...
> Anyone know how or why a hack like this was possible?
> Thanks
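A small triage script in the spirit of Ken's advice, added here as an example and not part of the thread or of any IIS tooling: it parses a constructed IIS 5/6-style W3C extended log (the sample lines, field order, usernames and IP addresses are all made up) and surfaces three things worth checking before trusting the log and before asking how default.htm changed: requests using verbs that can write content (the WebDAV/FrontPage path mentioned in the thread), a client that collects several 401s and then succeeds with a username (a guessed-credential pattern), and timestamps that run backwards (one hint the file was edited).

```python
"""Triage helper for IIS W3C extended log lines (added example, not from the thread).

The field names come from the constructed sample's own #Fields directive;
real logs may select different fields, so parse_w3c reads the directive
rather than assuming a fixed column order.
"""
from collections import defaultdict

# Constructed sample log: not a real server, IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-07-20 03:10:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs-username sc-status
2004-07-20 03:10:01 192.0.2.10 GET /default.htm - 80 - 200
2004-07-20 03:10:02 198.51.100.7 OPTIONS / - 80 - 200
2004-07-20 03:10:03 198.51.100.7 PROPFIND /default.htm - 80 - 401
2004-07-20 03:10:04 198.51.100.7 PROPFIND /default.htm - 80 admin 401
2004-07-20 03:10:05 198.51.100.7 PROPFIND /default.htm - 80 admin 401
2004-07-20 03:10:06 198.51.100.7 PROPFIND /default.htm - 80 admin 207
2004-07-20 03:10:07 198.51.100.7 PUT /default.htm - 80 admin 200
2004-07-20 03:10:08 192.0.2.11 GET /default.htm - 80 - 200
"""

# HTTP/WebDAV verbs that can create, replace or remove content on disk.
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def find_write_requests(entries):
    """Entries whose verb could have changed a file such as default.htm."""
    return [e for e in entries if e["cs-method"] in WRITE_VERBS]


def find_guessed_credentials(entries, min_failures=2):
    """Client IPs that logged >= min_failures 401s and later succeeded with a username."""
    failures = defaultdict(int)
    hits = set()
    for e in entries:
        ip = e["c-ip"]
        if e["sc-status"] == "401":
            failures[ip] += 1
        elif e["cs-username"] != "-" and failures[ip] >= min_failures:
            hits.add(ip)
    return sorted(hits)


def timestamps_monotonic(entries):
    """False if any entry is dated earlier than the one before it (tampering hint).

    IIS writes zero-padded ISO dates and 24h times, so string order is time order.
    """
    stamps = [e["date"] + " " + e["time"] for e in entries]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    print("timestamps in order:", timestamps_monotonic(entries))
    for e in find_write_requests(entries):
        print("write:", e["date"], e["time"], e["c-ip"], e["cs-method"],
              e["cs-uri-stem"], "as", e["cs-username"])
    print("possible guessed credentials from:", find_guessed_credentials(entries))
```

On the constructed sample this reports the PUT to /default.htm by "admin" from 198.51.100.7, flags that address as having guessed its way past authentication, and confirms the timestamps are in order. A real log is only evidence if the monotonic check and the file's modification time agree with the server's other records; otherwise treat it the way Ken suggests and weigh it against what forensic examination of the machine itself shows.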