Re: IIS Hack : Anyone explain cause...

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 07/22/04


Date: Thu, 22 Jul 2004 10:58:40 +1000

Could be anything...

a) maybe they exploited a vulnerability
    -or-
b) maybe you have FPSE, or WebDAV, or FTP, or whatever enabled, and they
just guessed a username/password
    -or-
c) maybe you have some other kind of backdoor already on the machine (e.g.
from a previous worm, virus or exploit), and they just used that

You really need to look through whatever logs you have, and determine:
    - whether you can rely on them (do they look like they were tampered
with)
    - do some forensic examination of the machine to work out what possible
entry points there are
    - look through relevant logs to see what activity there was on the entry
points

Cheers
Ken

"Team Macromedia" <nospam@nospam.com> wrote in message
news:OQIp6C1bEHA.904@TK2MSFTNGP09.phx.gbl...
> Hey All,
>
> We recently had one of our IIS servers hacked (not mission critical
> server, so we were not too bothered) in which one of the sites default
> document was either hacked or replaced with a file stating the following
> : "SORRY ADMIN SPYKIDS OWNZ YOUR WINDOWS f*** you USA irc.brasnet.org
> //j #SPY by guns_1 guns_1@linuxmail.org".
>
> From a Google search it seems that this guy/unit has performed hacks
> like these on other sites but I was wondering what and how it was
> possible.... more of an explanation how it was done and what we could do
> to prevent it (patching is obviously a solution but actual cause of the
> hack is what I am after) I did an audit of the machine and noticed that
> all that was changed was the default.htm content (or it could have been
> replaced) and the default.htm was the first in the list of Documents -
> which it wasn't before...
>
> NOTE: We were missing the following patches (not now!) :
>
> KB823353
> KB831167
> KB870669
> KB840315
> KB842526
> KB841873
> KB841872
> KB839643
> KB839645
> KB837001
> KB832483
>
> I can't see from the list above what if any of these patches would
> prevent such an attack to the sites? I also noticed that for some ISAPI
> we had (all) in the verbs list which has now been corrected. URL Scan
> and IIS Lockdown have not been run on the machine in question but the
> majority of the standard security checklists have been applied such as
> .htr and parent paths have been applied...
>
> Anyone know how or why a hack like this was possible?
>
> Thanks

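The three steps Ken lists (decide whether the logs can be trusted, work out which entry points the box exposes, then pull the activity on those entry points) map directly onto a pass over the IIS W3C extended log. The script below is an added example, not code from either poster: it parses W3C log lines, applies two integrity heuristics (timestamps running backwards, long silent gaps), tags requests that hit the entry points named in the thread (WebDAV write/probe verbs, FrontPage Server Extensions under `/_vti_bin/`, `.htr`), and lists everything logged around the moment default.htm changed. The log lines, the IP addresses and the `DEFACED_AT` timestamp (the file's mtime as you would read it off the disk) are all constructed for illustration.

```python
"""Triage of IIS W3C extended log lines after a defacement (added example)."""
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format; the #Fields line defines the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-07-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-07-20 01:12:03 10.0.0.5 GET /default.htm - 200 Mozilla/4.0
2004-07-20 01:15:44 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0
2004-07-20 02:30:10 192.0.2.77 OPTIONS / - 200 Microsoft-WebDAV-MiniRedir
2004-07-20 02:30:11 192.0.2.77 PROPFIND / - 207 Microsoft-WebDAV-MiniRedir
2004-07-20 02:30:15 192.0.2.77 PUT /default.htm - 201 Microsoft-WebDAV-MiniRedir
2004-07-20 02:30:16 192.0.2.77 GET /default.htm - 200 Mozilla/4.0
2004-07-20 02:29:59 192.0.2.77 GET /_vti_bin/shtml.dll - 200 Mozilla/4.0
2004-07-20 03:02:00 10.0.0.8 GET /default.htm - 200 Mozilla/4.0
"""

# Constructed: modification time of default.htm as read from the file system.
DEFACED_AT = datetime(2004, 7, 20, 2, 30, 15)

WEBDAV_WRITE = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
WEBDAV_PROBE = {"OPTIONS", "PROPFIND", "SEARCH"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    Directive lines start with '#'; only #Fields matters for the column layout.
    Each record gets a 'ts' key holding date+time as a datetime.
    """
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # A column-count mismatch is itself worth a look during triage.
            raise ValueError("malformed line: %r" % line)
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def integrity_findings(records, max_gap=timedelta(hours=6)):
    """Heuristics for 'can I rely on this log?'.

    IIS appends entries in order, so a timestamp that goes backwards suggests
    the file was edited or lines were inserted; a long silent stretch on a
    site that is otherwise busy suggests lines were removed or logging stopped.
    """
    findings = []
    for prev, cur in zip(records, records[1:]):
        if cur["ts"] < prev["ts"]:
            findings.append("out-of-order timestamp at %s (previous %s)" % (cur["ts"], prev["ts"]))
        elif cur["ts"] - prev["ts"] > max_gap:
            findings.append("gap of %s before %s" % (cur["ts"] - prev["ts"], cur["ts"]))
    return findings


def entry_point_hits(records):
    """Tag requests touching the entry points named in the thread: WebDAV, FPSE, .htr."""
    hits = []
    for rec in records:
        method, uri = rec["cs-method"].upper(), rec["cs-uri-stem"].lower()
        if method in WEBDAV_WRITE:
            hits.append(("webdav-write", rec))
        elif method in WEBDAV_PROBE:
            hits.append(("webdav-probe", rec))
        elif uri.startswith("/_vti_bin/"):  # FrontPage Server Extensions
            hits.append(("fpse", rec))
        elif uri.endswith(".htr"):
            hits.append(("htr", rec))
    return hits


def activity_window(records, when, window=timedelta(minutes=5)):
    """Everything logged within +/- window of the moment default.htm changed."""
    return [r for r in records if abs(r["ts"] - when) <= window]


def triage(text, changed_at):
    """Run all three steps and return a summary dict."""
    recs = parse_w3c(text)
    near = activity_window(recs, changed_at)
    return {
        "integrity": integrity_findings(recs),
        "entry_points": [(tag, r["ts"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
                         for tag, r in entry_point_hits(recs)],
        "sources_near_change": sorted({r["c-ip"] for r in near}),
        # A 2xx answer to a WebDAV write verb in the window is the write that replaced the file.
        "successful_writes": [r for r in near
                              if r["cs-method"].upper() in WEBDAV_WRITE and r["sc-status"].startswith("2")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, DEFACED_AT).items():
        print(key)
        for item in value:
            print("   ", item)
```

On the constructed sample the integrity pass flags the `/_vti_bin/` line whose timestamp runs backwards, the entry-point pass shows an OPTIONS/PROPFIND probe followed by a `PUT /default.htm` answered 201, and the window around the mtime narrows the source to one address. On a real box the same pass should be run against the FTP log and the System/Security event logs as well, since Ken's point (b) covers guessed credentials on any of those services, not just WebDAV.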