Re: IIS Hack : Anyone explain cause...
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: Thu, 22 Jul 2004 10:58:40 +1000
Could be anything...
a) maybe they exploited a vulnerability
b) maybe you have FPSE, or WebDAV, or FTP, or whatever enabled, and they just guessed a username/password
c) maybe you have some other kind of backdoor already on the machine (eg from a previous worm, viruses or exploit), and they just used that
You really need to look through whatever logs you have, and determine:
- whether you can rely on them (do they look like they were tampered
- do some forensic examination of the machine to work out what possible entry points there are
- look through relevant logs to see what activity there was on the entry
"Team Macromedia" <firstname.lastname@example.org> wrote in message
> Hey All,
> We recently had one of our IIS servers hacked (not mission critical
> server, so we were not too bothered) in which one of the sites default
> document was either hacked or replaced with a file stating the following
> : "SORRY ADMIN SPYKIDS OWNZ YOUR WINDOWS f*** you USA irc.brasnet.org
> //j #SPY by guns_1 email@example.com".
> From a Google search it seems that this guy/unit has performed hacks
> like these on other sites but I was wondering what and how it was
> possible.... more of an explanation how it was done and what we could do
> to prevent it (patching is obviously a solution but actual cause of the
> hack is what I am after) I did an audit of the machine and noticed that
> all that was changed was the default.htm content (or it could have been
> replaced) and the default.htm was the first in the list of Documents -
> which it wasn't before...
> NOTE: We were missing the following patches (not now!) :
> I can't see from the list above what if any of these patches would
> prevent such an attack to the sites? I also noticed that for some ISAPI
> we had (all) in the verbs list which has now been corrected. URL Scan
> and IIS Lockdown have not been run on the machine in question but the
> majority of the standard security checklists have been applied such as
> .htr and parent paths have been applied...
> Anyone know how or why a hack like this was possible?
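The reply above recommends going through the IIS logs, checking whether they can be trusted, and looking for activity on the likely entry points (FPSE, WebDAV, .htr). The following is an added example, not code from either poster, that does that first pass over an IIS W3C extended log: it parses the `#Fields:` header, flags requests that touch the entry points named in the thread, reports out-of-order timestamps as a crude tampering heuristic, and tallies which client IPs were behind the write-capable requests. The log lines are constructed for the example (the IPs, paths and user agents are made up), and the flagging rules are this example's own, not an authoritative list.

```python
"""First-pass triage of IIS W3C extended log lines for the entry points
discussed in the thread (WebDAV, FrontPage Server Extensions, .htr)."""
from collections import Counter
from datetime import datetime

# Constructed sample log in the W3C extended format IIS 5/6 write.
# Hosts, paths and user agents are invented for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-07-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-07-20 00:00:12 10.0.0.5 GET /default.htm - 200 Mozilla/4.0
2004-07-20 00:01:03 10.0.0.9 PROPFIND / - 207 Microsoft-WebDAV-MiniRedir
2004-07-20 00:01:07 10.0.0.9 PUT /default.htm - 201 Microsoft-WebDAV-MiniRedir
2004-07-20 00:01:40 10.0.0.9 POST /_vti_bin/shtml.dll/_vti_rpc - 200 MSFrontPage/4.0
2004-07-19 23:59:59 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0
2004-07-20 00:02:15 10.0.0.7 GET /default.htr - 404 Mozilla/4.0
"""

# WebDAV verbs; the write subset is what can change content on disk.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE", "SEARCH"}
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    Adds a parsed datetime under '_ts'. IIS writes '+' for spaces inside
    fields, so splitting on whitespace is safe."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        rec = dict(zip(fields, values))
        rec["_ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                       "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def classify(rec):
    """Return the reasons (if any) a record touches an entry point from the thread."""
    method = rec["cs-method"].upper()
    stem = rec["cs-uri-stem"].lower()
    reasons = []
    if method in WEBDAV_WRITE_METHODS:
        reasons.append("webdav-write")
    elif method in WEBDAV_METHODS:
        reasons.append("webdav")
    if "/_vti_" in stem:          # FrontPage Server Extensions paths
        reasons.append("fpse")
    if stem.endswith(".htr"):     # legacy .htr ISAPI mapping
        reasons.append("htr")
    return reasons


def flag_entry_points(records):
    """List of (record index, reason) for every flagged request, in log order."""
    return [(i, r) for i, rec in enumerate(records) for r in classify(rec)]


def find_ordering_gaps(records):
    """Indices whose timestamp precedes the previous line's. IIS appends log
    lines in completion order, so a backwards jump is worth explaining before
    the log is trusted (heuristic only; it does not prove tampering)."""
    return [i for i in range(1, len(records))
            if records[i]["_ts"] < records[i - 1]["_ts"]]


def suspects(records):
    """Client IPs counted by write-capable or FPSE requests."""
    tally = Counter()
    for i, reason in flag_entry_points(records):
        if reason in ("webdav-write", "fpse"):
            tally[records[i]["c-ip"]] += 1
    return tally


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for i, reason in flag_entry_points(recs):
        r = recs[i]
        print(f"{reason:13} {r['date']} {r['time']} {r['c-ip']} {r['cs-method']} {r['cs-uri-stem']} {r['sc-status']}")
    for i in find_ordering_gaps(recs):
        print(f"timestamp goes backwards at line {i}: {recs[i]['date']} {recs[i]['time']}")
    print("clients behind write/FPSE requests:", dict(suspects(recs)))
```

Run it against a real W3C log by swapping `SAMPLE_LOG` for the file contents (check the `#Fields:` line first, since the column set is configurable per site). A clean pass with no flags and no ordering gaps does not clear the box; it only says the web log shows nothing on these particular entry points, which is why the reply also points at FTP and at anything already resident on the machine.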