Re: Find the Guy...

From: Mario Manzano (MarioManzano_at_discussions.microsoft.com)
Date: 08/20/04


Date: Fri, 20 Aug 2004 10:15:05 -0700

Hi Phillip !

FTP is not running on that machine. Actually, the Admin site is also
stopped. The updates to the page/site are done internally by replacing the
necessary file(s).

We do have FrontPage Extensions. Wouldn't a change done through it show on
the logs?

I think this was somebody in the company. Would you agree?

Thanks for your input! I really appreciate it!

Regards,
Mario

"Phillip Windell" wrote:

> Did you leave the FTP Service running on it? Does it point to the same
> root folder as the site? The same method to hack the site is probably the
> same way that you use to make updates to the site yourself. Could have been
> done with an FTP client or WebDAV (FrontPage Extensions) for example.
>
> The Default.htm would have the filedate, this would show you when it
> occurred, although if you have now corrected the file that information is
> lost because it will now show the date/time that you corrected it. You could
> have compared that time/date to log entries.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "Mario Manzano" <Mario Manzano@discussions.microsoft.com> wrote in message
> news:D507B0C0-796A-49F7-BFF0-0D4EE2536C21@microsoft.com...
> > Hi everyone,
> >
> > Somebody modified our web page the other day and placed some nasty words
> > on it. Nothing major really, but obviously management is very upset.
> >
> > The server is running Windows 2000 Server (Terminal) and IIS. It's a
> > somewhat basic setup really.
> >
> > I know that the Default.htm file was modified between 8/6 and 8/9. Also,
> > only the "title" and the "content" were modified. Nothing else.
> >
> > I am trying to rule out an external attack. The issue is I don't know what
> > to look for on the logs of the IIS.
> >
> > Please help!
> >
> > Thank you for any tips or direction!
> >
> > Regards!
>
>
>
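Added example, not part of the original thread: one way to do the log comparison discussed above is to pull every write-capable request (PUT and WebDAV verbs, plus FrontPage authoring POSTs under `/_vti_bin/`) out of the IIS W3C extended logs for the window in which Default.htm changed. The log lines are constructed, the year 2004 is assumed from the message date, and `find_write_requests` is a hypothetical helper name.

```python
from datetime import datetime

# Methods that can change content: HTTP PUT/DELETE and the WebDAV write verbs.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample in W3C extended format (not taken from the poster's server).
# W3C extended logs are written in UTC, while file timestamps are local time,
# so widen the window accordingly when comparing the two.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-08-05 23:10:02 192.0.2.10 - GET /Default.htm 200
2004-08-07 14:02:11 10.0.0.23 CORP\\jdoe POST /_vti_bin/_vti_aut/author.dll 200
2004-08-07 14:05:40 198.51.100.7 - GET /Default.htm 200
2004-08-08 03:44:19 203.0.113.5 - PUT /Default.htm 201
2004-08-10 09:00:00 10.0.0.23 - PUT /Default.htm 201
"""

def find_write_requests(log_text, start, end):
    """Return write-capable requests with start <= timestamp < end."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            ts = datetime.strptime(row["date"] + " " + row["time"],
                                   "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # date/time not logged or line is malformed
        if not (start <= ts < end):
            continue
        method = row.get("cs-method", "").upper()
        uri = row.get("cs-uri-stem", "").lower()
        # FrontPage Server Extensions author over POSTs to /_vti_bin/.
        fp_author = method == "POST" and uri.startswith("/_vti_bin/")
        if method in WRITE_METHODS or fp_author:
            hits.append((ts, row.get("c-ip"), row.get("cs-username"),
                         method, uri, row.get("sc-status")))
    return hits

if __name__ == "__main__":
    # 8/6 through 8/9 inclusive, so the exclusive upper bound is 8/10.
    for hit in find_write_requests(SAMPLE_LOG, datetime(2004, 8, 6), datetime(2004, 8, 10)):
        print(*hit)
```

An empty result for the window does not rule out a change made directly on the file system (console, Terminal Services session, or file share), since those never appear in the IIS logs.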


