Re: help:site hacked

From: Hernán Castelo (hcastelo_at_cedi.frba.utn.edu.ar)
Date: 06/30/04


Date: Wed, 30 Jun 2004 14:36:40 -0300

I will check it
with the person responsible for the firewall.

This is a summary of the log files.

Thanks

web/ sec
------------
681 on IWAM
529 on DCOMSCM thru IWAM
612 policy changed
514 on LSAsrv.dll, kerberos.dll, schannel, msv1_0:NTLM ...
518 on RASSFM

web/ sec
------------
4 IIS stopped
4156 MSDTC info CM "session idle timeout over, tearing down the session"
4156 MSDTC client "session idle timeout over, tearing down the session"
1704 SceCli "policy change applied"
4097 MSDTC started ...

web/ sys
------------
36 w3svc can't load /LM/w3SVC/2/Root
10004 DCOM "overlaped I/O" thru IWAM

sql /sec log:
------------
529, 680 on sql service account
515 on rasman
514 on LSAsrv.dll, kerberos.dll, schannel, msv1_0:NTLM ...

sql/ sys log:
------------
64 by w32time
7000 - can't start SCM service control manager
7001 - sql not available - SqlServerAgent

sql/ app log
------------
208 - SqlSrvAg can't do backup
17177 MsSqlSrv not available
4097 MSDTC SVC not available

-- 
Regards,
Hernán Castelo
SGA - UTN - FRBA
"Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message
news:eBtM2UiXEHA.3516@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> Was OpenBSD kept up to date with all of the latest kernel patches, etc?
> Were the servers behind the BSD box?
>
> Do you still have an image or something of the server when it was hacked?
>
> You mentioned IWAM...Could you have meant IWAP_WWW?
>
> -- 
> --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
> http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
> tutorial site :-)
> http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004?  Find out
> here
> Only reply by newsgroup.  I do not do technical support via email.  Any
> emails I have not authorized are deleted before I see them.
>
>
> "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
> news:uDStO2dXEHA.3716@TK2MSFTNGP11.phx.gbl...
> > I have an OpenBSD firewall
> > (do you mean an app firewall,
> > like i.e. Norton Personal FW?)
> >
> > The server was updated
> > with MBSA, had IISLockdown, etc.
> >
> > IS THERE any way to determine
> > what kind of attack I received???
> >
> > Thanks
> >
> > -- 
> > Regards,
> > Hernán Castelo
> > SGA - UTN - FRBA
> >
> > "Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message
> > news:%23wFoh%23UXEHA.2844@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > >
> > > Stay up to date on security and other hotfixes
> > > Get some sort of firewall
> > >
> > > That's a good start
> > >
> > > -- 
> > > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
> > > http://www.visualwin.com - A Windows Server 2003 visual, step-by-step
> > > tutorial site :-)
> > > http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004?  Find out
> > > here
> > > Only reply by newsgroup.  I do not do technical support via email.  Any
> > > emails I have not authorized are deleted before I see them.
> > >
> > >
> > > "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
> > > news:%23ERCwhRXEHA.2520@TK2MSFTNGP12.phx.gbl...
> > > Hi,
> > > someone hacked my site.
> > > I have 2 servers:
> > > web--> IIS 5 / w2k adv Srv IIS lockdown
> > > sql--> SQL2k / w2k adv Srv
> > >
> > > I found the web srv doing "beeps";
> > > soon I found it serves html pages
> > > but doesn't serve asp, with an error like
> > > "Error in the server application".
> > >
> > > The sql srv lost the sa password
> > > and doesn't recognize the local admin,
> > > so I can't access the sql applications.
> > >
> > > Apart from that,
> > > the servers appear to work normally.
> > >
> > > The web srv log is saying
> > > that the iwam_ account was attacked,
> > > with many "login misses" under DCOMSCM
> > > and then "login hits".
> > >
> > > I am going now to restore
> > > my backup and images,
> > > but
> > > what can I do to prevent the next attack?
> > > How can I protect the site better?
> > >
> > > Thanks
> > >
> > >
> > >
> > >
> > > -- 
> > > Regards,
> > > Hernán
> > >
> > >
> >
> >
>
>
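The log summary above lists raw event-ID counts, and the original report describes the tell-tale sequence of many "login misses" under DCOMSCM followed by "login hits". The following script is an added example, not code from anyone in this thread: it tallies Windows 2000-era security events and flags any account whose successful logon (event 528) was preceded by a burst of logon failures (event 529) within a short window. The input format (timestamp, event id, account, source) and the sample lines are constructed here for illustration and are simpler than a real Event Viewer export.

```python
"""Tally security-log event IDs and flag the guess-then-success pattern.

Added example, not part of the original newsgroup thread. The CSV-like
export below (timestamp, event id, account, source) is a constructed,
simplified format; real Windows 2000 Event Viewer exports differ.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the event IDs summarised in the thread:
# 529 = logon failure, 528 = successful logon, 612 = audit policy changed.
SAMPLE_LOG = """\
2004-06-29 02:11:03,529,IWAM_WEBSRV,DCOMSCM
2004-06-29 02:11:04,529,IWAM_WEBSRV,DCOMSCM
2004-06-29 02:11:05,529,IWAM_WEBSRV,DCOMSCM
2004-06-29 02:11:06,529,IWAM_WEBSRV,DCOMSCM
2004-06-29 02:11:07,529,IWAM_WEBSRV,DCOMSCM
2004-06-29 02:11:08,528,IWAM_WEBSRV,DCOMSCM
2004-06-29 02:15:00,612,SYSTEM,Security
2004-06-29 02:20:00,529,Administrator,console
2004-06-29 03:00:00,528,Administrator,console
"""

FAILURE_IDS = {529}  # logon failure (bad password or unknown user)
SUCCESS_ID = 528     # successful logon


def parse(text):
    """Parse the constructed export into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, account, source = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), account, source))
    return events


def tally(events):
    """Count occurrences of each event ID, like the summary in the thread."""
    return Counter(eid for _, eid, _, _ in events)


def find_guess_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Return (account, failure_count, success_time) for each success (528)
    preceded by at least `min_failures` failures for that account within `window`.

    This is the "many login misses, then login hits" pattern from the report.
    """
    recent_failures = defaultdict(list)
    hits = []
    for ts, eid, account, _source in sorted(events):
        if eid in FAILURE_IDS:
            recent_failures[account].append(ts)
        elif eid == SUCCESS_ID:
            fails = [t for t in recent_failures[account] if ts - t <= window]
            if len(fails) >= min_failures:
                hits.append((account, len(fails), ts))
            recent_failures[account] = []  # reset after any success
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for eid, count in sorted(tally(evs).items()):
        print(f"{count:5d} x event {eid}")
    for account, n, when in find_guess_then_success(evs):
        print(f"ALERT: {account}: {n} failures then success at {when}")
```

On the sample, the IWAM account is flagged (five failures then a success within seconds), while the single Administrator failure 40 minutes before a success is not. Adjusting `min_failures` and `window` controls how noisy the check is; in practice the account name alone (a service identity such as IWAM_ logging on interactively) is already worth an alert.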

