Re: help:site hacked
From: Jonathan Maltz [MS-MVP] (jmaltz_at_mvps.org)
Date: 06/30/04
Date: Wed, 30 Jun 2004 13:36:12 -0400
Hi,
I'd try microsoft.public.inetserver.iis.security - I haven't seen anything
like that
--
--Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
http://www.visualwin.com - A Windows Server 2003 visual, step-by-step tutorial site :-)
http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out here
Only reply by newsgroup. I do not do technical support via email. Any emails I have not authorized are deleted before I see them.

"Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message news:uUZpThsXEHA.3012@tk2msftngp13.phx.gbl...
> i will to check it
> with the responsible of the firewall
>
> this is a summary of the log files
>
> Thanks
>
>
> web/ sec
> ------------
> 681 on IWAM
> 529 on DCOMSCM thru IWAM
> 612 policy changed
> 514 on LSAsrv.dkk, kerberos.dll, schannell, msv1_0:NTLM ...
> 518 on RASSFM
>
> web/ sec
> ------------
> 4 IIS stopped
> 4156 MSDTC info CM "session idle timeout over, tearing down the session"
> 4156 MSDTC client "session idle timeout over, tearing down the session"
> 1704 SceCli "policy change applied"
> 4097 MSDTC started ...
>
> web/ sys
> ------------
> 36 w3svc can't load /LM/w3SVC/2/Root
> 10004 DCOM "overlaped I/O" thru IWAM
>
>
>
> sql /sec log:
> ------------
> 529, 680 on sql service account
> 515 on rasman
> 514 on LSAsrv.dkk, kerberos.dll, schannell, msv1_0:NTLM ...
>
> sql/ sys log:
> ------------
> 64 by w32time
> 7000 - can't start SCM service control manager
> 7001 - sql not available - SqlServerAgent
>
> sql/ app log
> ------------
> 208 - SqlSrvAg can't do backup
> 17177 MsSqlSrv not available
> 4097 MSDTC SVC not available
>
>
> --
> Regards,
> Hernán Castelo
> SGA - UTN - FRBA
>
> "Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message
> news:eBtM2UiXEHA.3516@TK2MSFTNGP09.phx.gbl...
> > Hi,
> >
> > Was OpenBSD kept up to date with all of the latest kernel patches, etc?
> > Were the servers behind the BSD box?
> >
> > Do you still have an image or something of the server when it was hacked?
> >
> > You mentioned IWAM...Could you have meant IWAP_WWW?
> >
> > --
> > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
> > http://www.visualwin.com - A Windows Server 2003 visual, step-by-step tutorial site :-)
> > http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out here
> > Only reply by newsgroup. I do not do technical support via email. Any
> > emails I have not authorized are deleted before I see them.
> >
> >
> > "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
> > news:uDStO2dXEHA.3716@TK2MSFTNGP11.phx.gbl...
> > > i have a firewall openbsd,
> > > ( do you mean an app firewall?
> > > like ie. norton personal fw )
> > >
> > > the server was updated
> > > with mbsa, had iislockdown, etc
> > >
> > > IS THERE any way to determine
> > > what kind of attack i received ???
> > >
> > > thanks
> > >
> > > --
> > > Regards,
> > > Hernán Castelo
> > > SGA - UTN - FRBA
> > >
> > > "Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message
> > > news:%23wFoh%23UXEHA.2844@TK2MSFTNGP11.phx.gbl...
> > > > Hi,
> > > >
> > > > Stay up to date on security and other hotfixes
> > > > Get some sort of firewall
> > > >
> > > > That's a good start
> > > >
> > > > --
> > > > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC]
> > > > http://www.visualwin.com - A Windows Server 2003 visual, step-by-step tutorial site :-)
> > > > http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out here
> > > > Only reply by newsgroup. I do not do technical support via email. Any
> > > > emails I have not authorized are deleted before I see them.
> > > >
> > > >
> > > > "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
> > > > news:%23ERCwhRXEHA.2520@TK2MSFTNGP12.phx.gbl...
> > > > hi
> > > > someone was hacked my site
> > > > i have 2 servers :
> > > > web--> IIS 5 / w2k adv Srv IIS lockdown
> > > > sql--> SQL2k / w2k adv Srv
> > > >
> > > > i found the web srv doing "beeps"
> > > > soon i found it serves html pages
> > > > but don't serves asp with an error like
> > > > "Error in the server application"
> > > >
> > > > sql srv lost sa password
> > > > and don't recognize the local admin
> > > > then i can't access to sql applications
> > > >
> > > > except of that,
> > > > servers appears to work normal
> > > >
> > > > the web srv log is saying
> > > > that attacked the iwam_
> > > > and many "login misses" under DCOMSCM
> > > > and then, "login hits"
> > > >
> > > > i go now to restore
> > > > my backup and images
> > > > but
> > > > what can i do to prevent the next attack ?
> > > > how can i protect better the site ?
> > > >
> > > > thanks
> > > >
> > > > --
> > > > Regards,
> > > > Hernán
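
The pattern reported in the thread, many logon failures followed by a success on the same account, can be searched for in an exported Security log before the machine is restored. The following is an added example, not code from any poster in this thread; the export layout, the account names, the thresholds and the success event IDs 528/540 are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Windows 2000 Security event IDs: 529/681 are in the thread's summary;
# 528/540 (successful logons) are added here so the two can be correlated.
FAILURE_IDS = {529, 681}
SUCCESS_IDS = {528, 540}

# Constructed sample export: timestamp,event_id,account,logon_process.
SAMPLE = """\
2004-06-28 02:10:01,529,IWAM_WEB,DCOMSCM
2004-06-28 02:10:03,529,IWAM_WEB,DCOMSCM
2004-06-28 02:10:05,681,IWAM_WEB,DCOMSCM
2004-06-28 02:10:07,529,IWAM_WEB,DCOMSCM
2004-06-28 02:10:09,529,IWAM_WEB,DCOMSCM
2004-06-28 02:10:30,528,IWAM_WEB,DCOMSCM
2004-06-28 08:00:00,529,sqlsvc,MSSQL
2004-06-28 08:00:20,528,sqlsvc,MSSQL
"""

def parse(text):
    """Return (timestamp, event_id, account, process) tuples in time order."""
    rows = []
    for ts, eid, account, process in csv.reader(StringIO(text)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rows.append((when, int(eid), account.upper(), process))
    return sorted(rows)

def failures_then_success(rows, min_failures=5, window=timedelta(minutes=10)):
    """Flag accounts with >= min_failures failed logons inside `window`
    that are followed by a successful logon on the same account."""
    recent = {}     # account -> failure timestamps still inside the window
    findings = []
    for when, eid, account, process in rows:
        fails = [t for t in recent.get(account, []) if when - t <= window]
        if eid in FAILURE_IDS:
            fails.append(when)
        elif eid in SUCCESS_IDS:
            if len(fails) >= min_failures:
                findings.append({"account": account, "failures": len(fails),
                                 "first_failure": fails[0], "success_at": when,
                                 "process": process})
            fails = []  # a success ends the streak whether or not it was flagged
        recent[account] = fails
    return findings
```

A single mistyped password followed by a normal logon (the `sqlsvc` rows) stays below the default threshold, so only the burst against the IIS account is reported.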