Security Basics mailing list archives
Compromised Server Project
From: "Hunt, Jim" <Jim.Hunt () nwsc k12 in us>
Date: Fri, 7 Feb 2003 14:52:50 -0500
I keep reading how quickly unsecured servers on high speed connections can be compromised. Is it really as bad as they keep saying? Just how long could a server (IIS 6 on Windows 2003 Server RC2) remain safe when just sitting quietly and not offering an Internet presence?

The box is a standard desktop (Pentium 4). The connection is a full T1. It sits outside my firewall with no protection other than a medium difficult password on the administrator account. The built-in software firewall similar to the one in Windows XP is not activated. You can ping the box and it will reply. There are no web pages being served other than a basic page indicating it is a web server and the OS. FrontPage 2002 Extensions are also installed. It also has the INETPUB folder installed on the same c:\ partition as the operating system. There really has been no special security other than a default installation and the basic Windows Update patches.

Well, it has been over 6 weeks since installation and nobody has gotten into the box. Yeah, I know someone working at it could compromise it, but the casual scans and script kiddies just keep passing it by. (There are many attempts recorded in the logs.)

I got bored waiting and decided to add an FTP Server and allow read/write access for anyone. I was also disappointed that after 12 hours, it hadn't been touched. Another 6 hours went by and still nothing. Maybe Internet hacking was dead and we didn't need firewalls anymore.

Well, it didn't make it 24 hours before it was compromised. (Yes, I did kind of help it along.) I received about 160 MB of files uploaded. They left this message:

For Team Tacheron Universal - Scanned'n'Upped by Sol

There were a couple of downloads of those files before I turned off the FTP Service. (The files were Karaoke; nothing good!)

So what am I saying? A misconfigured FTP Server with anonymous read/write access was quickly used by someone. The HTTP Server seems to be remarkably secure against all common vulnerabilities. This was using the default installation. I also didn't install any antivirus software on the box but did do a full scan using the online scan from Trend Micro and it came up clean, so no Trojans were dropped.

Please note this was not a scientific study but something born out of boredom by myself.

Stay Secure!

Jim Hunt
Microsoft Certified Systems Engineer
Northwestern School Corporation
Kokomo, Indiana
http://www.netmon.org
Providing the resources and tools to monitor your network
Includes User Forums