Security Basics mailing list archives
Re: Compromised Server Project
From: "Brian Wojtczak ( Lawyers Online )" <astrolox () lawyersonline co uk>
Date: Wed, 12 Feb 2003 10:25:17 +0000
I think the major reason that you weren't "attacked" sooner is because the box was doing nothing. I must also point out (as someone else did) that a plain install which hasn't got anything interesting on it would look like a trap to most hackers. My guess is that if you put some web site up on the box and publish the address then you would have been a much more inviting target.

We don't run any Windows servers, yet I'm constantly seeing Nimda or Code Red style attacks against our servers. Stuff that only works against Windows. I find that these attacks happen most often during the night (GMT); I'm guessing they are "script kiddies" as I'm not aware of a virus which cares if it's night or day.

My point is our servers are well published, we host lots of web sites and are in an IP address range with other servers which host lots of web sites, and we see IIS attacks every day.

Regards,
Brian, Lawyers Online

At 14:52 07/02/2003 -0500, you wrote:
> I keep reading how quickly unsecured servers on high speed connections can be compromised. Is it really as bad as they keep saying? Just how long could a server (IIS 6 on Windows 2003 Server RC2) remain safe when just sitting quietly and not offering an Internet presence?
>
> The box is a standard desktop (Pentium 4). The connection is a full T1. It sits outside my firewall with no protection other than a medium difficult password on the administrator account. The built-in software firewall similar to the one in Windows XP is not activated. You can ping the box and it will reply. There are no web pages being served other than a basic page indicating it is a web server and the OS. FrontPage 2002 Extensions are also installed. It also has the INETPUB folder installed on the same c:\ partition as the operating system. There really has been no special security other than a default installation and the basic Windows Update patches.
>
> Well, it has been over 6 weeks since installation and nobody has gotten into the box. Yeah, I know someone working at it could compromise it, but the casual scans and script kiddies just keep passing it by. (There are many attempts recorded in the logs.)
>
> I got bored waiting and decided to add an FTP Server and allow read/write access for anyone. I was also disappointed that after 12 hours, it hadn't been touched. Another 6 hours went by and still nothing. Maybe Internet hacking was dead and we didn't need firewalls anymore.
>
> Well, it didn't make it 24 hours before it was compromised. (Yes, I did kind of help it along.) I received about 160 MB of files uploaded. They left this message:
>
> For Team Tacheron Universal - Scanned'n'Upped by Sol
>
> There were a couple of downloads of those files before I turned off the FTP Service. (The files were Karaoke; nothing good!)
>
> So what am I saying? A misconfigured FTP Server with anonymous read/write access was quickly used by someone. The HTTP Server seems to be remarkably secure against all common vulnerabilities. This was using the default installation. I also didn't install any Antivirus software on the box but did do a full scan using the online scan from Trend Micro and it came up clean, so no Trojans were dropped.
>
> Please note this was not a scientific study but something born out of boredom by myself.
>
> Stay Secure!
>
> Jim Hunt
> Microsoft Certified Systems Engineer
> Northwestern School Corporation
> Kokomo, Indiana
> http://www.netmon.org
> Providing the resources and tools to monitor your network
> Includes User Forums
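Brian's observation that Nimda and Code Red style requests show up in web logs every day, mostly at night GMT, is easy to check against your own logs. The script below is an added example, not code from either poster: it scans IIS W3C-style log rows (the sample rows are constructed, with RFC 5737 documentation addresses), flags the well-known worm request signatures, and counts hits per family, per hour, and by source. Timestamps are assumed to be UTC, which is what IIS writes by default.

```python
import re
from collections import Counter

# Constructed sample rows in W3C extended format:
# date time c-ip cs-method cs-uri-stem sc-status. Not taken from the original thread.
SAMPLE_LOG = """\
2003-02-11 02:14:07 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe 404
2003-02-11 02:14:09 192.0.2.10 GET /scripts/root.exe 404
2003-02-11 03:40:51 198.51.100.7 GET /default.ida 404
2003-02-11 10:05:13 203.0.113.5 GET /index.html 200
2003-02-11 23:58:30 192.0.2.77 GET /MSADC/root.exe 404
2003-02-11 23:59:02 192.0.2.77 GET /c/winnt/system32/cmd.exe 404
"""

# Request signatures: Code Red probes /default.ida, Nimda looks for root.exe or
# cmd.exe via traversal paths. Matched case-insensitively against the URI stem.
WORM_PATTERNS = {
    "codered": re.compile(r"/default\.ida", re.I),
    "nimda": re.compile(r"(root\.exe|cmd\.exe)", re.I),
}

# Six whitespace-separated fields; #Fields:/#Comment header lines do not match.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_uri(uri):
    """Return the worm family whose signature matches the URI, or None if benign."""
    for name, pattern in WORM_PATTERNS.items():
        if pattern.search(uri):
            return name
    return None


def summarize(log_text):
    """Count worm-style hits per family and per UTC hour, and collect source IPs."""
    by_family, by_hour, sources = Counter(), Counter(), set()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip headers and malformed rows rather than crash on them
        _date, time, ip, _method, uri, _status = match.groups()
        family = classify_uri(uri)
        if family is None:
            continue
        by_family[family] += 1
        by_hour[int(time[:2])] += 1  # hour field of HH:MM:SS
        sources.add(ip)
    return {"by_family": dict(by_family), "by_hour": dict(by_hour), "sources": sorted(sources)}


def night_fraction(summary, night_hours=range(0, 6)):
    """Share of worm hits that fall in the given UTC hours (default 00:00-05:59)."""
    total = sum(summary["by_hour"].values())
    night = sum(n for h, n in summary["by_hour"].items() if h in night_hours)
    return night / total if total else 0.0


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report, "night share:", night_fraction(report))
```

On real logs the per-hour histogram is what confirms or refutes the night-time pattern Brian describes; the source list is what you would feed into your blocking or reporting process.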