Re: Compromised Server Project

["Brian Wojtczak ( Lawyers Online )" <astrolox () lawyersonline co uk>]

--

I think the major reason that you weren't "attacked" sooner is because the box was doing nothing.

I must also point out ( as someone else did ) that a plain install which hasn't got anything interesting on it would 
look like to trap to most hackers. 

My guess is that if you put some web site up on the box and publish the address then you would have been a much more 
inviting target.


We don't run any windows servers yet I'm constantly seeing Nimda or code red style attacks against our servers. Stuff 
that only works against windows. I find that these attacks happen most often during the night ( GMT ), I'm guessing 
they are "script kiddies" as I'm not aware of a virus which cares if it's night or day. 

My point is our servers are well published, we host lots of web sites and are in an ip address range with other servers 
which host lots of web sites, and we see IIS attacks every day. 


Regards,
Brian, Lawyers Online


At 14:52 07/02/2003 -0500, you wrote:
> I keep reading how quickly unsecured servers on high speed connections
> can be compromised.  Is it really as bad as they keep saying?  Just how
> long could a server (IIS 6 on Windows 2003 Server RC2) remain safe when
> just sitting quietly and not offering an Internet presence?
>
> The box is a standard desktop (Pentium 4).  The connection is a full T1.
> It sits outside my firewall with no protection other than a medium
> difficult password on the administrator account.  The built-in software
> firewall similar to the one in Windows XP is not activated.  You can
> ping the box and it will reply.
>
> There are no web pages being served other than a basic page indicating
> it is a web server and the OS.  FrontPage 2002 Extensions are also
> installed.  It also has the INETPUB Folder installed on the same c:\
> partition as the operating system.  
>
> There really has been so special security other than a default
> installation and the basic Windows Update patches.  Well, it has been
> over 6 weeks since installation and nobody has gotten into the box.
> Yeah, I know someone working at it could compromise it but the casual
> scans and script kiddies just keep passing it by.  (There are many
> attempts recorded in the logs.)
>
> I got bored waiting and decided to add an FTP Server and allow
> read/write access for anyone.  I was also disappointed that after 12
> hours, it hadn't been touched.  Another 6 hours went by and still
> nothing.  Maybe Internet hacking was dead we didn't need firewalls
> anymore.
>
> Well, it didn't make it 24 hours before it compromised.  (Yes, I did
> kind of help it along.)  I received about 160 MB of files uploaded.
> They left this message:
>
> For Team Tacheron Universal - Scanned'n'Upped by Sol
>
> There were a couple of downloads of those files before I turned off the
> FTP Service.  (The files were Karaoke; nothing good!)  So what am I
> saying?  A misconfigured FTP Server with anonymous read/write access was
> quickly used by someone.  
>
> The HTTP Server seems to be remarkably secure against all common
> vulnerabilities.  This was using the default installation.  
>
> I also didn't install any Antivirus software on the box but did due a
> full scan using the online scan from Trend Micro and it came up clean so
> no Trojans were dropped.  
>
> Please note this was not a scientific study but something born out of
> boredom by myself.  Stay Secure!  
>
> Jim Hunt
> Microsoft Certified Systems Engineer
> Northwestern School Corporation
> Kokomo, Indiana
>
> http://www.netmon.org
> Providing the resources and tools to monitor your network
> Includes User Forums