Security Incidents mailing list archives
RE: IIS web server hacked..any tips?
From: "Curt Purdy" <purdy () tecman com>
Date: Wed, 15 Dec 2004 15:11:29 -0600
Francesco wrote:
Yesterday someone managed to access the server and dump 8GB of DVD files into a deeply nested folder in a backup directory, for sharing I presume. The payload folder was NOT within the available folders given access to FTP users. Someone was able to "see" the entire D drive and figure out a hidden enough location at their whimsy.
<snip> Tip? Use Apache on *NIX ;) Seriously though, you will need to remove those folders manually. Some will likely have names like COM and LPT1 which *NIX is fine with but windoze chokes on. Attached is the description how to (only 3k so am attaching to everyone). As for how they did it, you are running some of the biggest problems MS has including IIS, SQL Server, and ASP.NET, any one of which could be exploitable. You cannot rely on windowsupdate to tell you your patched. It often lies because it only looks at the registry which is updated prior to the actual update completing (can you say dumb?). You must run multiple tests like MBSA to verify. In addition there are possibly 3rd part programs loaded that need patching. The only time my windoze server got hacked was when a cracker exploited a vuln in Matt's formmail perl script we were using. Also, I would look at the times of file install to determine whether it was internal or external. If times are too close for your Internet line to accommodate, it means you have an insider to contend with once you clean up your act. If that is the case, you may want to take the box offline by pulling the plug (that leaves everything in virtual memory intact for forensic analysis) and determine who needs to be fired. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke
Attachment:
deleting_hacked_dirs.txt
Description:
Current thread:
- IIS web server hacked..any tips? Francesco (Dec 15)
- Re: IIS web server hacked..any tips? xyberpix (Dec 15)
- RE: IIS web server hacked..any tips? Curt Purdy (Dec 15)
- Re: IIS web server hacked..any tips? Sam Evans (Dec 15)
- RE: IIS web server hacked..any tips? Christopher Day (Dec 15)
- RE: IIS web server hacked..any tips? Jim Tuttle (Dec 15)
- Re: IIS web server hacked..any tips? Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Dec 16)
- Re: IIS web server hacked..any tips? Barrie Dempster (Dec 15)
- Re: IIS web server hacked..any tips? Tim Igoe (Dec 15)
- Re: IIS web server hacked..any tips? cta () hcsin net (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? Dave Dodge (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? K.M. Jeary (Dec 16)
(Thread continues...)