Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IIS web server hacked..any tips?

From: Sam Evans <wintrmte () gmail com>
Date: Wed, 15 Dec 2004 12:34:09 -0700
Could the individual have used a privileged account which would have
allowed them to drop the files in the location you found them in? 
Brute forcing accounts through FTP is fairly non evasive (if you have
security event logging disabled / nothing moitoring it and no lockout
restrictions).

Out of curiosity, what is/was the owner set to on the files you found?
 That should be a good clue as to how they got there.

-Sam


On Wed, 15 Dec 2004 08:23:40 -0800, Francesco <francesco () blackcoil com> wrote:

I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
and ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP is
additionally protected by authentication.

Yesterday someone managed to access the server and dump 8GB of DVD files
into a deeply nested folder in a backup directory, for sharing I
presume.  The payload folder was NOT within the available folders given
access to FTP users.  Someone was able to "see" the entire D drive and
figure out a hidden enough location at their whimsy.

I thought the server was fairly well locked down, but apparently not.
What is the usual method of intrusion for "warez" attacks like these?

Francesco
Previous By Date Next
Previous By Thread Next

Current thread: