Re: IIS web server hacked..any tips?

["Roger McLaren" <RMcLaren () vcss k12 ca us>]

Francesco,

Any of the software you listed could be used to gain access to your
server.  Even the MailEnable software has had remotely exploitable
buffer overflows. You did not mention software versions, or if the
server was firewalled. If there is no firewall it could be a simple
password guessing attack. The compromise of a windows account with admin
rights or a SQL account with sufficient privilege would do it.

If you have enabled auditing go over the logs carefully to look for any
clues. Then wipe the machine and re-build it (or restore from a known
clean backup) and make sure you change ALL the passwords - you never
know what they did while they were there.

Roger R. McLaren
Systems Support Analyst
Information Technology Services
Ventura County Superintendent of Schools 

> > > "Francesco" <francesco () blackcoil com> 12/15/2004 8:23:40 AM >>>
I have a Windows 2003 Server running IIS 6, SQL Server 2000,
MailEnable,
and ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP
is
additionally protected by authentication.

Yesterday someone managed to access the server and dump 8GB of DVD
files
into a deeply nested folder in a backup directory, for sharing I
presume.  The payload folder was NOT within the available folders
given
access to FTP users.  Someone was able to "see" the entire D drive and
figure out a hidden enough location at their whimsy.

I thought the server was fairly well locked down, but apparently not.
What is the usual method of intrusion for "warez" attacks like these?

Francesco