Security Incidents mailing list archives
Re: IIS web server hacked..any tips?
From: "K.M. Jeary" <kmj1000 () ucs cam ac uk>
Date: Thu, 16 Dec 2004 19:23:11 +0000 (GMT)
You don't say which, if any, executables you found - or had this all been wiped before you got there? This normally gives some clue to type of entry (exploiting tftp is one common line of attack). I'd also look for doctored logs (earlier logs should give you pre-existing patterns of access to ftp/IIS). The length of certain files (or lack of it) is often a clue - this can tell you what period(s) the group wanted to disguise. Unless of course they've used clearlog.exe and deleted the whole affair...

You can't necessarily rely on dates of course - executables like setdatetime.exe (sets the date of a file back five calendar years) are often part of an ordinary rootkit. However (and of course doing this destroys part of your evidence) looking at .exe files' 'last accessed' in the system32 directory can be quite illuminating. [It's fairly easy to sort out those which are normally used by the system etc.]

The other point I'd make is you shouldn't necessarily make the mistake of assuming that your server was compromised _recently_. It could have been so for several weeks or months - and the group involved only came back to it when it rose to the top of the compromised hosts list. As earlier replies have suggested, you could actually have one or more than one zombie PC in your organization - the original compromise does not necessarily have to have been from an external machine.

Internet: K.M.Jeary () ucs cam ac uk
University Computing Service, NT-Support: NT-Support () ucs cam ac uk
Pembroke Street, Cambridge CB2 3QH, England.
Telephone: +44 (0)1223-335632
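The "look for doctored logs" advice above can be turned into a mechanical first pass. The following is an added example, not code from the original post or from anyone in this thread: a small Python script that parses IIS W3C extended log lines and flags stretches of silence that are far longer than the server's normal request rhythm, which is the kind of hole a log editor leaves behind. The log lines are constructed sample data, the field layout follows the `#Fields:` header shown, and the thresholds (a 30-minute floor and ten times the median inter-request interval) are assumptions you would tune against an earlier, trusted day's log.

```python
"""Flag suspicious gaps in IIS W3C logs that may indicate log editing.

Added example, not from the original mailing-list post. Constructed sample
data; thresholds are assumptions to be tuned against a known-good day.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample of IIS W3C extended log lines (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-12-14 09:00:05 10.0.0.5 GET /index.htm 200
2004-12-14 09:02:11 10.0.0.7 GET /about.htm 200
2004-12-14 09:04:40 10.0.0.5 GET /index.htm 200
2004-12-14 09:06:02 10.0.0.9 GET /news.htm 200
2004-12-14 09:08:30 10.0.0.5 GET /index.htm 200
2004-12-14 09:10:15 10.0.0.7 GET /about.htm 200
2004-12-14 09:12:48 10.0.0.9 GET /news.htm 200
2004-12-14 09:14:20 10.0.0.5 GET /index.htm 200
2004-12-14 09:16:01 10.0.0.7 GET /about.htm 200
2004-12-14 09:18:33 10.0.0.9 GET /news.htm 200
2004-12-14 11:05:00 10.0.0.5 GET /index.htm 200
2004-12-14 11:06:45 10.0.0.7 GET /about.htm 200
"""


def parse_iis_log(text):
    """Return a list of (timestamp, client_ip, uri, status) for each data line.

    Lines starting with '#' are W3C directives (Software, Fields, Date) and
    are skipped; the field order assumed here matches the #Fields line above.
    """
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
        entries.append((ts, fields[2], fields[4], int(fields[5])))
    return entries


def baseline_interval_seconds(entries):
    """Median number of seconds between consecutive requests (the server's
    normal rhythm). Needs at least two entries."""
    times = sorted(e[0] for e in entries)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(deltas)


def find_gaps(entries, factor=10.0, min_gap=timedelta(minutes=30)):
    """Return (start, end, gap) tuples for each silence between consecutive
    requests that is both at least `min_gap` long and more than `factor`
    times the median inter-request interval.

    A flagged gap is a lead, not proof: confirm it against an earlier,
    trusted log for the same weekday and hour before treating it as editing.
    """
    times = sorted(e[0] for e in entries)
    if len(times) < 3:
        return []
    base = timedelta(seconds=baseline_interval_seconds(entries))
    suspicious = []
    for a, b in zip(times, times[1:]):
        gap = b - a
        if gap >= min_gap and gap > base * factor:
            suspicious.append((a, b, gap))
    return suspicious


if __name__ == "__main__":
    log = parse_iis_log(SAMPLE_LOG)
    print(f"baseline interval: {baseline_interval_seconds(log):.0f}s")
    for start, end, gap in find_gaps(log):
        print(f"possible hole: {start} -> {end} ({gap})")
```

Run it on the real log with a baseline taken from a day before the suspected compromise rather than from the suspect file itself, since an attacker who removed an hour of entries also shifted the median. As the post notes, a tool such as clearlog.exe that wipes the whole file leaves nothing for this check to find; the absence of a log where the server configuration says one should exist is then the finding.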