Security Incidents mailing list archives

Re: IIS web server hacked..any tips?


From: "K.M. Jeary" <kmj1000 () ucs cam ac uk>
Date: Thu, 16 Dec 2004 19:23:11 +0000 (GMT)

You don't say which, if any, executables you found - or had this all been wiped before you got there? This normally gives some clue to the type of entry (exploiting tftp is one common line of attack). I'd also look for doctored logs (earlier logs should give you pre-existing patterns of access to ftp/IIS). The length of certain files (or lack of it) is often a clue - this can tell you what period(s) the group wanted to disguise. Unless of course they've used clearlog.exe and deleted the whole affair...

You can't necessarily rely on dates of course - executables like setdatetime.exe (sets the date of a file back five calendar years) are often part of an ordinary rootkit. However (and of course doing this destroys part of your evidence) looking at .exe files' 'last accessed' times in the system32 directory can be quite illuminating. [It's fairly easy to sort out those which are normally used by the system etc.]

The other point I'd make is you shouldn't necessarily make the mistake of assuming that your server was compromised _recently_. It could have been so for several weeks or months - and the group involved only came back to it when it rose to the top of the compromised hosts list. As earlier replies have suggested, you could actually have one or more than one zombie PC in your organization - the original compromise does not necessarily have to have been from an external machine.

Internet:  K.M.Jeary () ucs cam ac uk       University Computing Service,
NT-Support: NT-Support () ucs cam ac uk     Pembroke Street
Telephone: +44 (0)1223-335632            Cambridge CB2 3QH, England.
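As an added example (not part of the post above, and not a tool from the list), one way to turn the "doctored logs" advice into a check: compare each day's IIS log against the pre-existing pattern of the other days and flag days whose file is missing, unusually short, or whose timestamps run backwards (a sign of in-place editing). It assumes IIS daily W3C logs named exYYMMDD.log with `date time` leading each entry; the sample logs are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

def parse_entries(text):
    """Timestamps of W3C data lines ('date time ...'); '#' directives skipped."""
    stamps = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            d, t = line.split()[:2]
            stamps.append(datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S"))
    return stamps

def log_date(name):
    """IIS daily log name exYYMMDD.log -> the day it covers."""
    return datetime.strptime(name[2:8], "%y%m%d").date()

def audit_iis_logs(logs, min_ratio=0.3):
    """'logs' maps file name to file text.  Each day is compared with the median
    entry count of the other days (the baseline).  Returns sorted (day, finding)."""
    by_day = {log_date(n): parse_entries(t) for n, t in logs.items()}
    findings = []
    day, last = min(by_day), max(by_day)
    while day <= last:                                   # gap in the daily series
        if day not in by_day:
            findings.append((day.isoformat(), "missing log file"))
        day += timedelta(days=1)
    for d, stamps in by_day.items():
        others = [len(s) for x, s in by_day.items() if x != d]
        if others and len(stamps) < min_ratio * median(others):   # trimmed file
            findings.append((d.isoformat(), f"only {len(stamps)} entries vs median {median(others):.0f}"))
        for prev, cur in zip(stamps, stamps[1:]):               # edited in place
            if cur < prev:
                findings.append((d.isoformat(), f"time goes backwards at {cur.time()}"))
                break
    return sorted(findings)

def _day(day, hours):
    """Constructed one-day W3C log with one GET per listed hour (sample data)."""
    head = ("#Software: Microsoft Internet Information Services 5.0\n"
            "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n")
    rows = [f"2004-12-{day:02d} {h:02d}:00:00 192.0.2.10 GET /default.htm 200" for h in hours]
    return head + "\n".join(rows) + "\n"

SAMPLE_LOGS = {                                          # constructed, not real logs
    "ex041201.log": _day(1, range(8, 18)),               # 10 hits, a normal day
    "ex041202.log": _day(2, range(8, 18)),
    # ex041203.log deliberately absent: the whole day's file was deleted
    "ex041204.log": _day(4, [9, 10]),                    # cut down to two entries
    "ex041205.log": _day(5, [8, 9, 14, 11, 12, 13, 15, 16, 17, 18]),  # 11:00 after 14:00
}
```

Run it over a copy of the log directory, not the originals, so the evidence files' own timestamps stay untouched.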

