PaulDotCom mailing list archives
Re: Web Server Hacked
From: "Ben Jackson" <bbj () mayhemiclabs com>
Date: Fri, 21 Jan 2011 10:23:06 -0500
Any chance we could look at the IIS logs? That might answer most of the attack vector questions assuming the attack was web based.

--
Sent from my Mobile Device

On Jan 21, 2011 6:14 AM, Ryan Sears <rdsears () mtu edu> wrote:

Hey guys,

Perhaps it was something on top of dotnetnuke? There have been quite a few bugs posted in their security bulletins (http://www.dotnetnuke.com/News/SecurityPolicy/tabid/940/Default.aspx - at the bottom) as well as securityfocus (I believe - too many seclists to keep them all straight :-P).

Just a thought! I'm curious as to how the initial compromise happened as well. Would you be willing to share the files used in the compromise? The community may be able to trace its origins, and potentially shut down a malicious C&C node for other compromised websites (as I have done in the past), or possibly trace it to a trend of malware, or the initial vector so you can patch/remediate it.

Regards,
Ryan Sears

----- Original Message -----
From: "Timothy Ouellette" <touellette83 () gmail com>
To: "PaulDotCom Security Weekly Mailing List" <pauldotcom () mail pauldotcom com>
Sent: Thursday, January 20, 2011 11:39:16 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Pauldotcom] Web Server Hacked

I'm more interested in the attack vector than the actual hack... anyone know how the files actually got replaced? Any chance you're both running the same version of IIS or Apache? Or possibly similar ports available on webservers, etc.

----- Original Message -----
From: Ariany Mizrahi
To: PaulDotCom Security Weekly Mailing List
Sent: Thursday, January 20, 2011 7:46 PM
Subject: Re: [Pauldotcom] Web Server Hacked

We actually just had one of our web servers hacked yesterday around 6:50am. index.asp was replaced.

Cheers,
Ari
http://www.securityoverflow.net

On Thu, Jan 20, 2011 at 6:53 PM, Mike Smith <ranger.rkm () gmail com> wrote:

Hello,

I would like to know if anyone has had a web server attacked using these files.

1) default.asp
2) index.asp
3) main.asp
4) shell.asp

I have files 1, 2, 3, but not 4; I do not know if it was successfully uploaded, then deleted.

Thanks,
Mike

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
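An added example, not part of the original thread or any poster's code: a log triage of the kind the reply above suggests, which pulls every request for the four file names listed in the thread out of an IIS W3C log and flags any that were served (200) and later missing (404). The field list, sample rows and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# File names come from the thread; the log layout and sample rows are assumptions.
SUSPECT = {"default.asp", "index.asp", "main.asp", "shell.asp"}
KEYS = ("date", "time", "c-ip", "cs-method", "sc-status")

# Constructed sample in IIS W3C extended format (documentation-range IPs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-01-19 11:48:02 192.0.2.10 GET /index.asp - 200
2011-01-19 11:49:30 198.51.100.7 GET /shell.asp - 200
2011-01-19 11:52:40 198.51.100.7 GET /shell.asp - 404
2011-01-19 12:01:00 192.0.2.10 GET /about.asp - 200
bad row
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def timeline(text, names=SUSPECT):
    """Map each suspect URI stem to its ordered events (one tuple per KEYS)."""
    events = defaultdict(list)
    for r in parse_w3c(text):
        stem = r.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] in names:
            events[stem].append(tuple(r.get(k, "-") for k in KEYS))
    return dict(events)

def served_then_missing(events):
    """Stems answered 200 and later 404: the file was there, then gone."""
    found = []
    for stem, rows in events.items():
        statuses = [row[-1] for row in rows]
        if "200" in statuses and "404" in statuses[statuses.index("200"):]:
            found.append(stem)
    return sorted(found)

if __name__ == "__main__":
    tl = timeline(SAMPLE_LOG)
    for stem, rows in tl.items():
        for row in rows:
            print(stem, *row)
    print("served then missing:", served_then_missing(tl))
```

IIS writes W3C log timestamps in UTC by default, so convert local incident times before comparing them with the timeline.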
Current thread:
- Web Server Hacked Mike Smith (Jan 20)
- Re: Web Server Hacked Carlos Perez (Jan 20)
- Re: Web Server Hacked Ariany Mizrahi (Jan 20)
- Re: Web Server Hacked Timothy Ouellette (Jan 20)
- Re: Web Server Hacked Ariany Mizrahi (Jan 21)
- Re: Web Server Hacked Timothy Ouellette (Jan 20)
- <Possible follow-ups>
- Re: Web Server Hacked Ryan Sears (Jan 21)
- Re: Web Server Hacked Ben Jackson (Jan 21)