RE: IIS web server hacked..any tips?

["Christopher Day" <cday () asgardgroup com>]

Francesco,

There are many ways this server could have been comrpomised. You need to
provide significantly more information:

1. What ports on this server are exposed to the Internet? Are you sure
(i.e. check the firewall rules yourself or perform a port scan from the
outside)?
2. Have you retrieved the IIS logs? Can you post them or provide access
to them (sterilize your IP addresses, if you wish)?
3. What, if any, service packs and hot fixes have been applied?

Regards,

Chris

> -----Original Message-----
> From: Francesco [mailto:francesco () blackcoil com] 
> Sent: Wednesday, December 15, 2004 11:24 AM
> To: incidents () securityfocus com
> Subject: IIS web server hacked..any tips?
>
>
> I have a Windows 2003 Server running IIS 6, SQL Server 2000, 
> MailEnable, and ASP.NET 1.1.  WWW and FTP are enabled, but 
> restricted by IP.  FTP is additionally protected by authentication.
>
> Yesterday someone managed to access the server and dump 8GB 
> of DVD files into a deeply nested folder in a backup 
> directory, for sharing I presume.  The payload folder was NOT 
> within the available folders given access to FTP users.  
> Someone was able to "see" the entire D drive and figure out a 
> hidden enough location at their whimsy.
>
> I thought the server was fairly well locked down, but 
> apparently not. What is the usual method of intrusion for 
> "warez" attacks like these?
>
> Francesco