Security Incidents mailing list archives

RE: IIS web server hacked..any tips?


From: "Jim Tuttle" <jim.tuttle () wesd org>
Date: Wed, 15 Dec 2004 11:16:36 -0800

I would portscan the host. Find unusual ports that are open. Try to connect.
If you get a banner for an FTP server, try to find the executable or service
and shut it down. If they got in via your FTP service, that's the first
place I would look. If they didn't, then Id start with IIS.

Make sure your fully patched, even the IE vulns need patching on a server.

You can use tools like TCPview and Fport to find out which exe is opening
what port.


That's a least a start,

Jim Tuttle


-----Original Message-----
From: Francesco [mailto:francesco () blackcoil com] 
Sent: Wednesday, December 15, 2004 8:24 AM
To: incidents () securityfocus com
Subject: IIS web server hacked..any tips?

I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
and ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP is
additionally protected by authentication.

Yesterday someone managed to access the server and dump 8GB of DVD files
into a deeply nested folder in a backup directory, for sharing I
presume.  The payload folder was NOT within the available folders given
access to FTP users.  Someone was able to "see" the entire D drive and
figure out a hidden enough location at their whimsy.

I thought the server was fairly well locked down, but apparently not.
What is the usual method of intrusion for "warez" attacks like these?

Francesco



Current thread: