Security Incidents mailing list archives
Re: IIS web server hacked..any tips?
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Wed, 15 Dec 2004 16:17:08 -0800
These days I'm not sure IIS 6 is where I'd be looking ....but your logs will tell you that story... I'd start with a SQL server injection., but that's pure speculation. Get out the logs and read the tea leaves.
Asp.net has a needed vulnerability patch these days as well. Bottom line the rest are right... you can't trust that machine. Foresically examine it, figure out how they got in and flatten.
How hard and un-crackable were the passwords? These days with a badly written application, you don't need vulnerabilities. Susan Jim Tuttle wrote:
I would portscan the host. Find unusual ports that are open. Try to connect. If you get a banner for an FTP server, try to find the executable or service and shut it down. If they got in via your FTP service, that's the first place I would look. If they didn't, then Id start with IIS. Make sure your fully patched, even the IE vulns need patching on a server. You can use tools like TCPview and Fport to find out which exe is opening what port. That's a least a start, Jim Tuttle -----Original Message-----From: Francesco [mailto:francesco () blackcoil com] Sent: Wednesday, December 15, 2004 8:24 AMTo: incidents () securityfocus com Subject: IIS web server hacked..any tips? I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable, and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP is additionally protected by authentication. Yesterday someone managed to access the server and dump 8GB of DVD files into a deeply nested folder in a backup directory, for sharing I presume. The payload folder was NOT within the available folders given access to FTP users. Someone was able to "see" the entire D drive and figure out a hidden enough location at their whimsy. I thought the server was fairly well locked down, but apparently not. What is the usual method of intrusion for "warez" attacks like these? Francesco
--An open letter to Steve Ballmer:: http://msmvps.com/bradley/archive/2004/12/06/22637.aspx
Current thread:
- IIS web server hacked..any tips? Francesco (Dec 15)
- Re: IIS web server hacked..any tips? xyberpix (Dec 15)
- RE: IIS web server hacked..any tips? Curt Purdy (Dec 15)
- Re: IIS web server hacked..any tips? Sam Evans (Dec 15)
- RE: IIS web server hacked..any tips? Christopher Day (Dec 15)
- RE: IIS web server hacked..any tips? Jim Tuttle (Dec 15)
- Re: IIS web server hacked..any tips? Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Dec 16)
- Re: IIS web server hacked..any tips? Barrie Dempster (Dec 15)
- Re: IIS web server hacked..any tips? Tim Igoe (Dec 15)
- Re: IIS web server hacked..any tips? cta () hcsin net (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? Dave Dodge (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? K.M. Jeary (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? Ron (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- <Possible follow-ups>
- RE: IIS web server hacked..any tips? Gary Nichols (Dec 15)
- Re: IIS web server hacked..any tips? Roger McLaren (Dec 15)
(Thread continues...)