Security Incidents mailing list archives
RE: IIS web server hacked..any tips?
From: "Adrian Marsden" <amarsden () jvsdet org>
Date: Thu, 16 Dec 2004 07:44:46 -0500
Might I also suggest that since, to date, you do not know the attack vector and may not know it in the future if you are not sufficiently logging etc. that once the box is ready to come back up you turn on all logging to a remote and secure machine and implement or update IDS. I might even go as far as suggesting that you place a packet dump, (Ethereal), on a remote box to capture all traffic to and from the previously compromised machine. If you dont't and you haven't ascertained and mitigated the attack vector you'll be back next week with the same problem..... -----Original Message----- From: Roger McLaren [mailto:RMcLaren () vcss k12 ca us] Sent: Wed 12/15/2004 4:32 PM To: francesco () blackcoil com; incidents () securityfocus com Cc: Subject: Re: IIS web server hacked..any tips? Francesco, Any of the software you listed could be used to gain access to your server. Even the MailEnable software has had remotely exploitable buffer overflows. You did not mention software versions, or if the server was firewalled. If there is no firewall it could be a simple password guessing attack. The compromise of a windows account with admin rights or a SQL account with sufficient privilege would do it. If you have enabled auditing go over the logs carefully to look for any clues. Then wipe the machine and re-build it (or restore from a known clean backup) and make sure you change ALL the passwords - you never know what they did while they were there. Roger R. McLaren Systems Support Analyst Information Technology Services Ventura County Superintendent of Schools
"Francesco" <francesco () blackcoil com> 12/15/2004 8:23:40 AM >>>
I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable, and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP is additionally protected by authentication. Yesterday someone managed to access the server and dump 8GB of DVD files into a deeply nested folder in a backup directory, for sharing I presume. The payload folder was NOT within the available folders given access to FTP users. Someone was able to "see" the entire D drive and figure out a hidden enough location at their whimsy. I thought the server was fairly well locked down, but apparently not. What is the usual method of intrusion for "warez" attacks like these? Francesco
Current thread:
- Re: IIS web server hacked..any tips?, (continued)
- Re: IIS web server hacked..any tips? Barrie Dempster (Dec 15)
- Re: IIS web server hacked..any tips? Tim Igoe (Dec 15)
- Re: IIS web server hacked..any tips? cta () hcsin net (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? Dave Dodge (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? K.M. Jeary (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- Re: IIS web server hacked..any tips? Ron (Dec 16)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 16)
- RE: IIS web server hacked..any tips? Gary Nichols (Dec 15)
- Re: IIS web server hacked..any tips? Roger McLaren (Dec 15)
- RE: IIS web server hacked..any tips? Adrian Marsden (Dec 16)
- RE: IIS web server hacked..any tips? Richard . Grant (Dec 16)
- RE: IIS web server hacked..any tips? David LeBlanc (Dec 17)
- Re: IIS web server hacked..any tips? Valdis . Kletnieks (Dec 17)