Security Incidents mailing list archives
RE: IIS web server hacked..any tips?
From: Richard.Grant () ky gov
Date: Thu, 16 Dec 2004 11:04:34 -0500
Francesco,

I have dealt with several warez-compromised servers and I am aware of others. The methods of compromise have more commonly been the services and applications you have listed on your server. The most common of them has been FTP. FTP has been the most common method of populating a warez site as well. The least obvious attack vector has been through compromised workstations by way of open shares. Recent warez compromises have used IRC/ICQ covert channels to populate compromised servers. Much of what they do, and how they do it, is deliberately hidden from Windows operating systems. Some of the hidden activities can be discovered using forensic analysis of the server. This can be accomplished with software such as Guidance's EnCase.

What we have seen is that a machine is compromised and is left for a period of time to see if that activity is discovered, and is later populated as a backup server. The backup warez server is used when something happens to their primary site, or they switch periodically; we are not sure when and under what conditions they activate the warez site. Because you will probably never know the full extent of the compromise of the server, it is always advisable to rebuild the server.

A point I would like to make is that we have learned not to be hasty in removing the site from the server. They are not interested in harming your server, just in using your resources. I am aware of an incident where the owners of a compromised server were hasty and shut the site down as soon as the infection was discovered. When the admins shut down the site, the intruders attacked that network with a brute-force password-cracking attack. They knew all of the user accounts with administrative access and were disabling these accounts with excessive logon attempts. Fending off that attack tied up a large amount of resources for several days. These warez sites can be very sophisticated operations with built-in defenses.

You need to move against them cautiously. What we now recommend is:

- Log all activity to and from the server for a period of time that you are comfortable with.
- Sniff the traffic to and from the server, if possible. The goal is to identify the IP addresses of the probable attackers.
- Once you have gathered enough information, block the IP addresses of the probable intruders.
- Rebuild the server.
- Give it a new machine name and a different IP address.

A strong recommendation is not to put IIS and FTP on the same server if possible.

Hope this info is helpful! I would like to see more discussion on this subject.

-----Original Message-----
From: Francesco [mailto:francesco () blackcoil com]
Sent: Wednesday, December 15, 2004 11:24 AM
To: incidents () securityfocus com
Subject: IIS web server hacked..any tips?

I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable, and ASP.NET 1.1. WWW and FTP are enabled, but restricted by IP. FTP is additionally protected by authentication. Yesterday someone managed to access the server and dump 8GB of DVD files into a deeply nested folder in a backup directory, for sharing I presume. The payload folder was NOT within the available folders given access to FTP users. Someone was able to "see" the entire D drive and figure out a hidden enough location at their whimsy. I thought the server was fairly well locked down, but apparently not. What is the usual method of intrusion for "warez" attacks like these?

Francesco
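Log review for the "identify the IP addresses of the probable attackers" step, as an added Python example that is not from the original post or either poster's server: it parses constructed IIS 6-style W3C FTP log lines and flags client addresses that logged on from outside the FTP allow list, pushed an unusual volume of uploads, or wrote into deeply nested directories. The exact log field layout (notably cs-bytes), the thresholds, and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample in the IIS 6 W3C FTP log layout; the field set (notably
# cs-bytes) is an assumption, not the original poster's server configuration.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs-bytes
2004-12-14 09:10:02 10.0.0.5 backupsvc [1]PASS - 230 0
2004-12-14 09:10:30 10.0.0.5 backupsvc [1]created /backup/db/nightly.bak 226 52428800
2004-12-14 22:41:08 203.0.113.77 backupsvc [2]PASS - 230 0
2004-12-14 22:42:10 203.0.113.77 backupsvc [2]created /backup/old/.tmp/_/dvd/vol1/disc1.iso 226 8589934592
"""
@dataclass
class IpActivity:
    logons: int = 0    # successful PASS (230) responses from this address
    bytes_in: int = 0  # cs-bytes summed over "created" (upload) operations
    deepest: int = 0   # deepest directory level this address wrote to
def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))
def summarize(text):
    """Aggregate successful logons and uploads per client IP."""
    acts = defaultdict(IpActivity)
    for rec in parse_w3c(text):
        a = acts[rec["c-ip"]]
        op = rec["cs-method"].split("]")[-1]  # "[2]created" -> "created"
        if op == "PASS" and rec["sc-status"] == "230":
            a.logons += 1
        elif op == "created":
            a.bytes_in += int(rec["cs-bytes"])
            a.deepest = max(a.deepest, rec["cs-uri-stem"].count("/"))
    return acts
def probable_intruders(text, allowed_ips, max_depth=4, min_bytes=1 << 30):
    """Return {ip: [reasons]} for addresses to block and investigate first."""
    flagged = {}
    for ip, a in summarize(text).items():
        reasons = []
        if a.logons and ip not in allowed_ips:
            reasons.append("logon from an address outside the FTP allow list")
        if a.bytes_in >= min_bytes:
            reasons.append(f"{a.bytes_in / 2**30:.1f} GiB uploaded")
        if a.deepest > max_depth:
            reasons.append(f"wrote {a.deepest} directory levels deep")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Run it over the real log directory once logging has been left on for the agreed period; the flagged addresses are the block list, and the unflagged-but-unknown addresses are the ones to keep sniffing.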