Security Incidents mailing list archives

RE: IIS web server hacked..any tips?


From: "David LeBlanc" <dleblanc () exchange microsoft com>
Date: Thu, 16 Dec 2004 17:47:51 -0800

If you have a lot of knowledge, and some time on your hands, it is
possible to boot a Windows system (boot.ini flag) such that it can be
debugged across a serial cable. This may be an interesting thing from a
honeypot POV.

So you'd set the switch, boot the system, wait until you want to
snapshot it, and then use the debugger to look at anything in memory you
like. Windbg will do this, and I think SoftIce does, too. The owned
system is defenseless against an external kernel debugger.

BTW, in response to the original mail, if I were reasonably sure the
system was up to date on patches (and there hasn't been an IIS 6.0 issue
in a while, so this is likely), then I would start looking at other
things. For example, is NetBT bound to the external interface? If so,
how strong (really) are the passwords? Feed the password hashes to a
cracker, and see. If you think that one is tampered with (fair bet), try
one of the ones built by the same people.

Next, look at the web app - did someone do something like put SQL
injection in an app running as sa? What entry points were really
available to the attackers? What if they managed to get behind the
firewall?

Hope this helps...

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 

[snip]

(If you're *really* tech-savvy, and the suspect machine has an ieee1394
port, you can have your cake and eat it too - use a "field-modified"
iPod to collect the evidence nice and fast without the hacker's
knowledge, and THEN pull the plug and proceed with the forensics. ;)
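As an added illustration of David's first question above ("is NetBT bound to the external interface?"), the following PowerShell triage script is not from the thread; it uses WMI to list every IP-enabled adapter with its NetBIOS-over-TCP/IP setting, treats an adapter that has a default gateway as the likely external one, and then lists what is actually listening on the NetBIOS/SMB ports. It assumes a Windows host where `Get-CimInstance` and `Get-NetTCPConnection` are available.

```powershell
# Added example, not part of the original mailing-list post.
# Assumes WMI/CIM access; adapter descriptions are whatever the host reports.

# TcpipNetbiosOptions values on Win32_NetworkAdapterConfiguration.
$netbtState = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled }

$report = foreach ($cfg in $adapters) {
    $opt = [int]$cfg.TcpipNetbiosOptions
    # Heuristic: an adapter with a default gateway is probably the externally
    # reachable interface; NetBT bound there is what the review should catch.
    $hasGateway = ($null -ne $cfg.DefaultIPGateway -and $cfg.DefaultIPGateway.Count -gt 0)

    [pscustomobject]@{
        Adapter    = $cfg.Description
        Addresses  = ($cfg.IPAddress -join ', ')
        NetBT      = $netbtState[$opt]
        HasGateway = $hasGateway
        # Flag anything external-facing where NetBT is not explicitly disabled.
        Finding    = if ($hasGateway -and $opt -ne 2) { 'REVIEW: NetBT reachable from outside' } else { 'ok' }
    }
}

$report | Format-Table -AutoSize

# Confirm with the socket table: are the NetBIOS session / SMB ports listening,
# and on which local addresses (0.0.0.0 means every interface)?
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

If the external adapter shows NetBT enabled and port 139 or 445 is bound to 0.0.0.0, the password-strength question David raises next becomes the priority, since those services are what an outsider would have been talking to.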

