PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Web Server Hacked

From: Ryan Sears <rdsears () mtu edu>
Date: Fri, 21 Jan 2011 01:06:01 -0500 (EST)
Hey guys,

Perhaps it was something on top of dotnetnuke? There have been quite a few bugs posted in their security bulletins 
(http://www.dotnetnuke.com/News/SecurityPolicy/tabid/940/Default.aspx - at the bottom) as well as securityfocus (I 
believe - too many seclists to keep them all straight :-P). 

Just a thought! I'm curious as to how the initial compromise happened as well. Would you be willing to share the files 
used in the compromise? The community may be able to trace its origins, and potentially shut down a malicious C&C node 
for other compromised websites (as I have done in the past), or possibly trace it to a trend of malware, or the initial 
vector so you can patch/remediate it.

Regards,
Ryan Sears

----- Original Message -----
From: "Timothy Ouellette" <touellette83 () gmail com>
To: "PaulDotCom Security Weekly Mailing List" <pauldotcom () mail pauldotcom com>
Sent: Thursday, January 20, 2011 11:39:16 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Pauldotcom] Web Server Hacked

I'm more interested in the attack vector than the actual hack... anyone know how the files actually got replaced? Any 
chance your both running the same version of IIS or Apache? Or possibly similar ports available on webservers etc..
  ----- Original Message ----- 
  From: Ariany Mizrahi 
  To: PaulDotCom Security Weekly Mailing List 
  Sent: Thursday, January 20, 2011 7:46 PM
  Subject: Re: [Pauldotcom] Web Server Hacked


  We actually just had one of our web servers hacked yesterday around 6:50am.  index.asp was replaced.



  Cheers,

  Ari
  http://www.securityoverflow.net



  On Thu, Jan 20, 2011 at 6:53 PM, Mike Smith <ranger.rkm () gmail com> wrote:

    Hello,

    I would like to know if anyone  has had a web server attacked using these files.

    1) default.asp
    2) index.asp
    3) main.asp
    4)shell.asp

    I have file 1,2,3, but not 4, I do not know if it was successfully uploaded, then deleted.

    Thanks,

    Mike

    _______________________________________________
    Pauldotcom mailing list
    Pauldotcom () mail pauldotcom com
    http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
    Main Web Site: http://pauldotcom.com





------------------------------------------------------------------------------


  _______________________________________________
  Pauldotcom mailing list
  Pauldotcom () mail pauldotcom com
  http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
  Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: