Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IIS web server hacked..any tips?

from [Adrian Marsden] Network Security [Permanent Link]
Subject: RE: IIS web server hacked..any tips?
Date: Thu, 16 Dec 2004 07:44:46 -0500 
Might I also suggest that since, to date, you do not know the attack vector and 
may not know it in the future if you are not sufficiently logging etc. that 
once the box is ready to come back up you turn on all logging to a remote and 
secure machine and implement or update IDS. I might even go as far as 
suggesting that you place a packet dump, (Ethereal), on a remote box to capture 
all traffic to and from the previously compromised machine.

If you dont't and you haven't ascertained and mitigated the attack vector 
you'll be back next week with the same problem.....


-----Original Message-----
From:   Roger McLaren [mailto:RMcLaren@vcss.k12.ca.us]
Sent:   Wed 12/15/2004 4:32 PM
To:     francesco@blackcoil.com; incidents@securityfocus.com
Cc:     
Subject:        Re: IIS web server hacked..any tips?
Francesco,

Any of the software you listed could be used to gain access to your
server.  Even the MailEnable software has had remotely exploitable
buffer overflows. You did not mention software versions, or if the
server was firewalled. If there is no firewall it could be a simple
password guessing attack. The compromise of a windows account with admin
rights or a SQL account with sufficient privilege would do it.

If you have enabled auditing go over the logs carefully to look for any
clues. Then wipe the machine and re-build it (or restore from a known
clean backup) and make sure you change ALL the passwords - you never
know what they did while they were there.

Roger R. McLaren
Systems Support Analyst
Information Technology Services
Ventura County Superintendent of Schools 


"Francesco" <francesco@blackcoil.com> 12/15/2004 8:23:40 AM >>>

I have a Windows 2003 Server running IIS 6, SQL Server 2000,
MailEnable,
and ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP
is
additionally protected by authentication.

Yesterday someone managed to access the server and dump 8GB of DVD
files
into a deeply nested folder in a backup directory, for sharing I
presume.  The payload folder was NOT within the available folders
given
access to FTP users.  Someone was able to "see" the entire D drive and
figure out a hidden enough location at their whimsy.

I thought the server was fairly well locked down, but apparently not.
What is the usual method of intrusion for "warez" attacks like these?

Francesco
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IIS web server hacked..any tips?, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Next by Date:  Re: IIS web server hacked..any tips?, cta@hcsin.net
Previous by Thread:  Re: IIS web server hacked..any tips?, Roger McLaren
Next by Thread:  RE: IIS web server hacked..any tips?, Richard . Grant
Indexes:  [Date] [Thread] [Top] [All Lists]