Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IIS web server hacked..any tips?

from [cta@hcsin.net] Network Security [Permanent Link]
Subject: Re: IIS web server hacked..any tips?
Date: Wed, 15 Dec 2004 19:44:34 -0500 
On 15 Dec 2004 at 8:23, Francesco wrote:


I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
and ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP is
additionally protected by authentication.

Yesterday someone managed to access the server and dump 8GB of DVD files
into a deeply nested folder in a backup directory, for sharing I
presume.  The payload folder was NOT within the available folders given
access to FTP users.  Someone was able to "see" the entire D drive and
figure out a hidden enough location at their whimsy.

I thought the server was fairly well locked down, but apparently not.
What is the usual method of intrusion for "warez" attacks like these?

Francesco


<<<
Just to add some sage advice? if you really want to ensure that the 
contents of a suspected compromised machine's virtual memory, as well as 
its hard drive are intact then I would NOT "pull the plug" i.e., 
disconnect from network. An attacker with half a brain can easily load a 
watchdog program that automatically erases memory, files reconfigures 
wini, and puts the machine back into a unsuspicious state if it detects 
that the it has lost its network connection, or someone has executed the 
shutdown cmd. In other words cover ones tracks. For non-critical cases 
(that is were the risk to confidentiality, integrity and availability of 
the data contained in the hard drive is acceptable), the first thing I 
would do in this scenario is to quietly connect a snoop machine (laptop) 
to the LAN segment and start sniffing for packets. If no traffic is coming 
from the suspect machine, then try getting in the front door, but keep an 
eye on the back door for egress packets. In some cases I have been able to 
track packets (honey I'm home!, or here the data you wanted!) back to the 
attackers collection nest. 

-



--
****************************************************
Bernie / cta@hcsin.net
Chief Technology Architect / Chief Security Officer
Euclidean Systems
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IIS web server hacked..any tips?, Adrian Marsden
Next by Date:  RE: IIS web server hacked..any tips?, Richard . Grant
Previous by Thread:  Re: IIS web server hacked..any tips?, Tim Igoe
Next by Thread:  Re: IIS web server hacked..any tips?, Valdis . Kletnieks
Indexes:  [Date] [Thread] [Top] [All Lists]