Network Security Incidents

RE: IIS web server hacked..any tips?

Subject: RE: IIS web server hacked..any tips?
Date: Thu, 16 Dec 2004 11:04:34 -0500
Francesco, I have dealt with several warez compromised servers and I am
aware of others. The methods of compromise have been more commonly the
services and applications you have listed on your server. The most common of
them has been FTP. FTP has been the most common method of populating a warez
site as well. The least obvious attack vector has been through compromised
workstations by way of open shares. Recent warez compromises have used
IRC/ICQ covert channels to populate compromised servers. 

Much of what and how they do what they do is deliberately hidden from
Windows operating systems. Some of the hidden activities can be discovered
using forensic analysis of the server. This can be accomplished with
software such as Guidance's Encase. What we have seen is that a machine is
compromised and is left for a period of time to see if that activity is
discovered and is later populated as a backup server. The backup warez
server is used when something happens to their primary site or they switch
periodically; we are not sure when and under what conditions they activate
the warez site.  Due to the fact that you probably will never know the full
extent of the compromise of the server it is always advisable to rebuild the
server. 

A point I would like to make is that we have learned not to be hasty in
removing the site from the server. They are not interested in harming your
server, just using your resources. I am aware of an incident where the owners
of a compromised server were hasty and shut the site down as soon as the
infection was discovered. When the admins shut down the site the intruders
attacked that network with a brute-force password cracking attack. They knew
all of the user accounts with administrative access and were disabling these
accounts with excessive logon attempts. Fending off that attack tied up a
large amount of resources for several days. These warez sites can be very
sophisticated operations with built-in defenses. You need to move against
them cautiously.

What we now recommend is:
        Log all activity to and from the server for a period of time that
you are comfortable with.
        Sniff the traffic to and from the server, if possible. The goal is
to identify the IP addresses of the probable attackers.

Once you have gathered enough information:
        Block the IP addresses of the probable intruders
        Rebuild the server
        Give it a new machine name and a different IP address
A strong recommendation is not to put IIS and FTP on the same server if
possible.

Hope this info is helpful!

I would like to see more discussion on this subject.

-----Original Message-----
From: Francesco [mailto:francesco@blackcoil.com] 
Sent: Wednesday, December 15, 2004 11:24 AM
To: incidents@securityfocus.com
Subject: IIS web server hacked..any tips?


I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable, and
ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP is
additionally protected by authentication.

Yesterday someone managed to access the server and dump 8GB of DVD files
into a deeply nested folder in a backup directory, for sharing I presume.
The payload folder was NOT within the available folders given access to FTP
users.  Someone was able to "see" the entire D drive and figure out a hidden
enough location at their whimsy.

I thought the server was fairly well locked down, but apparently not. What
is the usual method of intrusion for "warez" attacks like these?

Francesco
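An added example (not from either poster) of the reply's first recommendation, logging FTP activity to identify the IPs of probable intruders, applied to Francesco's symptom of uploads landing outside the directories FTP users are given. It parses W3C extended log lines, reading the column layout from the #Fields header; the sample log lines, the allowed root, and the upload verb tokens are constructed assumptions.

```python
"""Triage constructed W3C-extended FTP log lines: which client IPs uploaded
files to paths outside the directories FTP users are allowed to use?"""
import posixpath
from collections import defaultdict

# Constructed sample log. The #Fields header drives parsing, so a real file
# with a different column order is handled the same way.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs-bytes
2004-12-14 22:01:13 203.0.113.7 ftpuser [1]USER /pub 331 -
2004-12-14 22:01:14 203.0.113.7 ftpuser [1]PASS - 230 -
2004-12-14 22:03:40 203.0.113.7 ftpuser [1]created /pub/readme.txt 226 512
2004-12-14 23:10:02 198.51.100.9 ftpuser [2]created /backup/old/x/y/z/vts_01_1.vob 226 1073741824
2004-12-14 23:15:44 198.51.100.9 ftpuser [2]created /backup/old/x/y/z/vts_01_2.vob 226 1073741824
2004-12-15 00:02:10 192.0.2.33 ftpuser [3]sent /pub/readme.txt 226 -
"""

ALLOWED_ROOTS = ("/pub",)           # assumption: the only directory FTP users should touch
WRITE_VERBS = ("created", "PUT")    # assumption: method tokens that denote an upload


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def outside_allowed(uri, roots=ALLOWED_ROOTS):
    """True if the normalised path is not under any permitted root.
    '..' segments are collapsed first, so /pub/../backup is caught too."""
    path = posixpath.normpath(uri.replace("\\", "/"))
    return not any(path == r or path.startswith(r + "/") for r in roots)


def suspect_writers(text, roots=ALLOWED_ROOTS):
    """Map client IP -> (uploads outside the roots, bytes uploaded there)."""
    hits = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        verb = rec["cs-method"].split("]")[-1]      # strip the "[n]" session prefix
        if verb in WRITE_VERBS and outside_allowed(rec["cs-uri-stem"], roots):
            size = rec.get("cs-bytes", "-")
            hits[rec["c-ip"]][0] += 1
            hits[rec["c-ip"]][1] += int(size) if size.isdigit() else 0
    return {ip: tuple(v) for ip, v in hits.items()}


if __name__ == "__main__":
    for ip, (n, nbytes) in sorted(suspect_writers(SAMPLE_LOG).items()):
        print(f"{ip}: {n} uploads outside allowed roots, {nbytes} bytes")
```

The IPs this reports are candidates for the blocking step; they still need corroboration from the packet capture the reply also recommends, since FTP is cleartext and the logs themselves live on the compromised host.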
