Security Basics mailing list archives

re: got hit with iiscrack, trying to learn how it was done


From: H C <keydet89 () yahoo com>
Date: Fri, 8 Nov 2002 04:19:05 -0800 (PST)

Jeff,

how did the cmd file get there in the first place,
and how was it executed?

Did you happen to check your IIS logs?  I've looked
again, and there isn't anyplace in your post where you
mention doing this?  It's kind of late now, but if I
were you, I would have preserved the MAC times on the
CMD file, and then compared that to the IIS logs of
about the same date.

b) i think that the iis priv escalation vuln is what
allows the iiscrack.dll/httpodbc.dll backdoor to do
its stuff (control the pc) but is that vuln also the
hole that allowed the hacker to get that cmd file on
there, which in turn started the ftp session?  I am
definitely missing something here!

Maybe just your IIS logs.

Regarding your anti-virus question...who knows?  You
really haven't provided complete information in your
post, and any answers you receive will most likely be
speculation.  

I'd suggest to you that some training might be
appropriate:

http://www.megamind.org/TRAIN/forwin2000.html

If the dates and locations of the listed training
aren't convenient, let me know.

HTH
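
The comparison suggested in the message above (a file's MAC times against IIS log entries from about the same time), as an added example that is not part of the original post. It assumes the logs are in W3C Extended format, which IIS writes in UTC; the function names, the sample log and the sample timestamp are constructed for illustration.

```python
import os
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C Extended format (times are UTC); not data from the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Date: 2002-11-01 00:00:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:10:02 192.0.2.10 GET /default.htm 200
09:14:40 198.51.100.7 GET /scripts/placeholder.dll 200
09:15:05 198.51.100.7 GET /scripts/placeholder.dll 200
17:45:00 192.0.2.10 GET /images/logo.gif 304
"""

def mac_times(path):
    """Read a file's timestamps as UTC; os.stat does not open the file or update them."""
    st = os.stat(path)
    pairs = (("modified", st.st_mtime), ("accessed", st.st_atime),
             ("created_or_changed", st.st_ctime))  # creation time on Windows
    return {name: datetime.fromtimestamp(t, timezone.utc) for name, t in pairs}

def parse_w3c(text):
    """Yield (utc_datetime, record) per entry, following #Fields and falling back to #Date."""
    fields, day = [], None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#Date:"):
            day = line.split()[1]          # used when the date field was not logged
        elif line.strip() and not line.startswith("#") and "time" in fields:
            rec = dict(zip(fields, line.split()))
            date = rec.get("date", day)
            if date:
                ts = datetime.strptime(date + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
                yield ts.replace(tzinfo=timezone.utc), rec

def requests_near(log_text, stamps, window=timedelta(minutes=5)):
    """Return (stamp_name, log_time, record) for each request within `window` of a stamp."""
    return [(name, ts, rec)
            for ts, rec in parse_w3c(log_text)
            for name, when in stamps.items()
            if abs(ts - when) <= window]

if __name__ == "__main__":
    # Constructed stand-in for the CMD file's recorded modification time, already in UTC.
    stamps = {"modified": datetime(2002, 11, 1, 9, 15, 30, tzinfo=timezone.utc)}
    for name, ts, rec in requests_near(SAMPLE_LOG, stamps):
        print(name, ts.isoformat(), rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"])
```

On a live system, pass `mac_times(path)` as `stamps` and record its output before opening or copying the file, since reading the file can change its access time.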

 


