Re: IIS web server hacked..any tips?

[xyberpix <xyberpix () xyberpix com>]

Hi Francesco,

Firstly I would get the server off the network, litterally pull the plug
on the network cable. Then dig through logs, etc, and try and find out
how they got in, hopefully you had really good logging set up on this
machine, so you should be able to get a fair idea of how they got in.
I would personally say that I re-install is your best way around this,
as you have no idea how many backdoors have been installed on your
server, or what else for that matter.
I hope that the DVD's were at least one's that you hadn't seen?

xyberpix


On Wed, 2004-12-15 at 08:23 -0800, Francesco wrote:
> I have a Windows 2003 Server running IIS 6, SQL Server 2000, MailEnable,
> and ASP.NET 1.1.  WWW and FTP are enabled, but restricted by IP.  FTP is
> additionally protected by authentication.
>
> Yesterday someone managed to access the server and dump 8GB of DVD files
> into a deeply nested folder in a backup directory, for sharing I
> presume.  The payload folder was NOT within the available folders given
> access to FTP users.  Someone was able to "see" the entire D drive and
> figure out a hidden enough location at their whimsy.
>
> I thought the server was fairly well locked down, but apparently not.
> What is the usual method of intrusion for "warez" attacks like these?
>
> Francesco
-- 
For Security and Open Source news and tips visit:

http://www.xyberpix.com

Attachment: signature.asc
Description: This is a digitally signed message part