Re: IIS Hack : Anyone explain cause...

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/22/04


Date: Wed, 21 Jul 2004 22:13:38 -0700

If you never secured the server and now wonder why it was hacked -- I hope
you realize that it is an absolute waste of time to figure out now. If you
want digital forensics expertise, you probably should pay someone. Of the
missing patches, several allowed remote code execution with elevated
privileges -- any one of which could be trivially used to run simple
commands and commandeer your server. You do not need an IIS vulnerability
to deface a website -- any remotely exploitable vulnerability which offers
privileges will suffice.

Thus, the only thing that is worth anyone's time is if you said that your
server is fully patched and locked down but STILL you get hacked -- that may
be interesting -- maybe it was weak security on your part, maybe it's a new
vulnerability -- we'd probably investigate. Anything else is clearly a
waste of everyone's time because you fail to illustrate that you were
attacked by something unknown.

The proper solution to a hacked box is to flatten it immediately,
re-install, and make sure to secure it per the basic tools that John gave --
MBSA, IIS Lockdown tool. Hacking IIS usually means that the user ran as
LocalSystem at some point, and they could have done ANYTHING to the
machine -- like plant a backdoor -- and you won't be able to detect it
(there are rootkits out there which do a good job intercepting system calls
such that you see what you want -- but it's not the real thing).

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Team Macromedia" <nospam@nospam.com> wrote in message
news:uvyhAi0bEHA.1356@TK2MSFTNGP09.phx.gbl...
Hey All,
We recently had one of our IIS servers hacked (not a mission-critical
server, so we were not too bothered) in which the default document of one
of the sites was either hacked or replaced with a file stating the following
: "SORRY ADMIN SPYKIDS OWNZ YOUR WINDOWS f*** you USA irc.brasnet.org
//j #SPY by guns_1 guns_1@linuxmail.org".
From a Google search it seems that this guy/unit has performed hacks
like these on other sites but I was wondering what and how it was
possible.... more of an explanation of how it was done and what we could do
to prevent it (patching is obviously a solution but the actual cause of the
hack is what I am after). I did an audit of the machine and noticed that
all that was changed was the default.htm content (or it could have been
replaced) and the default.htm was the first in the list of Documents -
which it wasn't before...
NOTE: We were missing the following patches (not now!) :
KB823353
KB831167
KB870669
KB840315
KB842526
KB841873
KB841872
KB839643
KB839645
KB837001
KB832483
I can't see from the list above which, if any, of these patches would
prevent such an attack on the sites. I also noticed that for some ISAPI
we had (all) in the verbs list, which has now been corrected. URLScan
and IIS Lockdown have not been run on the machine in question but the
majority of the standard security checklists have been applied, such as
those for .htr and parent paths...
Anyone know how or why a hack like this was possible?
Thanks
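The audit described in the original post (noticing that only default.htm had changed) and David's caveat that a rooted box can lie about its own state both point to the same defensive control: a hash manifest of the web root, captured from a known-good install and stored off the host, that is compared against the current tree from trusted media. The following is an added example and not code from either poster; the manifest format, the sample files and the "defacement" it simulates are all constructed for illustration.

```python
"""Offline web-root integrity check (added example, not from the thread).

Build a SHA-256 manifest of a known-good web root, keep it off-host, and later
diff it against the live tree to list added, removed and modified files. A
rewritten default document shows up as 'modified'; a dropped file as 'added'.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests; results are sorted so reports are stable."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            p for p in base_keys & cur_keys if baseline[p] != current[p]
        ),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: baseline a tiny web root, then simulate a defacement.

    The file names and contents here are made up for the example; in practice
    the baseline is taken at deploy time and the comparison is run from
    trusted media rather than with the suspect host's own tools.
    """
    with tempfile.TemporaryDirectory() as root:
        _write(root, "default.htm", b"<html><body>Welcome</body></html>")
        _write(root, "images/logo.gif", b"GIF89a constructed placeholder")
        baseline = build_manifest(root)  # would normally be stored off-host

        # Simulated defacement: the default document is rewritten and an
        # extra file appears; the original logo is left untouched.
        _write(root, "default.htm", b"<html><body>defaced</body></html>")
        _write(root, "extra.txt", b"constructed new file")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

File hashes cover the defaced page but not the second change the poster noticed, the reordered default-document list, which lives in the IIS configuration rather than on disk; that needs its own exported baseline. Either comparison is only meaningful if the baseline was taken before the incident and kept where the compromised host could not alter it.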

