Re: IIS Hack : Anyone explain cause...
From: Team Macromedia (nospam_at_nospam.com)
Date: 07/23/04
- Next message: T. Watson: "Re: Mail stuck in queue folder"
- Previous message: Kristofer Gafvert: "Re: Mail stuck in queue folder"
- In reply to: David Wang [Msft]: "Re: IIS Hack : Anyone explain cause..."
- Next in thread: David Wang [Msft]: "Re: IIS Hack : Anyone explain cause..."
- Reply: David Wang [Msft]: "Re: IIS Hack : Anyone explain cause..."
- Reply: Paul Lynch: "Re: IIS Hack : Anyone explain cause..."
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 23 Jul 2004 20:10:10 +0100
Thanks David,
But as noted it was a NIMDA virus on the machine which caused the
problem... I do however disagree about the whole "if you're patched you're
protected" rant, as we all know that IIS and indeed lots of software has
problems - IIS more than anything else has been plagued with errors and
bugs... this is why a whole host of patches have recently been released,
and with one on the way next week it does make you wonder how secure is
secure... maybe switching it off is the safest bet?
I am confident that all that affected the machine was the NIMDA and it's
now clean...
We were lucky this time, the virus was non-destructive and our global
forensics team is on the case, but it was our fault for not a) running
up-to-date virus scanning and b) being fully patched... but like all
patches, they are always released after the loophole has been exploited...
David Wang [Msft] wrote:
> If you never secured the server and now wonder why it was hacked -- I hope
> you realize that it is an absolute waste of time to figure out now. If you
> want digital forensics expertise, you probably should pay someone. Of the
> missing patches, several allowed remote code execution with elevated
> privileges -- any one of which could be trivially used to run simple
> commands and commandeer your server. You do not need an IIS vulnerability
> to deface a website -- any remotely exploitable vulnerability which offers
> privileges will suffice.
>
> Thus, the only thing that is worth anyone's time is if you said that your
> server is fully patched and locked down but STILL you get hacked -- that may
> be interesting -- maybe it was weak security on your part, maybe it's a new
> vulnerability -- we'd probably investigate. Anything else is clearly a
> waste of everyone's time because you fail to illustrate that you were
> attacked by something unknown.
>
> The proper solution to a hacked box is to flatten it immediately,
> re-install, and make sure to secure it per the basic tools that John gave --
> MBSA, IIS Lockdown tool. Hacking IIS usually means that the user ran as
> LocalSystem at some point, and they could have done ANYTHING to the
> machine -- like plant a backdoor -- and you won't be able to detect it
> (there are rootkits out there which do a good job intercepting system calls
> such that you see what you want -- but it's not the real thing).
>