Re: IIS Hack : Anyone explain cause...
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/24/04
- Next message: Jmac: "IIS 6.0 logging to oracle"
- Previous message: Alan: "weird ftp problem"
- In reply to: Team Macromedia: "Re: IIS Hack : Anyone explain cause..."
- Next in thread: Team Macromedia: "Re: IIS Hack : Anyone explain cause..."
- Reply: Team Macromedia: "Re: IIS Hack : Anyone explain cause..."
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 23 Jul 2004 18:21:32 -0700
Personally, once a machine has been infected by Nimda, anyone could have
been running on the box as administrator and done anything, including
installing rootkits, keyboard sniffers, etc. It really does not matter if
it looks like you cleaned up the server -- if you care about security, you
would flatten and rebuild this server immediately since it has been
compromised. Otherwise, please do not come crying a month later saying that
some rootkit installed on this machine sniffed your administrator password
and someone broke into some OTHER server that you DO care about -- if you
even find out about this in a month.
Now, I have some counterpoint to your assessment of security.
> to date virus scanning and b) being fully patched....but like all
> patches..they are always released after the loophole has been exploited...
Not true. Microsoft tries and mostly succeeds to release patches PRIOR to
exploitation. All the famous worms had proper patches released
weeks/months/years prior to exploitation. The problem tends to be that
users install the patches FAR later -- thus it only seems like patches are
released after being exploited. We realize that there is often a legitimate
reason for the lag, so we will work hard to fix this issue. Of course, it is
currently an arms race between hackers and software vendors on who wins an
in-the-wild exploit, but people have to realize that software security is
not just about software.
> problem....I do however disagree about the whole if you're patched you're
> protected rant as we all know that IIS and indeed lots of software has
> problems - IIS more than anything else has been plagued with errors and
> bugs...
I am not denying that prior to IIS6, IIS had a lot of bugs which made
server maintenance a challenge, but people have certainly been able to run
IIS5 successfully in large numbers.
> this is why a whole host of patches have recently been released
> and with one on the way next week it does make you wonder how secure is
> secure......maybe switching it off is the safest bet....?
Fact is, all software has errors and bugs; servers that face the Internet
have a special requirement in that errors can be remotely exploited and thus
patches are required. No software is immune.
Sure, you can try and run Apache with your current standards -- and I'll bet
that you will get hacked twice as fast since Apache is the most hacked and
defaced server on the Internet and requires even more patches.
Security depends on proper software, proper configuration, and proper
education. The perfect software, if misconfigured, can be exploited. Even
if you had perfect software AND it was perfectly configured, if someone
leaves the door open to the server closet and tapes the administrator
password on the monitor, it can also be exploited... so do not just focus on
the software. Configuration (like patch application) and education are just
as important to maintaining security, and the user/customer is responsible
for doing this.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Team Macromedia" <nospam@nospam.com> wrote in message
news:%23nEYqiOcEHA.2520@TK2MSFTNGP12.phx.gbl...
> Thanks David,
>
> But as noted it was a NIMDA virus on the machine which caused the
> problem....I do however disagree about the whole if you're patched you're
> protected rant as we all know that IIS and indeed lots of software has
> problems - IIS more than anything else has been plagued with errors and
> bugs...this is why a whole host of patches have recently been released
> and with one on the way next week it does make you wonder how secure is
> secure......maybe switching it off is the safest bet....?
>
> I am confident that all that affected the machine was the NIMDA and it's
> now clean....
>
> We were lucky this time, the virus was non-destructive and our global
> forensics team is on the case but it was our fault for not running a) up
> to date virus scanning and b) being fully patched....but like all
> patches..they are always released after the loophole has been exploited...
>
> David Wang [Msft] wrote:
> > If you never secured the server and now wonder why it was hacked -- I hope
> > you realize that it is an absolute waste of time to figure out now. If you
> > want digital forensics expertise, you probably should pay someone. Of the
> > missing patches, several allowed remote code execution with elevated
> > privileges -- any one of which could be trivially used to run simple
> > commands and commandeer your server. You do not need an IIS vulnerability
> > to deface a website -- any remotely exploitable vulnerability which offers
> > privileges will suffice.
> >
> > Thus, the only thing that is worth anyone's time is if you said that your
> > server is fully patched and locked down but STILL you get hacked -- that may
> > be interesting -- maybe it was weak security on your part, maybe it's a new
> > vulnerability -- we'd probably investigate. Anything else is clearly a
> > waste of everyone's time because you fail to illustrate that you were
> > attacked by something unknown.
> >
> > The proper solution to a hacked box is to flatten it immediately,
> > re-install, and make sure to secure it per the basic tools that John gave --
> > MBSA, IIS Lockdown tool. Hacking IIS usually means that the user ran as
> > LocalSystem at some point, and they could have done ANYTHING to the
> > machine -- like plant a backdoor -- and you won't be able to detect it
> > (there are rootkits out there which do a good job intercepting system calls
> > such that you see what you want -- but it's not the real thing).
> >