Re: IIS Hack : Anyone explain cause...


From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/24/04


Date: Sat, 24 Jul 2004 14:15:23 GMT

On Sat, 24 Jul 2004 12:01:52 +0100, Team Macromedia
<nospam@nospam.com> wrote:

>NOTE: normally our security is paramount.....

Last comment before I simply give up:

No, your security *isn't* paramount. If it truly was, when you found
Nimda you would flatten the box. Immediately. Nimda can allow a
takeover of your box through the installation of a rootkit or other
admin software, with very little chance you'd detect it. Since you
hadn't patched this box and had a two-year-old attack vector
compromise your system, you have to assume that you no longer have
full control. That is, if your security were paramount.

Look, the only reason I post is to try and help you avoid future
issues, and to prevent your compromised systems from attacking mine.
If you choose to not follow my suggestions, then you have to assume
responsibility for your choices. Obviously, in spite of your
newsgroup handle, you're not associated with Macromedia, so you
probably present a very small risk in terms of attacking me. Just so
long as other admins learning the ropes don't blindly take your course
of action without understanding potential repercussions.

Good luck.

Jeff

>Team Macromedia wrote:
>> Jeez...Apache...nah, i'll stick with IIS as on this occasion it was our
>> security on this machine which was lacking.
>>
>>
>>
>> David Wang [Msft] wrote:
>>
>>> Personally, once a machine has been infected by Nimda, anyone could have
>>> been running on the box as administrator and do anything, including
>>> installing rootkits, keyboard sniffers, etc. It really does not matter if
>>> it looks like you cleaned up the server -- if you care about security, you
>>> would flatten and rebuild this server immediately since it has been
>>> compromised. Otherwise, please do not come crying a month later saying that
>>> some rootkit installed on this machine sniffed your administrator password
>>> and someone broke into some OTHER server that you DO care about -- if you
>>> even find out about this in a month.
>>>
>>>
>>> Now, I have some counterpoint to your assessment of security.
>>>
>>>
>>>> to date virus scanning and b) being fully patched....but like all
>>>> patches..they are always released after the loophole has been
>>>> exploited...
>>>
>>>
>>>
>>> Not true. Microsoft tries and mostly succeeds to release patches PRIOR to
>>> exploitation. All the famous worms had proper patches released
>>> weeks/months/years prior to exploitation. The problem tends to be that
>>> users install the patches FAR later -- thus it only seems like patches are
>>> released after being exploited. We realize that there is often a legitimate
>>> reason for the lag, so we will work hard to fix this issue. Of course, it is
>>> currently an arms race between hackers and software vendors on who wins an
>>> in-the-wild exploit, but people have to realize that software security is
>>> not just about software.
>>>
>>>
>>>> problem....I do however disagree about the whole if you're patched you're
>>>> protected rant as we all know that IIS and indeed lots of software has
>>>> problems - IIS more than anything else has been plagued with errors and
>>>> bugs...
>>>
>>>
>>> I am not denying that prior to IIS6, IIS had a lot of bugs which makes
>>> server maintenance a challenge, but people have certainly been able to run
>>> IIS5 successfully in large numbers.
>>>
>>>
>>>> this is why a whole host of patches have recently been released
>>>> and with one on the way next week it does make you wonder how secure is
>>>> secure......maybe switching it off is the safest bet....?
>>>
>>>
>>>
>>> Fact is, all software has errors and bugs; servers that face the Internet
>>> have a special requirement in that errors can be remotely exploited and thus
>>> patches are required. No software is immune.
>>>
>>> Sure, you can try and run Apache with your current standards -- and I'll bet
>>> that you will get hacked twice as fast since Apache is the most hacked and
>>> defaced server on the Internet and requires even more patches.
>>>
>>>
>>> Security depends on proper software, proper configuration, and proper
>>> education. The perfect software, if misconfigured, can be exploited. Even
>>> if you had perfect software AND it was perfectly configured, if someone
>>> leaves the door open to the server closet and tapes the administrator
>>> password on the monitor, it can also be exploited... so do not just focus on
>>> the software. Configuration (like patch application) and education are just
>>> as important to maintaining security, and the user/customer is responsible
>>> for doing this.
>>>


