Re: IIS Hack : Anyone explain cause...


anonymous_at_discussions.microsoft.com
Date: 07/25/04


Date: Sun, 25 Jul 2004 06:28:20 -0700

Hee, hee! That's so funny and probably true! :-)

>-----Original Message-----
>Will do.....though he probably still lives with his Mom so doesn't get
>much free time to have a code-fest
>
>;-)
>
>
>
>anonymous@discussions.microsoft.com wrote:
>> Hey Patcher,
>>
>> I'm glad you enjoyed and I agree with you about his
>> pictures!
>>
>> If you even get a chance to have a .NET showdown with
>> him, make sure to post on the Newsgroup so everyone can
>> go! :-)
>>
>>
>>>-----Original Message-----
>>>Hee hee, I don't mind...he had his correct points (such as lax security
>>>on a server)..but let's be fair..I wasn't asking for a lot...I know about
>>>security..just I was not sure what caused our breach....
>>>
>>>his picture speaks a thousand words though.... I wonder just how much
>>>techie stuff he does know....I would like to see how good he is at
>>>programming....maybe we can have a .NET showdown and I suppose anyone
>>>can get MVP status by reading other writers' Microsoft Press books.....
>>>
>>>that pic's a classic....
>>>
>>>still laughing......
>>>
>>>
>>>
>>>anonymous@discussions.microsoft.com wrote:
>>>
>>>>No Jeff Cochran isn't part of MS, he's a MVP, Microsoft
>>>>Most Valued Professional.
>>>>
>>>>http://www.microsoft.com/communities/MVP/MVP.mspx
>>>>
>>>>Check under IIS to see his picture and bio:
>>>>
>>>>Why was he given the title, no ideas... Most of his
>>>>posts are negative, condescending, and sometimes just
>>>>plain insulting!
>>>>
>>>>What I noticed is that most of the time, he asks for
>>>>further info but never goes back to answer the post once
>>>>the info has been posted...
>>>>
>>>>So, don't let him bother you, that's what I do. I just
>>>>read his post and shake my head! :-)
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>Flattening the box is happening....so, get off your high horse...
>>>>>
>>>>>as I said, our systems are normally secure ..this box was one that
>>>>>slipped through the net....we have **thousands** of servers around the
>>>>>world which are 100% secure in our organisation (well as secure as the
>>>>>apps on them let us be)....We cleaned the machine and ran forensics and
>>>>>came up with nada....
>>>>>
>>>>>We have taken the machine offline and are now rebuilding it as was
>>>>>suggested...
>>>>>
>>>>>And how on earth can you even tell I was not associated with MM - the
>>>>>same assumption I can make that you have nothing to do with MS?
>>>>>
>>>>>I'm also not an admin..I am an engineer...unfortunately tasked with the
>>>>>tracing of how it happened at present....
>>>>>
>>>>>
>>>>>
>>>>>Jeff Cochran wrote:
>>>>>
>>>>>
>>>>>>On Sat, 24 Jul 2004 12:01:52 +0100, Team Macromedia
>>>>>><nospam@nospam.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>NOTE: normally our security is paramount.....
>>>>>>
>>>>>>
>>>>>>Last comment before I simply give up:
>>>>>>
>>>>>>No, your security *isn't* paramount. If it truly was, when you found
>>>>>>Nimda you would flatten the box. Immediately. Nimda can allow a
>>>>>>takeover of your box through the installation of a rootkit or other
>>>>>>admin software, with very little chance you'd detect it. Since you
>>>>>>hadn't patched this box and had a two-year-old attack vector
>>>>>>compromise your system, you have to assume that you no longer have
>>>>>>full control. That is, if your security were paramount.
>>>>>>
>>>>>>Look, the only reason I post is to try and help you avoid future
>>>>>>issues, and to prevent your compromised systems from attacking mine.
>>>>>>If you choose to not follow my suggestions, then you have to assume
>>>>>>responsibility for your choices. Obviously, in spite of your
>>>>>>newsgroup handle, you're not associated with Macromedia, so you
>>>>>>probably present a very small risk in terms of attacking me. Just so
>>>>>>long as other admins learning the ropes don't blindly take your course
>>>>>>of action without understanding potential repercussions.
>>>>>>
>>>>>>Good luck.
>>>>>>
>>>>>>Jeff
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Team Macromedia wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>Jeez...Apache...nah, i'll stick with IIS as on this occasion it was our
>>>>>>>>security on this machine which was lacking.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>David Wang [Msft] wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>Personally, once a machine has been infected by Nimda, anyone could have
>>>>>>>>>been running on the box as administrator and do anything, including
>>>>>>>>>installing rootkits, keyboard sniffers, etc. It really does not matter if
>>>>>>>>>it looks like you cleaned up the server -- if you care about security, you
>>>>>>>>>would flatten and rebuild this server immediately since it has been
>>>>>>>>>compromised. Otherwise, please do not come crying a month later saying that
>>>>>>>>>some rootkit installed on this machine sniffed your administrator password
>>>>>>>>>and someone broke into some OTHER server that you DO care about -- if you
>>>>>>>>>even find out about this in a month.
>>>>>>>>>
>>>>>>>>>Now, I have some counterpoint to your assessment of security.
>>>>>>>>>
>>>>>>>>>>to date virus scanning and b) being fully patched....but like all
>>>>>>>>>>patches..they are always released after the loophole has been
>>>>>>>>>>exploited...
>>>>>>>>>
>>>>>>>>>Not true. Microsoft tries and mostly succeeds to release patches PRIOR to
>>>>>>>>>exploitation. All the famous worms had proper patches released
>>>>>>>>>weeks/months/years prior to exploitation. The problem tends to be that
>>>>>>>>>users install the patches FAR later -- thus it only seems like patches are
>>>>>>>>>released after being exploited. We realize that there is often a legitimate
>>>>>>>>>reason for the lag, so we will hard to fix this issue. Of course, it is
>>>>>>>>>currently an arms race between hackers and software vendors on who wins an
>>>>>>>>>in-the-wild exploit, but people have to realize that software security is
>>>>>>>>>not just about software.
>>>>>>>>>
>>>>>>>>>>problem....I do however disagree about the whole if you're patched you're
>>>>>>>>>>protected rant as we all know that IIS and indeed lots of software has
>>>>>>>>>>problems - IIS more than anything else has been plagued with errors and
>>>>>>>>>>bugs...
>>>>>>>>>
>>>>>>>>>I am not denying that prior to IIS6, IIS had a lot of bugs which makes
>>>>>>>>>server maintenance a challenge, but people have certainly been able to run
>>>>>>>>>IIS5 successfully in large numbers.
>>>>>>>>>
>>>>>>>>>>this is why a whole host of patches have recently been released
>>>>>>>>>>and with one on the way next week it does make you wonder how secure is
>>>>>>>>>>secure......maybe switching it off is the safest bet....?
>>>>>>>>>
>>>>>>>>>Fact is, all software has errors and bugs; servers that face the Internet
>>>>>>>>>have a special requirement in that errors can be remotely exploited and thus
>>>>>>>>>patches are required. No software is immune.
>>>>>>>>>
>>>>>>>>>Sure, you can try and run Apache with your current standards -- and I'll bet
>>>>>>>>>that you will get hacked twice as fast since Apache is the most hacked and
>>>>>>>>>defaced server on the Internet and requires even more patches.
>>>>>>>>>
>>>>>>>>>Security depends on proper software, proper configuration, and proper
>>>>>>>>>education. The perfect software, if misconfigured, can be exploited. Even
>>>>>>>>>if you had perfect software AND it was perfectly configured, if someone
>>>>>>>>>leaves the door open to the server closet and tapes the administrator
>>>>>>>>>password on the monitor, can also be exploited... so do not just focus on
>>>>>>>>>the software. Configuration (like patch application) and education are just
>>>>>>>>>as important to maintaining security, and the user/customer is responsible
>>>>>>>>>for doing this.
>>>>>>>>>
>>>>>>
>>>>>>
>>>>>.
>>>>>
>>>
>>>.
>>>
>.
>


