Re: [OT] IIS security
From: Matt Gibson (mattg_at_blueedgetech.ca)
Date: 05/25/04
- In reply to: James Reather: "Re: [OT] IIS security"
Date: Tue, 25 May 2004 15:07:46 -0700
"James Reather" <james.news@reather.com> wrote in message
news:eWj0tFqQEHA.2468@tk2msftngp13.phx.gbl...
> "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
> news:O6zhZ%23pQEHA.3012@TK2MSFTNGP09.phx.gbl...
> > *Raises Hand*
> >
> > Notice how it says they were attacked?
>
> Where does it say that?
Sorry, I should have been more specific. On the Daily-Dave mailing list,
from Dave Aitel of Immunitysec.com, it was said that "They found the
administration page and performed a SQL injection attack, allowing them to
manage the content of the section."
>
> > Through a web based administration
> > page, and then using SQL injection.
> >
> > That's got no effect on IIS security.
>
> "No effect" ...err... <shakes head> I suppose that insecure "web based
> administration page" was running on a rogue Apache server, was it? ;-)
> Better still, perhaps the SQL database in question was actually MySQL? :-)
> :-)
That's like saying that since one car was stolen because the doors were
unlocked, all cars are vulnerable. They got hacked because someone wrote
sloppy code. They did not get hacked because of a problem in IIS.
>
> I suppose we could sum it up like this: if Microsoft's MSPress division
> can't keep their IIS servers secure, what makes you think *you're* so much
> more capable? Better be sure of yourself before you stick your head above
> the parapet...
Actually, I do think I'm more capable than the people who set that one up.
There are no scripts that run on my site and I don't parse content like they
did. Ergo, I'm not susceptible to the same flaws that got them hacked.
>
> James
>
>