Re: CRIME hacked web server question

From: Alan (alan@private)
Date: Mon Dec 31 2001 - 13:16:46 PST


On Monday 31 December 2001 12:32, Crispin Cowan wrote:
> Unless you have an expert in security forensics, I would recommend that
> you fdisk that machine and restore from backup. Unless you were running
> something like tripwire and have a complete picture of the machine in a
> known-clean state, you have no way of knowing what back doors and
> trojans the attacker may have installed.

True. (This is what I get for posting before coffee...)

Most virus scan software will find the popular backdoor programs, but many 
can be altered to hide from such scans.

> And while you're fdisk'ing, dump IIS/Windows and get a real OS ;-)  Yes,
> I understand the business reasons why people choose to use windows. I
> also understand that most of the people who make those high level
> decisions aren't really aware of the hidden costs they impose on
> themselves when they do that.

If you have applications that need Windows DLLs (I have run into a few 
obscure occasions when that is actually needed), run Apache instead of IIS. 
There is a Windows version. It does not suffer from the bad design choices of 
IIS (like running many parts with admin privileges). Also, NT has a problem 
with "backreving" some configuration options to default when applying service 
patches. After changing hardware and/or some software you have to go back 
and make sure that all patches and hotfixes are reapplied and reconfigured. 
(And reboot after each one!) The downtime for this process is NOT trivial. 
(Which is why most NT/IIS patches get put off until it is usually too late.)

But there are really few reasons to run Windows on a server box and NO reason 
to run IIS. (The only reason I have had to run it was for one app that used 
NT DLLs to generate license keys for Citrix.)

Also, having web and FTP trees overlap is a bad idea.  It has been used to 
hack more than one machine. (Including Apache.org!)

>
> Crispin
>
> Adam Lipson wrote:
> > I have had someone come through and post about 3gb of files on a webserver
> > running fully patched IIS and only port 80 and ftp allowed to access it.
> > The problem is the folders containing the files have names like ".   tagged
> > for nwa" and can't be deleted by windows/dos. Does anyone know how to
> > delete these folders as I presume this may have happened to someone else
> > on the list.
> >
> > Thanks and happy new years!
> > Adam

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:38:12 PDT