> Hello All,
>
> I have just encountered a really special case which I think may be
> really interesting for you all. I also hope that you can give me some clues.
>
> My site got attacked: the IIS 4.0 web site got defaced, but it returned
> to normal within 15 minutes. Really back to normal. No automatic tools were
> installed and no one performed a manual replacement of the web site. Also,
> no trace of an intrusion attempt can be found in the IIS log, firewall log or IDS
> log.
>
> The IIS web server and the NT 4.0 machine are already patched, and the firewall only
> permits ports 80 and 25 to that machine.

You should check the software that is accessible through your webserver (ColdFusion, iisadmin & iissamples, etc). Even if you have IIS fully patched, those applications also have vulnerabilities, and you should check whether those are also patched. You should also check the patches for SMTP (port 25). SMTP also has vulnerabilities.

> Basic search in the directory cannot find any other file being modified during
> the suspected period of time. Only one web page was changed at that period
> of time.
>
> BTW, is there any method the hacker can use to penetrate the web site and
> attack the web server which has already been patched for IDA-IDQ, unicode and unicode
> decode? In other words, there should be no obvious way the attacker can
> upload the file.

There are more vulnerabilities besides those, but if you have patched against those, I assume that all the others are patched.

> So is there anything I'm missing? Are there any tools that permit the hacker
> to attack my site?
>
> If a person really got into the site, can they remove a particular user IP
> address from the IIS log? Can he remove a particular person's query from the
> event log of NT? Can I confirm that the IIS log is reliable?

Yes, they can change the logs, if they have permissions to them. Check the file permissions on the directory and files.

> If a user got the NT password, is that helpful to the attack over port 80?

Yes, it is, and for port 25 (SMTP) also ;)

> Some of my admins suggested that a time bomb may have been used in this attack because
> the web site returned to normal in less than 15 minutes without any trace.
> Can we identify that?

You should check the services running on your system to see if you detect something strange, for example.

> Can anyone give me some suggestions and clues? Is there anything I'm
> thinking wrongly?

Hmm, you should check the entries in the firewall, not only for suspicious accesses, but also for some sort of access. About the IDS software, I don't know what software you're using, but the recently discovered bug (%u) that prevents the IDS software from detecting known signatures could be the solution. Check IDS software patches.

You should also consider the fact that this could be an inside job...

You should think about a full forensic analysis and a security and penetration audit. If the webserver was in fact compromised, the hacker surely left backdoors in it.

Powerslave

"Some men see things as they are, and say 'Why'? I see things that never were, and say 'Why not'?"

> Really an interesting case.
>
> Thanks.
>
> Ricci
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
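The thread asks whether the IIS log can be trusted once an attacker may have had write access to it. One cheap consistency check a responder can run on a copy of the W3C extended log is illustrated below. This is an added example, not code from the original post or from either poster: it parses the `#Fields:` directive, then flags two indicators of a rewritten file, timestamps that run backwards (IIS appends entries as requests complete, so large inversions do not occur naturally) and unusually long silent gaps inside the suspected window. The log excerpt, the IP addresses and the 10-minute gap threshold are constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log excerpt (not a real log).
# The jump from 12:07:02 to 12:23:55 and the reversed 12:21:10 entry are
# planted on purpose to show what the checks report.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-09-01 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-01 12:00:14 10.0.0.5 GET /index.htm 200
2001-09-01 12:03:41 10.0.0.9 GET /images/logo.gif 200
2001-09-01 12:07:02 10.0.0.5 GET /index.htm 200
2001-09-01 12:23:55 10.0.0.12 GET /index.htm 200
2001-09-01 12:21:10 10.0.0.12 GET /about.htm 200
2001-09-01 12:25:33 10.0.0.9 GET /index.htm 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields.

    Each row also carries its 1-based file line number (_line) and a
    datetime built from the date and time columns (_ts).
    """
    fields = None
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directives: only #Fields matters for parsing; it may repeat
            # mid-file if the server rotated or reconfigured logging.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive at line %d" % lineno)
        values = line.split()
        if len(values) != len(fields):
            # A hand-edited line often breaks the column count; surface it
            # rather than silently skipping it.
            raise ValueError("field count mismatch at line %d" % lineno)
        row = dict(zip(fields, values))
        row["_line"] = lineno
        row["_ts"] = datetime.strptime(
            row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def find_anomalies(rows, max_gap_minutes=10):
    """Return findings for reversed timestamps and gaps longer than max_gap_minutes.

    Each finding records the kind, the offending file line and the delta in
    seconds relative to the previous entry.
    """
    findings = []
    max_gap = timedelta(minutes=max_gap_minutes)
    for prev, cur in zip(rows, rows[1:]):
        delta = cur["_ts"] - prev["_ts"]
        seconds = int(delta.total_seconds())
        if delta < timedelta(0):
            findings.append({"kind": "out_of_order", "line": cur["_line"],
                             "seconds": seconds})
        elif delta > max_gap:
            findings.append({"kind": "gap", "line": cur["_line"],
                             "seconds": seconds})
    return findings


def requests_in_window(rows, start, end):
    """Entries whose timestamp lies in [start, end], e.g. the defacement window."""
    return [r for r in rows if start <= r["_ts"] <= end]


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for f in find_anomalies(rows):
        print("%-13s line %d (%+d s)" % (f["kind"], f["line"], f["seconds"]))
    window = requests_in_window(rows, datetime(2001, 9, 1, 12, 5),
                                datetime(2001, 9, 1, 12, 25))
    print("%d entries inside the suspected window" % len(window))
```

A silent gap is only meaningful against the site's normal traffic rate, so compare the threshold with logs from the same hour on uneventful days before treating it as evidence. Small inversions of a few seconds can come from long-running requests that complete late; inversions of minutes, or a gap that coincides exactly with the defacement window, are the ones worth a closer look. Run the checks on a copy taken from backup or a tape, since a log the attacker could write to is exactly what is in question.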
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 12:57:50 PDT