> My site got attacked where the IIS 4.0 web site got defaced but it returns to
> normal within 15 minutes time. Really back to normal.

Maybe you (the viewer) got hacked or tricked, and not your web server.

> The IIS web server and NT 4.0 machine already patched and firewall(ed)

How about all of the DNS servers for the site? And the routers along the way? And the DNS server your web browser used? And your web browser, and the computer it's running on?

> BTW, is there any method the hacker can penetrate to the web site and attack
> the web which already been patched on IDA-IDQ, unicode and unicode decode. In
> other words, there should be no obvious way the attacker can upload the file.

An incident a few years ago: Victim's web site was secure, but his DNS servers weren't. The cracker changed the web site's A record to point to another site where a "defacement" was already in place. Fortunately for the victim there were no changes to the DNS TTLs.

> If a person really got into the site, can they remove particular user ip
> address from the IIS log? can he remove particular person's query from the
> event log of NT? Can I confirm that the IIS log is reliable?

If someone compromises your machine, it will tell you whatever the cracker wants it to tell you.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
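An added example, not part of the original message: a defender-side check for the DNS scenario described in the reply, comparing A-record answers gathered from several resolvers against the record the site owner expects to be published. The host name, addresses, TTLs and resolver labels are constructed sample data, and the answers are assumed to have been collected separately from a machine that is trusted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    resolver: str         # label for whoever returned the answer
    name: str             # queried host name
    addresses: frozenset  # A records in the answer
    ttl: int              # TTL in seconds as returned


# Constructed baseline: the A record and TTL the zone owner publishes.
BASELINE = {"www.example.com": (frozenset({"192.0.2.10"}), 900)}

# Constructed observations gathered from three vantage points.
OBSERVED = [
    Answer("authoritative-ns1", "www.example.com", frozenset({"198.51.100.66"}), 900),
    Answer("authoritative-ns2", "www.example.com", frozenset({"192.0.2.10"}), 900),
    Answer("isp-cache", "www.example.com", frozenset({"198.51.100.66"}), 412),
]


def audit(baseline, observed):
    """Return (resolver, kind, detail, ttl) for every deviation from baseline."""
    findings = []
    for ans in observed:
        if ans.name not in baseline:
            continue
        want_addrs, want_ttl = baseline[ans.name]
        unexpected = ans.addresses - want_addrs
        if unexpected:
            findings.append((ans.resolver, "unexpected_address", sorted(unexpected), ans.ttl))
        # A cache counts the TTL down, so a value above the published one
        # means the record itself was altered, not merely cached.
        if ans.ttl > want_ttl:
            findings.append((ans.resolver, "ttl_raised", want_ttl, ans.ttl))
    return findings


def exposure_seconds(findings):
    """Longest time a wrong answer can stay cached after the zone is repaired."""
    return max((f[3] for f in findings if f[1] == "unexpected_address"), default=0)


if __name__ == "__main__":
    results = audit(BASELINE, OBSERVED)
    for finding in results:
        print(finding)
    print("worst-case cache lifetime after repair:", exposure_seconds(results), "s")
```

With an unchanged 900-second TTL, a wrong answer ages out of caches within 15 minutes of the zone being repaired; a `ttl_raised` finding means the wrong answer will persist for longer.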
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 13:00:15 PDT