RE: Special case in investigation

From: Clarke, Paul [IT] (paul.clarkeat_private)
Date: Mon Sep 10 2001 - 07:55:15 PDT

    Are you certain that your site was actually defaced and this wasn't a DNS
    cache-poison attack or nameserver compromise that was pointing your server's
    hostname to some other IP address?
    
    Rgds,
    Paul
    
    -----Original Message-----
    From: ricci [mailto:ricciat_private]
    Sent: Saturday, September 08, 2001 1:24 AM
    To: FORENSICSat_private
    Subject: Special case in investigation
    
    
    Hello All,
    
    	I have just encountered a really special case which I think may be
    really interesting for you all. I also hope that you can give me some clues.
    
    	My site got attacked: the IIS 4.0 web site got defaced, but it returned
    to normal within 15 minutes. Really back to normal. No automatic tools were
    installed and no one performed a manual replacement of the web site. Also,
    no intrusion attempt trace can be found in the IIS log, firewall log or IDS
    log.
    
    	The IIS web server and NT 4.0 machine are already patched, and the
    firewall only permits ports 80 and 25 to that machine.
    
    	A basic search in the directory cannot find any other file being
    modified during the suspected period of time. Only one web page was changed
    in that period of time.
    
    	BTW, is there any method the hacker can use to penetrate the web site
    and attack the web server, which has already been patched for IDA/IDQ,
    Unicode and Unicode decode? In other words, there should be no obvious way
    the attacker can upload the file.
    
    	So is there anything I'm missing? Are there any tools that permit the
    hacker to attack my site?
    
    	If a person really got into the site, can they remove a particular
    user's IP address from the IIS log? Can he remove a particular person's query
    from the event log of NT? Can I confirm that the IIS log is reliable?
    
    	If a user got the NT password, is that helpful to the attack over
    port 80?
    
    	Some of my admins suggested that a time bomb may have been used in this
    attack, because the web site returned to normal in less than 15 minutes
    without any trace. Can we identify that?
    
    	Can anyone give me some suggestions and clues? Is there anything I'm
    thinking wrongly?
    
    	Really an interesting case.
    
    	Thanks.
    
    Ricci
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
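Paul's question (real defacement, or a DNS redirect?) can be settled by comparing what the zone's authoritative nameserver says against what recursive resolvers hand out. The triage helper below is an added example for this thread, not code from either poster; the resolver names, addresses and TTLs are constructed sample data.

```python
"""Triage a suspected defacement: did clients reach our server, or were they
sent elsewhere by DNS?  Constructed sample data; not from the original thread."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Answer:
    resolver: str          # which resolver was asked for the site's A record
    authoritative: bool    # True if asked directly at the zone's NS (no cache)
    addresses: List[str]   # A records returned
    ttl: int               # seconds a recursive resolver may cache the answer


def classify(expected: List[str], answers: List[Answer]) -> str:
    """Return 'server-content', 'nameserver-compromise', 'cache-poisoning'
    or 'inconclusive' (no authoritative answer collected)."""
    want = set(expected)
    auth = [a for a in answers if a.authoritative]
    caches = [a for a in answers if not a.authoritative]
    if not auth:
        return "inconclusive"            # always confirm at the authoritative NS
    if any(set(a.addresses) != want for a in auth):
        return "nameserver-compromise"   # the zone itself points elsewhere
    if any(set(a.addresses) != want for a in caches):
        return "cache-poisoning"         # zone is right, a cache hands out a bogus IP
    return "server-content"              # every path resolves to us: examine the host


def poisoned_entries(expected: List[str],
                     answers: List[Answer]) -> List[Tuple[str, List[str], int]]:
    """Bogus cached answers with their TTL: the cache self-heals when it expires,
    which is what a site 'returning to normal' with no file changes looks like."""
    want = set(expected)
    return [(a.resolver, a.addresses, a.ttl)
            for a in answers if not a.authoritative and set(a.addresses) != want]


# Constructed sample: RFC 5737 documentation addresses, hypothetical resolvers.
SAMPLE_EXPECTED = ["203.0.113.10"]
SAMPLE_ANSWERS = [
    Answer("ns1.example.net (authoritative)", True, ["203.0.113.10"], 3600),
    Answer("isp-recursive", False, ["198.51.100.77"], 900),   # 900 s = 15 min
    Answer("internal-recursive", False, ["203.0.113.10"], 3600),
]

if __name__ == "__main__":
    print(classify(SAMPLE_EXPECTED, SAMPLE_ANSWERS))
    for resolver, addrs, ttl in poisoned_entries(SAMPLE_EXPECTED, SAMPLE_ANSWERS):
        print(f"{resolver} -> {addrs} (bogus entry expires in {ttl}s)")
```

In practice, collect each `Answer` while the defacement is visible, because once the bogus cache entry expires there is nothing left to capture.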
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 13:09:20 PDT