I'm thinking that more than likely it was something like a proxy server that was
compromised and/or screwed, and that after 15 minutes it just reloaded the real
page. Is there a proxy of any sort between clients and the server?

Clarke, Paul [IT] writes:

> Are you certain that your site was actually defaced and this wasn't a DNS
> cache-poison attack or nameserver compromise that was pointing your server's
> hostname to some other IP address?
>
> Rgds,
> Paul
>
> -----Original Message-----
> From: ricci [mailto:ricciat_private]
> Sent: Saturday, September 08, 2001 1:24 AM
> To: FORENSICSat_private
> Subject: Special case in investigation
>
>
> Hello All,
>
> I have just encountered a really special case which I think may be
> really interesting for you all. I also hope that you can give me some clues.
>
> My site got attacked where the IIS 4.0 web site got defaced, but it returned
> to normal within 15 minutes. Really back to normal. No automatic tools were
> installed and no one performed a manual replacement of the web site. Also,
> no trace of an intrusion attempt can be found in the IIS log, firewall log
> or IDS log.
>
> The IIS web server and NT 4.0 machine are already patched, and the firewall
> only permits ports 80 and 25 to that machine.
>
> A basic search of the directory cannot find any other file being modified
> during the suspected period of time. Only one web page was changed in that
> period of time.
>
> BTW, is there any method by which the hacker can penetrate the web site and
> attack a web server which has already been patched for IDA/IDQ, Unicode and
> Unicode decode? In other words, there should be no obvious way the attacker
> can upload the file.
>
> So is there anything I'm missing? Are there any tools that permit the hacker
> to attack my site?
>
> If a person really got into the site, can they remove a particular user IP
> address from the IIS log? Can he remove a particular person's query from the
> event log of NT? Can I confirm that the IIS log is reliable?
>
> If a user got the NT password, is that helpful to the attack over port 80?
>
> Some of my admins suggested that a time bomb may have been used in this
> attack, because the web site returned to normal in less than 15 minutes
> without any trace. Can we identify that?
>
> Can anyone give me some suggestions and clues? Is there anything I'm
> thinking wrongly?
>
> Really an interesting case.
>
> Thanks.
>
> Ricci
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--James
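Two of Ricci's questions, whether an attacker who got in could remove individual entries from the IIS log and whether the log can be trusted at all, can be partly answered from the log file itself. What follows is an added example, not code from any of the posters: a small Python script that parses the IIS W3C extended log format (the `#Fields` directive and the standard `date`, `time`, `c-ip`, `cs-method`, `cs-uri-stem`, `sc-status` columns) and flags the two things a forensic reviewer would look at first: entries whose timestamps run backwards relative to file order, and unusually long quiet periods around the suspected 15-minute window. The log lines and the incident window are constructed for the example. A log that passes both checks is still not proof of integrity, which is why the standard mitigation is to forward log entries off-host as they are written, where a web-server compromise cannot reach them.

```python
"""Heuristic integrity checks for IIS W3C extended log files.

Added example, not code from the thread. The sample log and the
incident window below are constructed. IIS writes W3C extended
format timestamps in UTC (GMT), so compare them against other
evidence (firewall, IDS, NT event log) in UTC as well.
"""
from datetime import datetime, timedelta

# Constructed sample in IIS 4.0 W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-09-07 17:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-07 17:00:12 10.0.0.5 GET /index.htm 200
2001-09-07 17:02:40 10.0.0.9 GET /news.htm 200
2001-09-07 17:31:05 10.0.0.5 GET /index.htm 200
2001-09-07 17:15:33 10.0.0.7 GET /index.htm 200
2001-09-07 17:40:00 10.0.0.9 GET /index.htm 200
"""

# Constructed 25-minute window around the suspected defacement.
INCIDENT_WINDOW = (datetime(2001, 9, 7, 17, 10), datetime(2001, 9, 7, 17, 35))
FIFTEEN_MINUTES = timedelta(minutes=15)


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    The #Fields directive defines the column layout and can appear more than
    once in a file (IIS writes the header block again when the service
    restarts), so the most recent one is used. Each record also gets a
    'ts' datetime and the 1-based 'lineno' it came from.
    """
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("line %d: data before any #Fields directive" % lineno)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(fields), len(values)))
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        rec["lineno"] = lineno
        records.append(rec)
    return records


def backwards_entries(records):
    """Return line numbers of entries timestamped earlier than the entry before them.

    IIS appends entries as requests complete, so the file should be close to
    time-ordered. A backwards jump is worth a closer look: it can mean the
    file was edited or reassembled after the fact (a clock change is the
    usual benign explanation, so check the NT event log for one).
    """
    return [cur["lineno"] for prev, cur in zip(records, records[1:])
            if cur["ts"] < prev["ts"]]


def quiet_gaps(records, threshold):
    """Return (start, end) pairs where nothing was logged for longer than threshold.

    Judged against the site's normal request rate, an unexplained silence
    around the incident window is one sign that entries were removed.
    """
    ordered = sorted(records, key=lambda r: r["ts"])
    return [(prev["ts"], cur["ts"]) for prev, cur in zip(ordered, ordered[1:])
            if cur["ts"] - prev["ts"] > threshold]


def requests_in_window(records, start, end, uri_stem=None):
    """Entries whose timestamp falls in [start, end], optionally for one URI."""
    return [r for r in records
            if start <= r["ts"] <= end
            and (uri_stem is None or r["cs-uri-stem"] == uri_stem)]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("entries parsed:", len(recs))
    print("backwards timestamps at lines:", backwards_entries(recs))
    for a, b in quiet_gaps(recs, FIFTEEN_MINUTES):
        print("quiet gap: %s -> %s" % (a, b))
    for r in requests_in_window(recs, *INCIDENT_WINDOW, uri_stem="/index.htm"):
        print("index.htm hit in window:", r["ts"], r["c-ip"])
```

Run against a real log directory, the same three functions apply per file; the interesting output is not the flagged lines alone but how they line up with the firewall and IDS records for the same UTC window.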
This archive was generated by hypermail 2b30 : Fri Sep 14 2001 - 12:33:08 PDT