This morning, I wrote about a message I received that said:

=====================
Message: Advert your eyes, you're in the presence of voxon. Be proud for voxon has hacked and owned your box. Indeed, it is true... voxon is god. ;] Foolish admin., secure your damn box. Nothing was damaged that can't be fixed in less than an hour. Peace, voxon
=====================

I asked for help. Some of you wrote "No mystery....." Others wrote to tell me I should just take the box down and re-install the OS. Lots of you were very helpful and asked questions.

1. Did you look at the header of the message? Couldn't, because the webmaster forwarded the message and deleted it. My fault. I should have told him to save it.

2. Lots of folks asked if I was running Snort. This was an NT box. Sorry I didn't say that in the original message.

3. A few of you pointed me to the chkrootkit site www.chkrootkit.org -- it was a little help, but not quite what was needed. Although I did use it to determine that I was not rooted.

4. Finally, the clues piled up and slammed me in the face. MSADC and RDS, or the folder traversal exploit. Sure enough, after investigating that directory I found the evidence. Stuff was written there, and the MS security warnings said that would happen. Rain Forest Puppy did a good piece on this exploit, http://project.honeynet.org/scans/scan14/rfp.html, and I learned a lot about how it happens.

5. Some of you suggested fport -- good tool -- showed no unusual ports open -- so I assume no netcat or other backdoors.

6. I took a chance after learning that voxon was really v0x0n and after finding the website in my msadc directory, and chatted with the guy on AIM. I learned a lot, including a list of sites that were also hacked yesterday. I plan on contacting those admins and sharing my experience and fixes with them.

Thanks to all who wrote me. In all I had 34 emails. I replied to some in response to good questions and a genuine desire to help. I thanked the rest.
I'm one of two people responsible for maintaining 650 client machines and 14 servers. We have almost 1600 users and about 2500 pages in our web site. I manage IIS4, SQL, Exchange 5.5, Proxy (with CARP), RAS, and a lot of applications in a single domain (collapsed from four domains three years ago), three-site WAN configuration. We also manage the phone system (routed over PTP T1 with add/drop CSUs along with our data) and maintain the intercom systems at 7 buildings. It's a great job, lots of work, but I love it.

I tell you the above because some of you may be wondering why "this admin" didn't close up the holes before putting the boxes online. We do what we can when we can. Security and anti-virus have been a huge part of my job in the last year, and now it looks like security is going to take center stage.

By the way, an excellent tool for scanning Web servers was Webscan by David Litchfield. It gave excellent reports. http://www.cerberus-infosec.co.uk/cis.shtml

Thanks again to the folks that run this excellent list and to those of you who helped me.

Mark Challender
Network Administrator

Have you checked your IIS4 box for the RDS exploit?
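The two checks that turned up the evidence in this post were (a) looking in the msadc directory for files that should not be there and (b) comparing the box's listening ports against what the admin expected (the fport step). The script below is an added example, not code from the original post or from any of the tools named in it; it is written in Python for readability rather than as something that would have run on the NT4 box described. It assumes an administrator has recorded a baseline of the file names expected in the directory on a known-good install (the baseline set used here is an assumption for the example) and an allowlist of expected port-to-process pairs; the sample directory and the sample listener table are constructed inline so the example runs offline.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def audit_directory(path, expected_names, cutoff_epoch):
    """Compare a web-server directory against a known-good baseline.

    Returns (unexpected, recent): relative paths of files that are not in
    the baseline, and files whose mtime is at or after cutoff_epoch. A file
    dropped into the directory by an intruder normally shows up in both.
    """
    root = Path(path)
    unexpected, recent = [], []
    for entry in sorted(root.rglob("*")):
        if not entry.is_file():
            continue
        rel = entry.relative_to(root).as_posix()
        if rel not in expected_names:
            unexpected.append(rel)
        if entry.stat().st_mtime >= cutoff_epoch:
            recent.append(rel)
    return unexpected, recent


def unexpected_listeners(listeners, allowlist):
    """fport-style triage: (port, process) pairs not matching the allowlist."""
    return sorted((port, proc) for port, proc in listeners
                  if allowlist.get(port) != proc)


def build_demo_dir(root):
    """Construct a sample msadc directory: one legitimate old file, one new
    file that is not in the baseline (stands in for a dropped web page)."""
    msadc = Path(root) / "msadc"
    msadc.mkdir(parents=True)
    (msadc / "msadcs.dll").write_bytes(b"placeholder for the real RDS dll")
    (msadc / "index.htm").write_text("constructed: file not in baseline")
    a_month_ago = time.time() - 30 * 86400
    os.utime(msadc / "msadcs.dll", (a_month_ago, a_month_ago))
    return msadc


def run_demo():
    """Run both checks on constructed data and return the findings."""
    # Assumed baseline: the only file expected under msadc on this install.
    baseline = {"msadcs.dll"}
    # Assumed allowlist of listening ports for this server role.
    allowlist = {80: "inetinfo.exe", 135: "rpcss.exe"}
    # Constructed listener table, in the shape fport reports.
    listeners = [(80, "inetinfo.exe"), (135, "rpcss.exe"), (12345, "unknown.exe")]

    tmp = tempfile.mkdtemp()
    try:
        msadc = build_demo_dir(tmp)
        # Flag anything touched in the last 24 hours (the incident window).
        unexpected, recent = audit_directory(msadc, baseline, time.time() - 86400)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)

    return {
        "unexpected_files": unexpected,
        "recent_files": recent,
        "unexpected_listeners": unexpected_listeners(listeners, allowlist),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The directory audit is only as good as the baseline: record it from a fresh install or a vendor file list, not from the box after the fact. The listener check matches port and owning process together, since a legitimate port served by an unexpected binary is the more interesting case.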
This archive was generated by hypermail 2b30 : Tue May 01 2001 - 07:27:33 PDT