Re: Patched IIS/frontpage host compromised 7-1-2003

From: John Leach (johnat_private)
Date: Wed Jul 16 2003 - 08:49:06 PDT


    Hi April, 
    
    Could the box have been compromised in between updates, and not noticed
    until now?
    
    How was "visibility to the Internet" enforced?
    
    My usual recommendation is to deny outbound access by default and open
    only what's necessary (which at a guess wouldn't need to include TFTP
    for example).
    
    And maybe the backdoors and secret FTP servers are just better hidden on
    your Apache servers ;)
    
    It's important to find out how the host was compromised so you can
    implement countermeasures and plug the holes.  Before formatting you
    should take a copy of the hard drive, at the very least the internet
    services logs.
    
    John.
    
    On Tue, 2003-07-15 at 22:28, Johnson, April wrote:
    > I'm an exceptionally unhappy admin (and perhaps a little embarrassed as
    > well).  At this point I'm assuming it's impossible to adequately secure
    > IIS server with Frontpage extensions?
    > 
    > What the server had:
    > -Patched to SP3 + updates (on 7/1 I hadn't fully deployed SP4 yet).
    > -Frontpage Extensions
    > -Visibility to the internet on ports 80 and 443
    > -Outbound access on all ports
    > -Norton Anti-virus with realtime protection and current definitions
    > -Non-admin users denied access to system folders
    > -RestrictAnonymous was set to 1
    > -Indexing service was not active
    > -IIS sample apps and MSADC/Scripts directories were not present
    > -Parentpaths were disabled
    > 
    > What the server did NOT have:
    > -The POSIX subsystem was not removed
    > -The IIS lockdown tool was not run
    > 
    > 
    > Rootkit/compromise components I've found so far  (yes, I'm about to
    > format this box...)
    > -a service called 'Detector' that may be a "Serv-U" service
    > -a local user created named 'default' and placed in the Administrator's
    > group
    > -scripts found in the system32 subdirectory called script.bat and
    > script80.bat
    > 	*extracts from a bean.cab (and bean80.cab) file
    > 	*it created mschk.dll
    > 	*copies up files called drive.exe, drives.txt and syswdrv.dll to
    > look for warez drive space
    > -special subdirectories hidden in the recycler
    > 
    > Hidden in the Serv-U.ini file is a registration key, and a username
    > DeVilRiDer; Serv-U was configured with a "look" user, a "chameleon"
    > user, and a "leech" user (not NT accounts, but within the app).
    > 
    > Two TFTP files, TFTP1568, TFTP 1872.
    > 
    > Other changes:
    > The Telnet service was started (although not visible to the outside)
    > 
    > 
    > That's about it.  
    > At this point, I'm now formatting the box.
    > 
    > Thoughts?  Shall I give up on ever making a Frontpage Server visible to
    > the outside?  I don't have the same level of problems on my Apache
    > servers, although compromise is still possible.
    
    -- 
    GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
       HTTP: http://www.johnleach.co.uk
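An added triage example, not part of John's or April's mail: a small Python checker that walks a host snapshot and flags the indicators April listed (the 'Detector' service, the 'default' user in Administrators, the script.bat/bean.cab/mschk.dll drop files, TFTP-named files, non-SID directories under RECYCLER, the started Telnet service) plus John's deny-outbound-by-default point. The snapshot below is constructed for the example; the baseline Administrators membership and the service names are assumptions, and on a real host the lists would be filled from `net localgroup`, the service control manager and a directory listing taken from the disk image before it is wiped.

```python
import fnmatch
from dataclasses import dataclass

# Indicators lifted from the compromise description earlier in the thread.
SUSPECT_SERVICES = {"detector", "telnet"}      # 'Detector' (likely Serv-U) and the started Telnet service
SUSPECT_ADMIN_USERS = {"default"}              # local user 'default' dropped into Administrators
SUSPECT_SYSTEM32_FILES = {
    "script.bat", "script80.bat", "bean.cab", "bean80.cab", "mschk.dll",
    "drive.exe", "drives.txt", "syswdrv.dll", "serv-u.ini",
}
SUSPECT_FILE_PATTERNS = ["tftp*"]              # drop files named like TFTP1568 / TFTP1872
# Expected Administrators membership as a build sheet would record it (constructed assumption).
BASELINE_ADMINS = {"administrator"}


@dataclass(frozen=True)
class Finding:
    severity: str    # "high" or "medium"
    category: str    # which kind of indicator fired
    detail: str


@dataclass
class HostSnapshot:
    services: list            # installed service names
    running: list             # currently running service names
    administrators: list      # members of the local Administrators group
    system32_files: list      # file names directly under %SystemRoot%\system32
    recycler_dirs: list       # directory names directly under RECYCLER
    outbound_policy: str      # "deny-by-default" or "allow-all"


def triage(snap: HostSnapshot) -> list:
    """Return one Finding per indicator from the thread that the snapshot exhibits."""
    findings = []

    # 1. Services: a rogue service name, or Telnet present when the build never enabled it.
    for name in snap.services:
        if name.lower() in SUSPECT_SERVICES:
            state = "running" if name in snap.running else "stopped"
            findings.append(Finding("high", "service", f"service '{name}' present ({state})"))

    # 2. Group membership drift: anyone in Administrators who is not on the baseline.
    for user in snap.administrators:
        if user.lower() not in BASELINE_ADMINS:
            sev = "high" if user.lower() in SUSPECT_ADMIN_USERS else "medium"
            findings.append(Finding(sev, "admin-group", f"unexpected Administrators member '{user}'"))

    # 3. Dropped files in system32, matched by exact name or by pattern.
    for fname in snap.system32_files:
        low = fname.lower()
        if low in SUSPECT_SYSTEM32_FILES or any(fnmatch.fnmatch(low, p) for p in SUSPECT_FILE_PATTERNS):
            findings.append(Finding("high", "file", f"suspect file in system32: {fname}"))

    # 4. RECYCLER normally holds one subdirectory per user SID (S-1-5-21-...); anything else was put there by hand.
    for d in snap.recycler_dirs:
        if not fnmatch.fnmatch(d.upper(), "S-1-*"):
            findings.append(Finding("high", "recycler", f"non-SID directory under RECYCLER: {d}"))

    # 5. Egress policy: outbound should be deny-by-default with explicit exceptions.
    if snap.outbound_policy != "deny-by-default":
        findings.append(Finding("medium", "egress",
                                f"outbound policy is '{snap.outbound_policy}', not deny-by-default"))

    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity so the report can lead with the worst items."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed snapshot mirroring the state described in the thread; not data from the real host.
SAMPLE = HostSnapshot(
    services=["W3SVC", "Detector", "Telnet"],
    running=["W3SVC", "Detector", "Telnet"],
    administrators=["Administrator", "default"],
    system32_files=["kernel32.dll", "script.bat", "mschk.dll", "TFTP1568", "notepad.exe"],
    recycler_dirs=["S-1-5-21-1234567890-1234567890-1234567890-500", "temp"],
    outbound_policy="allow-all",
)

if __name__ == "__main__":
    results = triage(SAMPLE)
    for f in results:
        print(f"[{f.severity}] {f.category}: {f.detail}")
    print(summarize(results))
```

Running it against the constructed snapshot reports seven high and one medium finding; a snapshot with only the baseline service, the baseline admin, SID-named recycler directories and a deny-by-default egress policy reports nothing. The point is the workflow John recommends: capture the evidence from the image first, record every indicator, and only then rebuild.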
    This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 15:14:03 PDT