Re: Patched IIS/frontpage host compromised 7-1-2003

From: Jeff Bollinger (jeff01at_private)
Date: Wed Jul 16 2003 - 06:23:01 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Difficult to say without seeing some traffic traces, but I didn't see
    below in your security settings where the unused ISAPI filters were
    disabled?  Obviously you'll need fpexedll.dll for Frontpage to work, but
    there are several other filters installed by default as well.
    
    http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=23817
    
    Note that it should still be possible to run the IIS Lockdown Tool even
    with Frontpage Extensions enabled.  I believe there is a setting in the
    tool that will allow the Extensions to function even though everything
    else is tightened.
    
    The rest of the details of your compromise are fairly common, and we've
    seen the same damage done in our test environment.
    
    Thanks,
    Jeff
    
    --
    Jeff Bollinger, CISSP
    University of North Carolina
    IT Security Analyst
    105 Abernethy Hall
    mailto: jeff @unc dot edu
    
    
    Johnson, April wrote:
    | I'm an exceptionally unhappy admin (and perhaps a little embarrassed as
    | well).  At this point I'm assuming it's impossible to adequately secure
    | IIS server with Frontpage extensions?
    |
    | What the server had:
    | -Patched to SP3 + updates (on 7/1 I hadn't fully deployed SP4 yet).
    | -Frontpage Extensions
    | -Visibility to the internet on ports 80 and 443
    | -Outbound access on all ports
    | -Norton Anti-virus with realtime protection and current definitions
    | -Non-admin users denied access to system folders
    | -RestrictAnonymous was set to 1
    | -Indexing service was not active
    | -IIS sample apps and MSADC/Scripts directories were not present
    | -Parentpaths were disabled
    |
    | What the server did NOT have:
    | -The POSIX subsystem was not removed
    | -The IIS lockdown tool was not run
    |
    |
    | Rootkit/compromise components I've found so far  (yes, I'm about to
    | format this box...)
    | -a service called 'Detector' that may be a "Serv-U" service
    | -a local user created named 'default' and placed in the Administrators
    | group
    | -scripts found in the system32 subdirectory called script.bat and
    | script80.bat
    | 	*extracts from a bean.cab (and bean80.cab) file
    | 	*it created mschk.dll
    | 	*copies up files called drive.exe, drives.txt and syswdrv.dll to
    | look for warez drive space
    | -special subdirectories hidden in the recycler
    |
    | Hidden in the Serv-U.ini file is a registration key, and a username
    | DeVilRiDer; Serv-U was configured with a "look" user, a "chameleon"
    | user, and a "leech" user (not NT accounts, but within the app).
    |
    | Two TFTP files, TFTP1568, TFTP 1872.
    |
    | Other changes:
    | The Telnet service was started (although not visible to the outside)
    |
    |
    | That's about it.
    | At this point, I'm now formatting the box.
    |
    | Thoughts?  Shall I give up on ever making a Frontpage Server visible to
    | the outside?  I don't have the same level of problems on my Apache
    | servers, although compromise is still possible.
    |
    | April Johnson (CISSP, CCNP, MCSE)
    | apjohnsonat_private*nospam*
    |
    | "Give a kid a fish, and he eats for a day.  Teach a kid to fish, and he
    | eats for a lifetime."
    |
    |
    |
    | ----------------------------------------------------------------------------
    | Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    | world's premier technical IT security event! 10 tracks, 15 training sessions,
    | 1,800 delegates from 30 nations including all of the top experts, from CSO's to
    | "underground" security specialists.  See for yourself what the buzz is about!
    | Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    | ----------------------------------------------------------------------------
    |
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
    
    iD4DBQE/FVG0voVlxVBmgsURArx9AJdC9Rv7FqAZ2mUOkHYyBe8T2Nl2AJ9gV/PD
    4FssadeYmoa1M8JlrTHNQw==
    =Ib8o
    -----END PGP SIGNATURE-----
    
    
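Jeff's point above is that a patched IIS 5 box still exposes every ISAPI application mapping it ships with, not just the ones the site uses. The following Python script is an added example, not code from either poster or from the IIS Lockdown Tool: it parses a ScriptMaps list in the metabase's own "extension,dll,flags,verbs" form, compares it against an allowlist of extensions the site actually needs, reports which mappings and which ISAPI DLLs can go, and flags mappings whose handler is invoked without the "check that file exists" flag (bit 4). The sample list is constructed and modelled on the IIS 5.0 defaults; it is not a dump from the compromised server, and the `adsutil.vbs` call mentioned in the comment is only a pointer to where a real list would come from.

```python
"""Audit an IIS 5 ScriptMaps list against an allowlist of extensions.

Each metabase entry has the form
    <ext>,<isapi dll>,<flags>[,<verb>,...]
where flags bit 1 = "script engine" and bit 4 = "check that file exists".
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

CHECK_FILE_EXISTS = 4  # flags bit: handler runs only if the mapped file is present

# Constructed sample modelled on the IIS 5.0 default application mappings.
# It is NOT a dump from the server discussed in the thread; take the real list
# from your own metabase (e.g. cscript adsutil.vbs GET W3SVC/ScriptMaps).
SAMPLE_SCRIPTMAPS = """\
.asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.cdx,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.cer,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST
.idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1,GET,POST
.shtm,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST
.shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST
.stm,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST
.ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST,TRACE
.idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST,TRACE
.printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST
"""


@dataclass(frozen=True)
class ScriptMap:
    ext: str
    dll: str
    flags: int
    verbs: Tuple[str, ...]

    @property
    def dll_name(self) -> str:
        # Last path component, lower-cased, so paths compare by DLL only.
        return self.dll.rsplit("\\", 1)[-1].lower()

    def to_metabase(self) -> str:
        # Re-serialise in the form adsutil/metabase expects.
        return ",".join([self.ext, self.dll, str(self.flags), *self.verbs])


def parse_scriptmaps(text: str) -> List[ScriptMap]:
    """Parse one ScriptMaps entry per line; blank lines and '#' comments are skipped."""
    maps: List[ScriptMap] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 3:
            raise ValueError(f"malformed ScriptMaps entry: {line!r}")
        ext, dll, flags = fields[0].lower(), fields[1], int(fields[2])
        maps.append(ScriptMap(ext, dll, flags, tuple(v.upper() for v in fields[3:])))
    return maps


def audit(maps: Iterable[ScriptMap], keep_exts: Iterable[str]) -> Tuple[List[ScriptMap], List[ScriptMap]]:
    """Split mappings into those on the allowlist and those to remove."""
    maps = list(maps)
    keep_set = {e.lower() for e in keep_exts}
    keep = [m for m in maps if m.ext in keep_set]
    remove = [m for m in maps if m.ext not in keep_set]
    return keep, remove


def unreferenced_dlls(maps: Iterable[ScriptMap], keep_exts: Iterable[str]) -> List[str]:
    """ISAPI DLLs no retained mapping uses, i.e. filters that can be unmapped entirely."""
    keep, remove = audit(maps, keep_exts)
    still_used = {m.dll_name for m in keep}
    return sorted({m.dll_name for m in remove} - still_used)


def missing_exists_check(maps: Iterable[ScriptMap]) -> List[str]:
    """Extensions whose handler runs even when the requested file does not exist."""
    return [m.ext for m in maps if not m.flags & CHECK_FILE_EXISTS]


def hardened_scriptmaps(text: str, keep_exts: Iterable[str]) -> List[str]:
    """The pared-down ScriptMaps list, ready to be written back to the metabase."""
    keep, _ = audit(parse_scriptmaps(text), keep_exts)
    return [m.to_metabase() for m in keep]


if __name__ == "__main__":
    allow = [".asp"]  # a plain ASP site; FrontPage itself needs no script mapping here
    maps = parse_scriptmaps(SAMPLE_SCRIPTMAPS)
    keep, remove = audit(maps, allow)
    print("remove mappings:", ", ".join(m.ext for m in remove))
    print("DLLs no longer referenced:", ", ".join(unreferenced_dlls(maps, allow)))
    print("retained handlers reachable without an existing file:",
          ", ".join(missing_exists_check(keep)))
    for entry in hardened_scriptmaps(SAMPLE_SCRIPTMAPS, allow):
        print("keep:", entry)
```

Run it against a real `ScriptMaps` dump instead of the sample and the "DLLs no longer referenced" line is the list of ISAPI handlers to unmap; anything left in the "reachable without an existing file" list is a handler an attacker can drive with a URL for a file that does not exist, which is worth a second look even for extensions you decide to keep.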
    



    This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 15:22:46 PDT