RE: Patched IIS/frontpage host compromised 7-1-2003

From: Johnson, April (apjohnsonat_private)
Date: Wed Jul 16 2003 - 08:45:01 PDT


    *chuckles*  Yeah... Like I said - I'm also an embarrassed admin - but I'm
    willing to own up to a problem, and do what I can to make sure it
    doesn't happen again.
    
    Ok - to summarize the questions so far - I did format the box, but I
    made a ghost image of the beast before I did so.  When I get a chance -
    I'll probably rebuild it in an isolated lab where I can watch it more
    carefully.   The web pages are being reposted to an Apache server that I
    don't have trouble with.  Until I know what caused the problem, NO IIS
    boxes with Frontpage installed are going back on my network.  
    
    My difficulties lie with the logs - my IIS logs were deleted, making it
    a bit more difficult to track precisely how it occurred.  I do have a
    record of the account creation and group modifications in my security
    logs.  Granted, I should perhaps archive my IIS logs out, so the only
    copy isn't sitting on the compromised host, but I'm not perfect, and
    I'll wager many of you don't archive out your IIS logs either (those
    that have them anyway).
    
    What I neglected to mention was that I have two other IIS boxes with the
    same configuration sans the Frontpage extensions, that did not show the
    same problems (irregular services installed, additional admin user IDs
    and missing log files).  Thus my suspicion of Frontpage extensions.
    
    Per other questions:
    
    -Root.exe was not installed
    -The ONLY ports open to the box were 80 and 443 inbound.
    -I believe I was running version 1.3 of the extensions (I could never
    find 1.4, although I found mention of them).
    -I did have all the hotfixes and patches applied through June 15th.  I
    run patch updates on a monthly schedule after I evaluate possible side
    effects on pilot boxes.
    -I do have a checklist that includes IISlockdown - but I didn't have
    enough experience with frontpage to quickly tune the urlscan function.
    I left it for later.  Being lazy probably bit me in the backside.
    -Per removing the script maps - I'm not 100% sure if I got them all -
    I'll verify when I bring the ghost image back up in the lab.
    -I caught it in my monthly *.bat file scan that I do on all my exposed
    servers.  Maybe it should be more than monthly.
    
    What I was hoping was that someone out there had experience with a
    Frontpage exploit - and could perhaps tell me what I missed.  Gut feel -
    there's a buffer overflow exploit in there somewhere (since I didn't
    have URLscan running).
    
    Thanks,
    -April
    
    
    -----Original Message-----
    From: Johnson, April 
    Sent: Tuesday, July 15, 2003 2:28 PM
    To: incidentsat_private
    Subject: Patched IIS/frontpage host compromised 7-1-2003
    
    
    I'm an exceptionally unhappy admin (and perhaps a little embarrassed as
    well).  At this point I'm assuming it's impossible to adequately secure
    IIS server with Frontpage extensions?
    
    What the server had:
    -Patched to SP3 + updates (on 7/1 I hadn't fully deployed SP4 yet).
    -Frontpage Extensions
    -Visibility to the internet on ports 80 and 443
    -Outbound access on all ports
    -Norton Anti-virus with realtime protection and current definitions
    -Non-admin users denied access to system folders
    -RestrictAnonymous was set to 1
    -Indexing service was not active
    -IIS sample apps and MSADC/Scripts directories were not present
    -Parentpaths were disabled
    
    What the server did NOT have:
    -The POSIX subsystem was not removed
    -The IIS lockdown tool was not run
    
    
    Rootkit/compromise components I've found so far  (yes, I'm about to
    format this box...)
    -a service called 'Detector' that may be a "Serv-U" service
    -a local user created named 'default' and placed in the Administrators
    group
    -scripts found in the system32 subdirectory called script.bat and
    script80.bat
    	*extracts from a bean.cab (and bean80.cab) file
    	*it created mschk.dll
    	*copies up files called drive.exe, drives.txt and syswdrv.dll to
    look for warez drive space
    -special subdirectories hidden in the recycler
    
    Hidden in the Serv-U.ini file is a registration key, and a username
    DeVilRiDer; Serv-U was configured with a "look" user, a "chameleon"
    user, and a "leech" user (not NT accounts, but within the app).
    
    Two TFTP files, TFTP1568, TFTP 1872.
    
    Other changes:
    The Telnet service was started (although not visible to the outside)
    
    
    That's about it.  
    At this point, I'm now formatting the box.
    
    Thoughts?  Shall I give up on ever making a Frontpage Server visible to
    the outside?  I don't have the same level of problems on my Apache
    servers, although compromise is still possible.
    
    April Johnson (CISSP, CCNP, MCSE)
    apjohnsonat_private*nospam*
    
    "Give a kid a fish, and he eats for a day.  Teach a kid to fish, and he
    eats for a lifetime."
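    The reply above names three housekeeping gaps: IIS logs that existed only on the compromised host, a manual monthly scan of system32 for stray *.bat files, and the Security log as the surviving record of account creation and group changes. The following PowerShell script is an added example, not code from this thread or from any of the posters; it shows how a defender might schedule those three checks on a current Windows host. The IIS log path, the off-host share, the baseline file location and the lookback window are assumptions for illustration; the Security event IDs are the modern (Vista and later) equivalents of the Windows 2000/2003 IDs noted in the comments.

```powershell
# Added example (not from the original thread): a scheduled baseline check for an
# exposed Windows web host, covering the three gaps described in the reply:
#  1. copy recent IIS logs off the host with a hash manifest, so the only copy
#     is not sitting on the server that may be compromised,
#  2. inventory scripts/executables in System32 against a stored baseline
#     (a scheduled version of the manual *.bat scan), and
#  3. pull recent account-creation and group-membership events from the Security log.
# All paths and the share name below are assumptions for illustration.

param(
    [string]$IisLogRoot   = 'C:\inetpub\logs\LogFiles',     # assumed IIS log location
    [string]$ArchiveShare = '\\logvault\iislogs',            # assumed off-host share
    [string]$BaselinePath = 'C:\Baseline\system32-files.csv', # assumed baseline file
    [int]$LookbackDays    = 1
)

$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'

# --- 1. Archive IIS logs off-host and record SHA-256 hashes for each copied file ---
$dest = Join-Path $ArchiveShare "$hostName\$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$LookbackDays) } |
    ForEach-Object {
        Copy-Item -Path $_.FullName -Destination $dest
        [pscustomobject]@{
            File   = $_.FullName
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

# --- 2. Compare System32 scripts and executables against a known-good baseline ---
$current = Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include '*.bat','*.cmd','*.exe' -File |
    ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline. Review it by hand before trusting it.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Warning "No baseline found; wrote initial baseline to $BaselinePath"
} else {
    $baseline = Import-Csv -Path $BaselinePath
    # '=>' marks entries present now but absent (or with a different hash) in the baseline
    $added = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name,SHA256 |
        Where-Object SideIndicator -eq '=>'
    foreach ($entry in $added) {
        Write-Warning "New or modified file in System32: $($entry.Name) $($entry.SHA256)"
    }
}

# --- 3. Account creation and group-membership changes from the Security log ---
# 4720 = user account created; 4728 / 4732 = member added to a global / local
# security group (on Windows 2000/2003 the equivalents were 624 and 632 / 636).
$since = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720,4728,4732; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

    Run it from a scheduled task under an account that can read the Security log and write to the archive share; the point of the share is that an intruder who deletes the local IIS logs, as happened here, does not also erase the archived copies and their hash manifest. The first run writes the System32 baseline rather than comparing against one, so inspect that CSV before relying on later diffs.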
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 15:52:51 PDT