
iis security : New exploit?


google NO[at]SPAM gamestah.com
5/31/2004 2:46:35 AM
Recently one of my IIS boxes got rooted - all active sites were
defaced and more importantly the hackers managed to get access to some
databases which reside above the websites' roots (e.g. the website root is at
c:\web\html, and the db resides in c:\web\data).

In the logs, the following info appears:
cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes
cs-bytes time-taken
GET /database.mdb - 200 64 2679028 425 248891
GET /Default.htm - 200 0 360 362 0
GET /database.mdb - 206 0 4827107 484 530766

None of the above files existed; then they suddenly appeared there.

Win2k SP4, IIS5, urlscan is installed, directory browsing is turned
off, no write permissions to the directories... Some sites have ssl
on.

Roger Abell [MVP]
5/31/2004 7:19:18 AM

Well, you did say W2k SP4, but you said nothing about how
current you are on post-SP4 patching.
That is the first idea.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4

Bernard
5/31/2004 6:30:29 PM
Well, it looks like the mdb is at your root path - c:\web\html\
Not sure how it got there, but it is there!

You can configure urlscan to filter the .mdb extension. This will prevent direct
requests to the file.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/




Ken Schaefer
5/31/2004 11:06:59 PM
When your sites were defaced, the attacker must have had access to
something that allowed manipulation of the physical file system (else, how
could they have overwritten your webpages?). They may have used this access
to:
a) read your connection strings
b) determine where your databases were stored
c) copy those databases into your website's folders
d) request the files (thus allowing them to download the databases)

As Bernard says, you can use URLScan.ini to filter out these requests;
*however*, if they have sufficient privileges to the system via their hack,
they may be able to alter the urlscan.ini file to remove this block.

Cheers
Ken

: Can anyone shed some light on what might have happened?
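Both pieces of advice in this thread (Bernard's URLScan filter on .mdb, and Ken's reconstruction of copy-the-database-into-the-webroot-then-download-it) can be checked against what the server actually logged. What follows is an added example, not code from this thread, from Microsoft or from URLScan: a Python script that parses IIS W3C extended log entries of the shape quoted above, flags every 2xx response for a database or configuration extension (a 206 is a partial-content response, i.e. a ranged or resumed download, which is why the same file shows up twice with different byte counts), and then reads a URLScan.ini fragment to report whether a given extension is actually denied. The #Fields header, the SAMPLE_LOG and SAMPLE_URLSCAN_INI strings, and the SENSITIVE_EXTENSIONS set are constructed for the example; the log entries themselves are the ones the original poster quoted.

```python
from configparser import ConfigParser

# Constructed sample: an IIS 5 W3C extended log excerpt. The #Fields line is
# assumed; the three entries are the ones quoted in the original post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
GET /database.mdb - 200 64 2679028 425 248891
GET /Default.htm - 200 0 360 362 0
GET /database.mdb - 206 0 4827107 484 530766
"""

# Constructed sample URLScan.ini fragment that does NOT yet deny .mdb.
SAMPLE_URLSCAN_INI = """\
[Options]
UseAllowExtensions=0
[DenyExtensions]
.exe
.bat
"""

# File types that should never be served straight out of a web root
# (constructed list for the example; extend to suit the server).
SENSITIVE_EXTENSIONS = {".mdb", ".ini", ".config", ".bak"}


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log entry before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def find_data_file_downloads(text, extensions=SENSITIVE_EXTENSIONS):
    """Return every entry where a sensitive file was actually served (2xx).

    A 206 means a byte range was served, i.e. the client was resuming or
    chunking a download, which is typical for a multi-megabyte .mdb.
    """
    hits = []
    for entry in parse_w3c(text):
        stem = entry["cs-uri-stem"].lower()
        ext = stem[stem.rfind("."):] if "." in stem else ""
        status = int(entry["sc-status"])
        if ext in extensions and 200 <= status < 300:
            hits.append({
                "uri": entry["cs-uri-stem"],
                "status": status,
                "bytes": int(entry["sc-bytes"]),
                "partial": status == 206,
            })
    return hits


def urlscan_denies(ini_text, ext):
    """True if a URLScan.ini fragment would reject requests for `ext`.

    URLScan lists bare extensions as keys without values, so the parser is
    told to allow that. UseAllowExtensions=1 flips the file to allow-list
    mode, in which anything not under [AllowExtensions] is denied.
    """
    cp = ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(ini_text)
    ext = ext.lower()
    if cp.get("Options", "UseAllowExtensions", fallback="0").strip() == "1":
        if not cp.has_section("AllowExtensions"):
            return True
        return ext not in cp.options("AllowExtensions")
    return cp.has_section("DenyExtensions") and ext in cp.options("DenyExtensions")


if __name__ == "__main__":
    for hit in find_data_file_downloads(SAMPLE_LOG):
        kind = "partial" if hit["partial"] else "full"
        print("%s served %s: %d bytes" % (hit["uri"], kind, hit["bytes"]))
    print(".mdb denied by URLScan.ini:", urlscan_denies(SAMPLE_URLSCAN_INI, ".mdb"))
```

Run it against the real files instead of the constructed strings: on IIS 5 the site logs default to %SystemRoot%\System32\LogFiles\W3SVC1\ and URLScan.ini to %SystemRoot%\System32\Inetsrv\urlscan\. Ken's caveat still applies: a denied extension in URLScan.ini only helps while the attacker cannot edit that file, so its ACL and any change to it are worth watching alongside the request log.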
