
iis security : help: site hacked


Hernán_Castelo
6/28/2004 11:03:54 AM
hi
someone has hacked my site
I have 2 servers:
web--> IIS 5 / w2k adv Srv IIS lockdown
sql--> SQL2k / w2k adv Srv

I found the web srv doing "beeps"
soon I found it serves html pages
but doesn't serve asp, with an error like
"Error in the server application"

sql srv lost sa password
and doesn't recognize the local admin
so I can't access the sql applications

except for that,
the servers appear to work normally

the web srv log is saying
that the iwam_ was attacked
and many "login misses" under DCOMSCM
and then, "login hits"

I am going now to restore
my backup and images
but
what can I do to prevent the next attack?
how can I better protect the site?

thanks


--
regards,
Hernán_Castelo
6/28/2004 3:26:26 PM
I deployed
the "best practices"
according to MS
but it was not enough

what should I do now?

how can I secure the web server now?



--
regards,
Hernán

"Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message news:%23GBjOhRXEHA.2636@TK2MSFTNGP10.phx.gbl...
jeff.nospam NO[at]SPAM zina.com
6/28/2004 3:59:58 PM
On Mon, 28 Jun 2004 11:03:54 -0300, Hernán Castelo

See:

http://securityadmin.info/faq.asp#iis

Hernán Castelo
6/29/2004 10:36:16 AM
IS THERE any way to determine
what kind of attack i received ???

thanks

--
regards,
Hernán Castelo
SGA - UTN - FRBA

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:40ec404c.270247315@msnews.microsoft.com...