| Groups | Blog | Home |
iis security : Site Hacked
Seemed like there are some WEBDAV holes that allowed for this to happen.
To get arround it, go into IIS manager and for the site in question, make default.asp the only default content page. (provided of course default.asp is your home pages in your directories). [quoted text, click to view] "Andrea" <noreply@nospam.net> wrote in message news:YAd7i.11733$nT2.1673@tornado.fastwebnet.it... > Hi, > some haker has hakered my site in my windows 2003 std with IIS. > The haker has copy 5 pages in each folder of my IIS sites. > The files are: > default.htm > default.html > index.asp > index.html > index.php > > I've a hardware firewall that's protects my server (SonicWALL PRO with > IPS) > Only the port TCP/80 is open. > > What can I do? > Where is my "hole"? > > thanks >
Was the machine fully up-to-date on patches from MS ?
What third-party things are installed (php, coldfusion, perl, etc) ? Did you have the Front Page server extensions installed ? Or did you perhaps have RCP over HTTP enabled ? What other machines are on your network within the SonicWall bounded area ? Are they fully healthy (and patched) and what access do those have expose to the outside ? [quoted text, click to view] "Andrea" <noreply@nospam.net> wrote in message news:F3g7i.12070$nT2.889@tornado.fastwebnet.it... > Hi, > I've think about this.... but the webdav protocol is not installed > !!!!!!!!!!!!!!!!!!!!!!! > > to get around I've changed the default web pages using random names. > > but it's not a "nice" ways... I wanna know where is the bug! > > > > "ace_away" <ace@away.com> wrote in message > news:%23YhkoZsoHHA.5008@TK2MSFTNGP05.phx.gbl... >> Seemed like there are some WEBDAV holes that allowed for this to happen. >> >> To get arround it, go into IIS manager and for the site in question, make >> default.asp the only default content page. (provided of course >> default.asp is your home pages in your directories). >> >> >> >> "Andrea" <noreply@nospam.net> wrote in message >> news:YAd7i.11733$nT2.1673@tornado.fastwebnet.it... >>> Hi, >>> some haker has hakered my site in my windows 2003 std with IIS. >>> The haker has copy 5 pages in each folder of my IIS sites. >>> The files are: >>> default.htm >>> default.html >>> index.asp >>> index.html >>> index.php >>> >>> I've a hardware firewall that's protects my server (SonicWALL PRO with >>> IPS) >>> Only the port TCP/80 is open. >>> >>> What can I do? >>> Where is my "hole"? >>> >>> thanks >>> >> >> > >
Hi,
some haker has hakered my site in my windows 2003 std with IIS. The haker has copy 5 pages in each folder of my IIS sites. The files are: default.htm default.html index.asp index.html index.php I've a hardware firewall that's protects my server (SonicWALL PRO with IPS) Only the port TCP/80 is open. What can I do? Where is my "hole"? thanks
Hi,
I've think about this.... but the webdav protocol is not installed !!!!!!!!!!!!!!!!!!!!!!! to get around I've changed the default web pages using random names. but it's not a "nice" ways... I wanna know where is the bug! [quoted text, click to view] "ace_away" <ace@away.com> wrote in message news:%23YhkoZsoHHA.5008@TK2MSFTNGP05.phx.gbl... > Seemed like there are some WEBDAV holes that allowed for this to happen. > > To get arround it, go into IIS manager and for the site in question, make > default.asp the only default content page. (provided of course default.asp > is your home pages in your directories). > > > > "Andrea" <noreply@nospam.net> wrote in message > news:YAd7i.11733$nT2.1673@tornado.fastwebnet.it... >> Hi, >> some haker has hakered my site in my windows 2003 std with IIS. >> The haker has copy 5 pages in each folder of my IIS sites. >> The files are: >> default.htm >> default.html >> index.asp >> index.html >> index.php >> >> I've a hardware firewall that's protects my server (SonicWALL PRO with >> IPS) >> Only the port TCP/80 is open. >> >> What can I do? >> Where is my "hole"? >> >> thanks >> > >
[quoted text, click to view] "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:OQeZrCtoHHA.248@TK2MSFTNGP04.phx.gbl... > Was the machine fully up-to-date on patches from MS ? YESSS > What third-party things are installed (php, coldfusion, perl, etc) ? PHP > Did you have the Front Page server extensions installed ? NO > Or did you perhaps have RCP over HTTP enabled ? NO > What other machines are on your network within the SonicWall > bounded area ? 4 SERVERS ALL PACHED Are they fully healthy (and patched) and what > access do those have expose to the outside ? ALL PORT 80/TCP EXCEPT FOR > ONE THAT HAS THE 25-110-143 AND ANOTHER ONE THAT HAS 21 FOR FTP. > > "Andrea" <noreply@nospam.net> wrote in message > news:F3g7i.12070$nT2.889@tornado.fastwebnet.it... >> Hi, >> I've think about this.... but the webdav protocol is not installed >> !!!!!!!!!!!!!!!!!!!!!!! >> >> to get around I've changed the default web pages using random names. >> >> but it's not a "nice" ways... I wanna know where is the bug! >> >> >> >> "ace_away" <ace@away.com> wrote in message >> news:%23YhkoZsoHHA.5008@TK2MSFTNGP05.phx.gbl... >>> Seemed like there are some WEBDAV holes that allowed for this to happen. >>> >>> To get arround it, go into IIS manager and for the site in question, >>> make default.asp the only default content page. (provided of course >>> default.asp is your home pages in your directories). >>> >>> >>> >>> "Andrea" <noreply@nospam.net> wrote in message >>> news:YAd7i.11733$nT2.1673@tornado.fastwebnet.it... >>>> Hi, >>>> some haker has hakered my site in my windows 2003 std with IIS. >>>> The haker has copy 5 pages in each folder of my IIS sites. >>>> The files are: >>>> default.htm >>>> default.html >>>> index.asp >>>> index.html >>>> index.php >>>> >>>> I've a hardware firewall that's protects my server (SonicWALL PRO with >>>> IPS) >>>> Only the port TCP/80 is open. >>>> >>>> What can I do? >>>> Where is my "hole"? >>>> >>>> thanks >>>> >>> >>> >> >> > >
The php is updated?
You might have an application level flaw in the serverside conent. [quoted text, click to view] "Andrea" <noreply@nospam.net> wrote in message news:bRt7i.12791$nT2.9663@tornado.fastwebnet.it... > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message > news:OQeZrCtoHHA.248@TK2MSFTNGP04.phx.gbl... >> Was the machine fully up-to-date on patches from MS ? YESSS >> What third-party things are installed (php, coldfusion, perl, etc) ? >> PHP >> Did you have the Front Page server extensions installed ? NO >> Or did you perhaps have RCP over HTTP enabled ? NO >> What other machines are on your network within the SonicWall >> bounded area ? 4 SERVERS ALL PACHED > Are they fully healthy (and patched) and what >> access do those have expose to the outside ? ALL PORT 80/TCP EXCEPT FOR >> ONE THAT HAS THE 25-110-143 AND ANOTHER ONE THAT HAS 21 FOR FTP. >> >> "Andrea" <noreply@nospam.net> wrote in message >> news:F3g7i.12070$nT2.889@tornado.fastwebnet.it... >>> Hi, >>> I've think about this.... but the webdav protocol is not installed >>> !!!!!!!!!!!!!!!!!!!!!!! >>> >>> to get around I've changed the default web pages using random names. >>> >>> but it's not a "nice" ways... I wanna know where is the bug! >>> >>> >>> >>> "ace_away" <ace@away.com> wrote in message >>> news:%23YhkoZsoHHA.5008@TK2MSFTNGP05.phx.gbl... >>>> Seemed like there are some WEBDAV holes that allowed for this to >>>> happen. >>>> >>>> To get arround it, go into IIS manager and for the site in question, >>>> make default.asp the only default content page. (provided of course >>>> default.asp is your home pages in your directories). >>>> >>>> >>>> >>>> "Andrea" <noreply@nospam.net> wrote in message >>>> news:YAd7i.11733$nT2.1673@tornado.fastwebnet.it... >>>>> Hi, >>>>> some haker has hakered my site in my windows 2003 std with IIS. >>>>> The haker has copy 5 pages in each folder of my IIS sites. >>>>> The files are: >>>>> default.htm >>>>> default.html >>>>> index.asp >>>>> index.html >>>>> index.php >>>>> >>>>> I've a hardware firewall that's protects my server (SonicWALL PRO with >>>>> IPS) >>>>> Only the port TCP/80 is open. >>>>> >>>>> What can I do? >>>>> Where is my "hole"? >>>>> >>>>> thanks >>>>> >>>> >>>> >>> >>> >> >> > >
PHP IS 4.4.4
I've read in the bugs solved by the 4.4.7 but nothing seems important for my case..... [quoted text, click to view] "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:%23FY4Y5NpHHA.3968@TK2MSFTNGP06.phx.gbl... > The php is updated? > You might have an application level flaw in the serverside conent. > > "Andrea" <noreply@nospam.net> wrote in message > news:bRt7i.12791$nT2.9663@tornado.fastwebnet.it... >> >> >> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message >> news:OQeZrCtoHHA.248@TK2MSFTNGP04.phx.gbl... >>> Was the machine fully up-to-date on patches from MS ? YESSS >>> What third-party things are installed (php, coldfusion, perl, etc) ? PHP >>> Did you have the Front Page server extensions installed ? NO >>> Or did you perhaps have RCP over HTTP enabled ? NO >>> What other machines are on your network within the SonicWall >>> bounded area ? 4 SERVERS ALL PACHED >> Are they fully healthy (and patched) and what >>> access do those have expose to the outside ? ALL PORT 80/TCP EXCEPT FOR >>> ONE THAT HAS THE 25-110-143 AND ANOTHER ONE THAT HAS 21 FOR FTP. >>> >>> "Andrea" <noreply@nospam.net> wrote in message >>> news:F3g7i.12070$nT2.889@tornado.fastwebnet.it... >>>> Hi, >>>> I've think about this.... but the webdav protocol is not installed >>>> !!!!!!!!!!!!!!!!!!!!!!! >>>> >>>> to get around I've changed the default web pages using random names. >>>> >>>> but it's not a "nice" ways... I wanna know where is the bug! >>>> >>>> >>>> >>>> "ace_away" <ace@away.com> wrote in message >>>> news:%23YhkoZsoHHA.5008@TK2MSFTNGP05.phx.gbl... >>>>> Seemed like there are some WEBDAV holes that allowed for this to >>>>> happen. >>>>> >>>>> To get arround it, go into IIS manager and for the site in question, >>>>> make default.asp the only default content page. (provided of course >>>>> default.asp is your home pages in your directories). >>>>> >>>>> >>>>> >>>>> "Andrea" <noreply@nospam.net> wrote in message >>>>> news:YAd7i.11733$nT2.1673@tornado.fastwebnet.it... >>>>>> Hi, >>>>>> some haker has hakered my site in my windows 2003 std with IIS. >>>>>> The haker has copy 5 pages in each folder of my IIS sites. >>>>>> The files are: >>>>>> default.htm >>>>>> default.html >>>>>> index.asp >>>>>> index.html >>>>>> index.php >>>>>> >>>>>> I've a hardware firewall that's protects my server (SonicWALL PRO >>>>>> with IPS) >>>>>> Only the port TCP/80 is open. >>>>>> >>>>>> What can I do? >>>>>> Where is my "hole"? >>>>>> >>>>>> thanks >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> >> >> > >
Andrea wrote on Sat, 2 Jun 2007 16:27:03 +0200:
[quoted text, click to view] > PHP IS 4.4.4 > > I've read in the bugs solved by the 4.4.7 but nothing seems important for > my case..... http://www.php.net/releases/4_4_7.php Are you saying that you consider none of those security fixes are important? Dan
Absolutely not!
what I say is that I don't see anything that could be related to my iusse! [quoted text, click to view] "Daniel Crichton" <msnews@worldofspack.com> wrote in message news:us1JUsrpHHA.3968@TK2MSFTNGP06.phx.gbl... > Andrea wrote on Sat, 2 Jun 2007 16:27:03 +0200: > >> PHP IS 4.4.4 >> >> I've read in the bugs solved by the 4.4.7 but nothing seems important for >> my case..... > > http://www.php.net/releases/4_4_7.php > > Are you saying that you consider none of those security fixes are > important? > > Dan >
Andrea wrote on Mon, 4 Jun 2007 22:01:45 +0200:
[quoted text, click to view] > Absolutely not! > what I say is that I don't see anything that could be related to my iusse! Injection or overflow vulnerabilities could be used to cause code to run on your server that you did not intend, so that covers a few of those fixes. The 3rd fix on the list covers a way to override the register_globals setting - this can be bad in that global variables can be overwritten using querystring or post values. However, while these are possibilities, I'd be more suspicious of the actual PHP code you have on the server. I myself was subject to a file replacement attack on my Debian/Apache2/PHP5 server recently due a flaw in phpBB2 combined with allowing remote file opening (where URLs could be opened as if they were local files, which I was using to pull data from some other servers) which allowed the attacker to load a remote file as local PHP code which then let them overwrite the config.php file for PHP-Nuke on my server. This is an application flaw, and no amount of security patches will stop something like this - the fix was to correct the phpBB2 code so that it didn't allow the path variable it was using to be overwritten from POST data, and I dumped the blocks that grabbed remote data (they were only a test anyway) and so was able to turn off the option in PHP to pull remote files. Dan
And the most nice is this one: "Fixed a remotely trigger-able buffer
overflow inside bundled libxmlrpc library" :) -- Yours faithfully, Vadim Maksimenko. [quoted text, click to view] "Daniel Crichton" <msnews@worldofspack.com> wrote in message
news:us1JUsrpHHA.3968@TK2MSFTNGP06.phx.gbl... > Andrea wrote on Sat, 2 Jun 2007 16:27:03 +0200: > >> PHP IS 4.4.4 >> >> I've read in the bugs solved by the 4.4.7 but nothing seems important for >> my case..... > > http://www.php.net/releases/4_4_7.php > > Are you saying that you consider none of those security fixes are > important? > > Dan > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |