chinese hackers got to my webserver
I went to edit some files on my personal webserver (IIS5) and discovered 4 new files added 5/6/2001 3:20pm (5 hours ago) to every single subdirectory of my root directory (C:\Inetpub\) ... the 4 files are default.htm, default.asp, index.asp, index.htm...
While this did no damage to my existing data (I use ColdFusion - index.cfm matters and nothing else)... what worries should I have as a result of this, considering they were able to upload those 4 files? I'm sure this is some security risk for IIS. I have port 80 always open since I am running this webserver.
I thought it was funny at first because the damage was little, but thinking about the fact that they were able to get into here successfully through my Linksys firewall (with the exception of port 80)... it has me a bit worried about other security risks thru IIS and having this webserver on 24/7.
The other funny thing is that I am chinese myself and to think they got me too... **** chinese hackers. Oh you can see a sample of their handiwork at http://members.nbci.com/_XMCM/rh71el2/temp/hacked.htm *****NOTE**** Profanity on the hack page******** -Mntsnow ... a sample file I copied to my NBCi.com account.
[This message has been edited by Mntsnow (edited 05-06-2001).]
1Old Fart
05-06-2001, 08:52 PM
http://news.cnet.com/news/0-1003-200-5812964.html?tag=owv see if that IIS 5 security hole will affect you.......
Mntsnow
05-06-2001, 09:18 PM
The vulnerability affects only servers that have Internet printing turned on, the default setting with the software.
Time to check your patches
Mntsnow
05-06-2001, 09:20 PM
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321
Were you running NTFS on your C drive? If so, did you restrict permissions to the IIS folders?
Oh...you should disable the telnet service also.
That's probably how they got in.
well, what I did, since it didn't indicate (on the day it was released) that it was for WIN2k PRO... was use their alternate way of patching which was removing some entry in the website properties... something about printing... this was done the night of May 1.
If M$ had indicated specifically that WIN2k PRO was one of those OSs affected, I would have simply downloaded and ran the patch provided. I wasn't going to install something that wasn't for my specific OS, even though they are similar. That technet webpage has since been updated to include WIN2k Pro... why it wasn't since day 1 is beyond my comprehension.
So in effect, yes, as of May 1, 2001, I believe I was patched... is this specifically the vulnerability they exploited to get into my machine today?
About Telnet... I don't think they're able to get in that way unless I have port 23 open, correct? I'm running the Linksys firewall/router which closes every port but 80 because of the webserver. Oh, the C: partition is FAT32.
Bovon
05-06-2001, 10:41 PM
I got a question, dumb as it may be, I would like to know.
How is a website hacked?..
I have a couple of the homepage types, and I'm reasonably sure nobody would waste their time hacking into these...but, I also maintain a site for a county, and durn it, somebody gave me fits last year. It was just a joke, I'm sure...somebody trying to tell me something...what, I'm not sure.
Here is what happened. I added a link to some data that was needed at this site. The next day, the link was gone...I said to myself, wth is going on here, I rechecked the page I had uploaded, and the link was there...so, I uploaded it again...in two hours, it was gone again! I thought I was losing my mind. I uploaded the page again, and two hours...gone again. This time, I uploaded the page...stuck with it and refreshed my browser every 5 minutes or so, and in about 1:40 minutes...it was replaced. I gave up for a few days...uploaded the page again, and it's still there. Somebody was playing with me...but, how in the devil did they get past the password and user name? I can't change that on the county's site like I could with my sites...
Any clues?...
There's a lot of ways. It's not hard to monitor someone for clear text passwords, such as if you were connecting from the internet to log into the server.
Sometimes, people use simpleshare passwords instead of file system security, which would require either NTFS or a 3rd party program ( if using Win9x )
It's my belief that anyone running a webserver should use NTFS...you can totally control who has access even if they think they can get to the server.
About the linksys...are you sure the manufacturer did not put in a back door to get into the router in case you screw it up and can't reset it? It's been known to happen to a lot of hardware routers, as they were not designed with firewall as an important feature...because it is a consumer grade device. Real hardware firewalls cost bucks...and a simple home user ain't gonna get it for free.
SoopaStar
05-07-2001, 09:02 AM
I would imagine if you scanned all 65,000 ports (or whatever the actual number is) there would be some kinda hole somewhere.
Paul
wyvrn
05-07-2001, 11:05 AM
How do you know it was Chinese that hacked you? Unless you are absolutely sure, I don't think you should accuse a group of people.
did you see the sample page I posted? the group it refers to makes it quite evident. that is, unless another group is taking the trouble to "frame" the chinese hacker group. Either way, that's not the point of my post. thanks for your concern.
All I'm saying is don't believe everything you read about a piece of equipment that cost less than $200 and is supposed to be a router with built in hardware firewall...there are ways into it you wouldn't know of.
Like one with the 3COM, all you have to do is connect a direct serial cable and press your keyboard's escape key on power up to reset it...that's all...but that's not the only way in.
Marc04
05-07-2001, 04:34 PM
Here is a little utility to check to make sure your system has the correct updates. http://grc.com/pw/patchwork.htm
No Limit
05-08-2001, 12:24 AM
This is a little off topic, but I've been thinking about setting up a server in the future. It seems that Windows has more vulnerabilities to exploit than *nix. Is it safer to go with a *nix server (with *nix being a general term for all Unix variations) than say WIN2K Advanced Server?
GroundZero3
05-08-2001, 12:28 AM
hey bba, if I'm not mistaken, with the linksys router if he locks himself out the only way is to reset the router by pressing a button for 5 seconds. That resets everything to default.
Jason
yup, for what it's worth... the linksys locks down all ports by default. This includes all 1-65000 something of them. My only open port was 80 and nothing else.
I took a closer look and they were able to upload those 4 files into my C:\ directory, then everything sub to C:\Inetpub ... not inclusive of other directories like C:\WINNT, C:\temp, etc.
Very very strange... seems they had full access as the MS Technet article explains.
[This message has been edited by rh71 (edited 05-07-2001).]
Thanks for patchwork. I've been meaning to scan my system for trojans afterward. While it may not get every trojan in existence, it gives me some peace of mind after what happened.
alapeter
05-08-2001, 10:10 AM
If I were you I would download a portscanner, dial out to the internet from a different machine with a modem rather than your broadband connection and scan the internet side of that router. Scan all 65K ports to see if there are any open. I have seen the linksys brand of router leave ports open; this was fixed with a firmware upgrade for the router. I would also look into intrusion detection software to track any attempts that are made on your server. This will help you track attempts to get into your server in the future.
My friend at work just told me about hacking into Linksys routers...it's not hard at all...the thing is almost wide open from the internet. You need to do any firmware upgrades out and set up NTFS on your server.
BTW: The Bloomberg TV news showed a guy who thought he was hacked by Chinese people...turns out the 'Chinese' stuff on his web page...well when translated by a pro translator was something like "bog bycicle fly go went spoon tomato cat" etc...clearly indicating it was done by jokesters trying to perpetrate a perceived Chinese threat that is really nonexistent.
Yeah, if you have my IP, you can start attacking it obviously. The question is why would a hacker bother to attack a little guy like me running on a 24.x.x.x cable modem address (not even 24/7) when they could use their skill to do something for profit and such?
In short, why would they bother? While I'd like to believe what you're saying about the Linksys' vulnerabilities, I'll believe it when you can explain to me how to hack into it. Linksys hasn't released any new firmware since Dec. 2000. Aside from these IIS5 problems, I'm feeling pretty comfortable with my setup now. Do you have any idea how many vulnerabilities there are with Apache/Tomcat? Ouch.
About pointing the finger at the wrong people, the reference to PoizonBox just about gives it away. They want you to know who they are so they can get the "last laugh"... it was USA vs. China and PoizonBox IS the US. Would someone from the US want to do this sort of thing and curse at its own group? I don't think so. Could it be someone besides the US/China?... I don't think anyone else cares.
Appreciate the thoughts though.
[This message has been edited by rh71 (edited 05-09-2001).]
DVNT1
05-10-2001, 04:34 AM
I have a W2K IIS5 server at home that was hit with the same exact html page. Those new html pages were placed in three locations.
You (and I) were probably hit by SADMIND/IIS. It's a worm that targets Sun Solaris OS servers. Once it has a Sun server it scans specified IP ranges looking for IIS servers with the 7-month-old directory traversal vulnerability ( http://www.microsoft.com/technet/security/bulletin/MS00-078.asp ). In my case I recently added the FTP service to IIS but didn't re-apply all the service packs and hot fixes so I was at risk again.
Generally a router or firewall won't stop attacks like this. These are problems with the IIS web server correctly handling data on port 80 (which routers/firewalls allow through).
I read that a significant number of Solaris machines were compromised using this SADMIND exploit over the weekend and many sites were defaced. Presumably initiated by pro-Chinese activists due to the html pages' content.
[This message has been edited by DVNT1 (edited 05-10-2001).]
DVNT1
05-10-2001, 05:24 AM
Here's how to tell if you were exploited by the directory traversal flaw...
"Would an administrator be able to tell if someone had exploited the vulnerability on his server?
Yes. The IIS event log provides information that indicates when someone has tried to exploit the vulnerability. Just search the event log for a successful GET involving an URL that has the string “/../” anywhere in it. Requests like this should, by design, never succeed, so if you see one that did succeed, it means that someone exploited the vulnerability successfully. The next step is to see what the URL maps to. If it maps to a data file, it’s likely that the attacker read it. If it maps to an executable file, it’s likely that he ran it. "
copied from http://www.microsoft.com/technet/security/bulletin/fq00-078.asp
buzzhd
05-10-2001, 08:23 AM
I got hit on Monday with the same slogan and email address. BTW thanks for the info. I went back to the log and found this: 128.118.176.136 x.x.x.x (my private ip) GET /scripts/root.exe
Get /winnt/system32/cmd.exe...
I then traced back to that ip address; the attack came from Pennsylvania State University. I don't know if they used it as a proxy. If not, then this attack came directly from inside, our brothers and sisters in the United States...
As regards those two exe files, do you think it will affect my system? Please advise. Thanks!
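A way to run the MS00-078 FAQ check DVNT1 quoted, and to pick out the root.exe / cmd.exe requests buzzhd found, over an IIS W3C log. This is an added example, not code from the thread; the sample log lines, their IP addresses and the field order are constructed for the demonstration.

```python
"""Scan IIS W3C logs for the signs described above: "/../" GETs (the MS00-078 FAQ
check) and cmd.exe / root.exe requests. Added example; sample log is constructed."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in IIS 5 W3C extended format; the #Fields line drives parsing.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-06 19:20:01 192.0.2.10 GET /index.cfm - 200
2001-05-06 19:20:03 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-06 19:20:04 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 502
2001-05-06 19:20:05 192.0.2.77 GET /scripts/root.exe /c+dir 200
"""

# Overlong UTF-8 forms of '/' and '\' that the MS00-078 bug accepted; a literal
# search for "/../" misses them, so fold them to ASCII before matching.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
SUSPECT_FILES = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)

def normalize_uri(stem):
    """Decode twice (catches %255c double encoding), fold overlong bytes, '\\' -> '/'."""
    raw = unquote_to_bytes(unquote_to_bytes(stem))
    for overlong, plain in OVERLONG.items():
        raw = raw.replace(overlong, plain)
    return raw.decode("latin-1").replace("\\", "/")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):  # skip lines we cannot map
                yield dict(zip(fields, parts))

def find_exploit_attempts(text, only_successful=False):
    """(client ip, status, normalized path, reasons) per suspect request; with
    only_successful=True apply the FAQ's test: a "/../" GET answered with 200."""
    hits = []
    for rec in parse_w3c(text):
        path = normalize_uri(rec["cs-uri-stem"])
        reasons = ["traversal"] if "/../" in path else []
        if SUSPECT_FILES.search(path):
            reasons.append("cmd/root.exe")
        if only_successful and not ("traversal" in reasons and rec["sc-status"] == "200"):
            continue
        if reasons:
            hits.append((rec["c-ip"], rec["sc-status"], path, reasons))
    return hits
```

Point it at a real log with `find_exploit_attempts(open(path).read())`; a 200 on a traversal request is the FAQ's sign of a successful exploit, while a 404 or 502 on the same path is a failed attempt still worth noting.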
Great info...
I don't think it'd be that easy to trace... they had to have covered their tracks... unless someone from PA is a very inexperienced "hacker"...
buzzhd
05-10-2001, 09:21 AM
Even with those security patches from Microsoft, they can be stopped for further attack?
BTW anyone knows how to get the network card interface in Windows 2000 Server? I tried to set up Checkpoint Firewall, but it kept asking for it... I know in NT you can use ipconfig, in Unix ifconfig -a and winipcfg in Windows 9.x. But what about in Windows 2000?
DVNT1
05-10-2001, 09:54 AM
To ********, it is most likely only a Solaris server, located in PA, was taken by the worm. That server in PA could have easily been a Solaris server in anytown, USA that was infected by the worm. In other words the admin of the Solaris server in PA probably has/had no idea his server was attacking others.
After that infected Solaris server changed the web pages of 2000 IIS servers it would then infect any websites on the host Solaris server too.
buzzhd - the /winnt/system32/cmd.exe is a normal system file...the other I'm not sure about. Of course these *could* have been compromised too but it doesn't seem likely from what I can understand.
Getting the latest patches will prevent those known problems. No doubt more problems will be discovered later on though.
W2k = ipconfig and ipconfig /all should work
buzzhd
05-10-2001, 10:43 AM
Thanks, DVNT1!
ipconfig works for Windows 2000, but it doesn't tell you the NIC interface, such as elx0, elnk31 etc. Any idea?
That's what I thought, PA could be attacked as well...
dddave
05-11-2001, 11:44 AM
I just found where I got hit ERRRRRR
well time to go with RedHat
... or just run other webserver software like O'Reilly Website. We have had zero problems with it running an enterprise website at work. Better yet, run IBM Websphere
[This message has been edited by rh71 (edited 05-11-2001).]
dddave
05-11-2001, 08:35 PM
here is what I got off my logs for sunday...actually they didn't get the page to publish..I am Tech Support for an ISP and a customer called today to say the same thing happened to him.
*deleted* - I dont think you really want all that personal info on the web.....If you really Readly Really do then edit this post again AFTER my edit and post away. -Mntsnow
[This message has been edited by Mntsnow (edited 05-11-2001).]
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.