Author Topic: Sigh....got hacked...&#$% Chinese  (Read 421 times)

Offline LePaul

  • Platinum Member
  • ******
  • Posts: 7988
Sigh....got hacked...&#$% Chinese
« on: May 10, 2001, 11:41:00 AM »
No real damage, just a pain in the arse to go repair.  Infiltrated a hole in Microsoft IIS 4.0 (now plugged) and in about 6 sites I have, uploaded "default.htm, index.htm, default.asp" and a few others I don't recall offhand.

If you want to see what they did, check
 www.checksix.net/default.asp

Dunno how I, up here in the boonies of Maine, became a target.  But the firewall did track an impressive amount of data on them so we notified the FBI and they are meeting with us at 2pm.  Not much can be done, the attack came from China and with things the way they are, all we can do is know that is how things are and if anything, the hackers in China are being patted on the back for their actions (Wong Way is a Revolutionary Hero now, too).

If you run servers on the net, especially Microsoft ones, as hard as it is, find those hot fixes and get them in place.  We use BlackIce for a firewall and it did an impressive job nabbing a lot of information about the HTTP attack.

Sadly, just a little reminder that the world we live in is a global one, and if the politics go south, expect annoying assaults like these.  




------------------
Paul J. Busiere

Aces High Arena handle:  BD5Pilot
 http://bd5.checksix.net
BD-5 "T" (TurboProp) 90% complete, first flight in 2001 (We hope!)

Offline Ripsnort

  • Radioactive Member
  • *******
  • Posts: 27251
« Reply #1 on: May 10, 2001, 11:43:00 AM »
Don't forget, US hackers cast the first stone the day that plane was forced down.

Offline Staga

  • Parolee
  • Platinum Member
  • ******
  • Posts: 5334
      • http://www.nohomersclub.com/
« Reply #2 on: May 10, 2001, 11:44:00 AM »
Better not click that link; my Virus-shield jumped up right after I clicked it.

Offline LePaul

  • Platinum Member
  • ******
  • Posts: 7988
« Reply #3 on: May 10, 2001, 11:49:00 AM »
Must not like anything ASP then

You can also see it at www.checksix.net/bappe

As to the first stone, I could care less.  I haven't, and wouldn't, hack anyone.  I'm just a victim because of where I am.  I'm plenty pissed what happened and I'll be glad to blame US and Chinese hackers equally...but it wasn't the US ones that attacked me.



------------------
Paul J. Busiere

Aces High Arena handle:  BD5Pilot
 http://bd5.checksix.net
BD-5 "T" (TurboProp) 90% complete, first flight in 2001 (We hope!)

Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
« Reply #4 on: May 10, 2001, 11:55:00 AM »
LePaul,..you may want to bookmark this site and check it once a month or so:
 http://www.cert.org/



------------------
Roy "Skuzzy" Neese
President, AppLink Corp.
http://www.applink.net
skuzzy@applink.net
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline LePaul

  • Platinum Member
  • ******
  • Posts: 7988
« Reply #5 on: May 10, 2001, 12:00:00 PM »
 
Quote
Originally posted by Skuzzy:
LePaul,..you may want to bookmark this site and check it once a month or so:
 http://www.cert.org/


Thank you, already got that one.

I was able to contact a Microsoft staffer who was pretty helpful.  NT/IIS doesn't have a nice "Windows Update" button so you can see and download the latest security fixes.  You have to literally hunt these things down and hope they are approved, not "use at your own risk" kinda things where they offer no support on them either.

Isn't Microsoft fun



------------------
Paul J. Busiere

Aces High Arena handle:  BD5Pilot
 http://bd5.checksix.net
BD-5 "T" (TurboProp) 90% complete, first flight in 2001 (We hope!)

Offline Staga

  • Parolee
  • Platinum Member
  • ******
  • Posts: 5334
      • http://www.nohomersclub.com/
« Reply #6 on: May 10, 2001, 12:41:00 PM »
Screenshot which is taken when I clicked that link:

 

Offline Saintaw

  • Platinum Member
  • ******
  • Posts: 6692
      • My blog
« Reply #7 on: May 10, 2001, 02:44:00 PM »
Ouch Paul, that hurt  

Security is a nightmare (Bit less on Linux, but it's more squeaky to configure   )

Staga, if one day, I need a lawyer....  

Saw
[Mass]
Saw
Dirty, nasty furriner.

Offline Dinger

  • Silver Member
  • ****
  • Posts: 1705
« Reply #8 on: May 10, 2001, 02:57:00 PM »
nice bookmarks staga.

Offline Ripsnort

  • Radioactive Member
  • *******
  • Posts: 27251
« Reply #9 on: May 10, 2001, 03:06:00 PM »
Nice bookmarks, but what's that other language, looks...like...Arabic?

Offline RebootSequence

  • Zinc Member
  • *
  • Posts: 10
« Reply #10 on: May 10, 2001, 05:55:00 PM »
Hey, the same guy got one of our client's sites that I worked on.  I fixed it but it's on their own server so I'm not sure if they fixed the hole.. could you email me privately with details of how they got in and (more important) how to fix it?
Thanks.

-sequence

Offline LePaul

  • Platinum Member
  • ******
  • Posts: 7988
« Reply #11 on: May 10, 2001, 07:31:00 PM »
Hi there, well, I am opting to post how they got in and how to fix it publicly, so anyone here can fix their servers, if need be.

They got in through an HTTP attack, as BlackIce Firewall monitored it.  They exploited a “Web Server Folder Traversal” vulnerability in Microsoft IIS 4.0 (applies to IIS 5.0 too).  Without going into a huge amount of detail on the flaw in Microsoft IIS, here is the Security Bulletin page, which links to the patch you can download and install for both IIS 4 and 5:
 http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Basically, they used the address line to copy their files into my webserver folders and also in each subfolder below.  In my case, they only hit the main folder and 5 subfolders.  The files they copied into there were:

index.htm
default.htm
default.asp
index.asp  

For some reason, in my case, their attempts to overwrite default.htm only worked on 2 of the 5 folders.  But, those pages I had with default.htm have been destroyed....thankfully nothing important, just my tribute pages to Airwolf and The A-Team (wouldn't I like to hire THOSE guys right now!).

What you wanna do, and this is a pain in the arse, is get on the Microsoft TechNet listserver for security updates, and try to stay up to date with bugfixes and security fixes.

As to Linux vs IIS/Microsoft, both are victims.  Our Linux DNS servers have been invaded twice, both times holes in BIND (ADMROCKS attacks)...and this is our 2nd big breach thru IIS.  So, neither is impenetrable...so now isn't the time to say whose servers are better...both perform splendidly if one stays in the loop with notices of bugs and fixes.

Aside from that, update the firewall software weekly and do the same for your antivirus software.  We had a guy from Russia breach our system to copy Back Orifice once...while he did get in, the minute he uploaded Back Orifice, Norton AntiVirus automatically quarantined the file and made it off limits, fouling that hacker's attempt.

Be loaded for bear, cuz not all the neighbors play nice.



------------------
Paul J. Busiere

Aces High Arena handle:  BD5Pilot
 http://bd5.checksix.net
BD-5 "T" (TurboProp) 90% complete, first flight in 2001 (We hope!)
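
Added example, not part of LePaul's post or of Microsoft's bulletin: one way to look through web server logs for the kind of request the post describes. MS00-078 concerns URLs that hide path separators in non-standard Unicode encodings, so the check flags overlong UTF-8 bytes in the request path; it goes a little beyond that case by also flagging nested percent-encoding and plain dot-dot segments. The log layout (W3C extended format), addresses and paths are constructed sample data.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-05-10 09:12:01 192.0.2.10 GET /default.asp 200
2001-05-10 09:12:05 192.0.2.77 GET /images/..%c0%af../private/notes.txt 404
2001-05-10 09:12:09 192.0.2.77 GET /images/..%255c../private/notes.txt 404
2001-05-10 09:12:15 192.0.2.77 GET /images/../../private/notes.txt 200
"""

# Lead bytes 0xC0/0xC1 can only begin an overlong encoding of an ASCII byte.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def traversal_reasons(uri_stem):
    """Return the reasons a request path looks like folder traversal."""
    data, rounds = uri_stem.encode("latin-1", "replace"), 0
    for _ in range(4):                      # peel nested percent-encoding
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    reasons = []
    if rounds > 1:
        reasons.append("double-encoded")
    if OVERLONG_2BYTE.search(data):
        reasons.append("overlong-utf8")
        # Map each overlong pair to the ASCII byte a lenient decoder would see.
        data = OVERLONG_2BYTE.sub(
            lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), data)
    if b".." in data.replace(b"\\", b"/").split(b"/"):
        reasons.append("dot-dot-segment")
    return reasons

def scan_log(text):
    """Return (client_ip, uri_stem, reasons) for each suspicious log entry."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            reasons = traversal_reasons(row.get("cs-uri-stem", ""))
            if reasons:
                hits.append((row.get("c-ip"), row["cs-uri-stem"], reasons))
    return hits

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Some servers log the path after decoding it, which is why a plain dot-dot segment is reported as well as the encoded forms.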

Offline LePaul

  • Platinum Member
  • ******
  • Posts: 7988
« Reply #12 on: May 11, 2001, 10:47:00 AM »
<punt>

So all you Network Admins see how we got compromised...and make sure your stuff is up to par    



------------------
Paul J. Busiere

Aces High Arena handle:  BD5Pilot
 http://bd5.checksix.net
BD-5 "T" (TurboProp) 90% complete, first flight in 2001 (We hope!)
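
Added example, not from the thread: a sweep of a web root for the four file names listed in Reply #11, separating pages that were overwritten (restore from backup) from files that were not there before (remove after review). It assumes a baseline of SHA-256 hashes recorded before the incident; the folder names and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

# File names the post lists as copied into each web folder.
DROPPED_NAMES = {"index.htm", "default.htm", "default.asp", "index.asp"}

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def sweep(web_root, baseline):
    """Compare default documents under web_root with a known-good baseline.

    baseline maps relative path -> SHA-256 (assumed to have been recorded
    before the incident). Returns {"replaced": [...], "new": [...]}.
    """
    report = {"replaced": [], "new": []}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() not in DROPPED_NAMES:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if rel not in baseline:
                report["new"].append(rel)          # not present before
            elif baseline[rel] != sha256_file(full):
                report["replaced"].append(rel)     # content was overwritten
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Build a constructed web root, simulate the change, and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "airwolf"))
        pages = {"default.htm": b"home", "airwolf/default.htm": b"tribute"}
        for rel, body in pages.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in pages}
        # Constructed change: one page overwritten, two files added.
        for rel in ("airwolf/default.htm", "index.asp", "airwolf/index.htm"):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"placeholder replacement page")
        return sweep(root, baseline)

if __name__ == "__main__":
    print(demo())
```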