linuXploit_crew hit my webserver.

views:

3830

answers:

+3 Q:

linuXploit_crew hit my webserver.

We run an old Windows NT Machine, fully patched running IIS4.0.

Today we were hit by "linuXploit_crew", and they took down our websites for a minute or two. (luckily we were quick to notice a change on the websites and fix it within minutes of the attack).

However -- After fixing the website, I'm left with trying to figure out HOW this happened.

Looking in our FTP Logs, there's no changes in our default.asp files, and I see nothing out of the ordinary for Web Logs. Any ideas on how to pinpoint how they got in? We've only got 3 ports open, FTP, HTTP, and HTTPS (21,80,443) on a Cisco Firewall.

+6 A:

NT/IIS4 no longer get security updates. Any new exploits will remain unpatched. Time to upgrade.

Once you've been "owned" enough to change your site, you can't necessarily trust your logs anymore- they could have been "cleaned" by the attacker.

Joel Coehoorn 2008-10-01 20:49:18

Just to add to this, Windows server 2008 web edition is only about $350.

Chris Lively 2008-10-01 21:20:08

But won't run on any hardware available at the same time NT4 was on sale.

Joel Coehoorn 2008-10-02 02:11:03

+1 A:

Yea -- unfortuantely i figured the same thing.

I'm aware that its "time to upgrade," unfortunately, my hands are tied, and its not an option.

GruffTech 2008-10-01 20:52:13

Report to whoever's got your hands tied that this has happened, explain that you are vulnerable to being attacked again, and tell them that they're going to have to make it an option if they don't want it to keep happening.

Rob 2008-10-01 21:03:08

I'm fairly sure it would be an option, if you explain to them that you're running ancient, unsupported, insecure software, and that this *will* happen again. Explain the damage that can be done to your company by a bad defacement.

David Precious 2008-10-01 21:04:41

Also, explain that your server may now be completely compromised - if you don't know how they got in and what they did, it is possible your machine had a "rootkit" installed- giving them complete control of it any time they want, with almost no way for you to stop or even detect it.

Philip Rieck 2008-10-01 21:06:21

Exactly how much downtime can you handle before your hands are no longer tied? 'Cause they will come back.

Chris Lively 2008-10-01 21:18:34

I'd assume that the machine has a rootkit, simply because you can't really assume otherwise. I'd reinstall everything. Honestly!

Rich Bradshaw 2008-10-14 08:02:15

brb, ownzoring Gruff's server.

Will 2008-11-05 21:21:44

Its a race condition, either your hands will be untied or your company will die. Good Luck.

Kent Fredric 2008-11-05 22:45:40

Upgrade not an option? But inviting crackers to own your site is? Because that's the option you choose by not upgrading.If you have just the slightest professional integrity, you will start looking for another job immediately!Seriously!

Martin Bøgelund 2009-05-05 07:07:02

IIS 7 + .NET 3.5 SP1 should be a nice upgrade :)

Andrei Rinea 2008-10-02 00:08:43

They appear to be using some form of Injection Attack: See http://msdn.microsoft.com/en-us/library/bb355989.aspx?ppud=4

2008-10-14 07:54:45

A wide array of attacks are possible through just port 80. What applications are you running on the server? The number of asp- and php security holes is a magnitude higher than the number of OS/server application holes.

Roel 2008-10-14 07:59:33

Stay away with Windows NT class systems. IIS 7 might be okay for security, but the price is not up to standard. USE BSD instead or Linux with Apache. Centos if Linux and OpenBSD if BSD my suggestions.

2009-09-06 03:01:58

ansaurus

tags:

views:

answers:

linuXploit_crew hit my webserver.

related questions