views: 3830

answers: 6

We run an old Windows NT machine, fully patched, running IIS 4.0.

Today we were hit by "linuXploit_crew", and they took down our websites for a minute or two. (luckily we were quick to notice a change on the websites and fix it within minutes of the attack).

However, after fixing the website, I'm left trying to figure out HOW this happened.

Looking in our FTP logs, there are no changes to our default.asp files, and I see nothing out of the ordinary in the web logs. Any ideas on how to pinpoint how they got in? We've only got 3 ports open, FTP, HTTP, and HTTPS (21, 80, 443), on a Cisco firewall.

+6  A: 

NT/IIS4 no longer get security updates. Any new exploits will remain unpatched. Time to upgrade.

Once you've been "owned" enough to change your site, you can't necessarily trust your logs anymore; they could have been "cleaned" by the attacker.

Joel Coehoorn
Just to add to this, Windows server 2008 web edition is only about $350.
Chris Lively
But won't run on any hardware available at the same time NT4 was on sale.
Joel Coehoorn
+1  A: 

Yeah, unfortunately I figured the same thing.

I'm aware that it's "time to upgrade"; unfortunately, my hands are tied, and it's not an option.

GruffTech
Report to whoever's got your hands tied that this has happened, explain that you are vulnerable to being attacked again, and tell them that they're going to have to make it an option if they don't want it to keep happening.
Rob
I'm fairly sure it would be an option, if you explain to them that you're running ancient, unsupported, insecure software, and that this *will* happen again. Explain the damage that can be done to your company by a bad defacement.
David Precious
Also, explain that your server may now be completely compromised. If you don't know how they got in and what they did, it is possible your machine had a "rootkit" installed, giving them complete control of it any time they want, with almost no way for you to stop or even detect it.
Philip Rieck
Exactly how much downtime can you handle before your hands are no longer tied? 'Cause they will come back.
Chris Lively
I'd assume that the machine has a rootkit, simply because you can't really assume otherwise. I'd reinstall everything. Honestly!
Rich Bradshaw
brb, ownzoring Gruff's server.
Will
It's a race condition: either your hands will be untied or your company will die. Good luck.
Kent Fredric
Upgrade not an option? But inviting crackers to own your site is? Because that's the option you choose by not upgrading. If you have just the slightest professional integrity, you will start looking for another job immediately! Seriously!
Martin Bøgelund
A: 

IIS 7 + .NET 3.5 SP1 should be a nice upgrade :)

Andrei Rinea
A: 

They appear to be using some form of Injection Attack: See http://msdn.microsoft.com/en-us/library/bb355989.aspx?ppud=4

A: 

A wide array of attacks is possible through just port 80. What applications are you running on the server? The number of ASP and PHP security holes is a magnitude higher than the number of OS/server application holes.

Roel
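As an added example (not posted by anyone in this thread), a small triage script that parses IIS W3C extended log lines and flags query strings carrying SQL-injection indicators, together with HTTP 500 counts per client, which is how an injection probe against a classic ASP page typically surfaces. The log lines are constructed for illustration; the field names follow the W3C extended format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (illustrative, not from the post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-10-01 10:15:02 203.0.113.5 GET /default.asp - 200
2008-10-01 10:15:09 203.0.113.5 GET /news.asp id=12 200
2008-10-01 10:16:41 198.51.100.7 GET /news.asp id=12'+or+'1'='1 500
2008-10-01 10:16:58 198.51.100.7 GET /news.asp id=12+union+select+1,2,3-- 500
2008-10-01 10:17:30 198.51.100.7 GET /news.asp id=12;-- 500
2008-10-01 10:18:02 203.0.113.9 GET /about.asp - 200
"""

# Indicators typical of SQL injection probes against ASP pages that build
# queries from request parameters; tune these to your own application.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s", re.I),          # quote followed by a boolean operator
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"--|/\*"),                        # SQL comment sequences
    re.compile(r"\b(exec|declare|cast)\b", re.I),
]

def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def flag_requests(text):
    """Return (suspicious_rows, http500_per_client) for manual review."""
    suspicious, errors = [], Counter()
    for row in parse_w3c(text):
        # IIS logs '+' for spaces and percent-encodes the rest; normalise before matching.
        query = unquote(row.get("cs-uri-query", "-").replace("+", " "))
        if row.get("sc-status") == "500":
            errors[row["c-ip"]] += 1           # ADO/database errors surface as HTTP 500
        if any(p.search(query) for p in SQLI_PATTERNS):
            suspicious.append((row["date"], row["time"], row["c-ip"], row["cs-uri-stem"], query))
    return suspicious, errors

if __name__ == "__main__":
    hits, errs = flag_requests(SAMPLE_LOG)
    for hit in hits:
        print("suspicious:", *hit)
    print("HTTP 500 per client:", dict(errs))
```

Run it against the real log files rather than this sample, and bear in mind the point made in the top answer: on a host that may be rooted, the logs themselves may have been edited.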
A: 

Stay away from Windows NT class systems. IIS 7 might be okay for security, but the price is not up to standard. Use BSD instead, or Linux with Apache. CentOS if Linux and OpenBSD if BSD are my suggestions.