4

We run an old Windows NT machine, fully patched, running IIS 4.0.

Today we were hit by "linuXploit_crew", and they took down our websites for a minute or two. (Luckily, we were quick to notice a change on the websites and fix it within minutes of the attack.)

However, after fixing the website, I'm left trying to figure out HOW this happened.

Looking in our FTP logs, there are no changes in our default.asp files, and I see nothing out of the ordinary in the web logs. Any ideas on how to pinpoint how they got in? We've only got 3 ports open: FTP, HTTP, and HTTPS (21, 80, 443) on a Cisco firewall.

Adam Bellaire
GruffTech

5 Answers

6

NT/IIS4 no longer get security updates. Any new exploits will remain unpatched. Time to upgrade.

Once you've been "owned" enough to change your site, you can't necessarily trust your logs anymore; they could have been "cleaned" by the attacker.

Joel Coehoorn
0

Stay away from Windows NT class systems. IIS 7 might be okay for security, but the price is not up to standard. USE BSD instead, or Linux with Apache. CentOS if Linux and OpenBSD if BSD are my suggestions.

0

IIS 7 + .NET 3.5 SP1 should be a nice upgrade :)

Andrei Rînea
0

They appear to be using some form of Injection Attack: See http://msdn.microsoft.com/en-us/library/bb355989.aspx?ppud=4

0

A wide array of attacks are possible through just port 80. What applications are you running on the server? The number of ASP and PHP security holes is a magnitude higher than the number of OS/server application holes.

Roel
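
As an added example (not part of any answer above), one way to triage IIS web logs for the port-80 attacks the answers mention: a parser for the W3C Extended Log File Format that flags write-capable HTTP methods and injection-like query strings. It assumes W3C Extended logging with the fields shown; the sample log, the pattern list and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Heuristic markers only (assumed for this example, not a complete signature set).
SUSPICIOUS_QUERY = re.compile(
    r"('|--|;)\s*(or|and|union|select|insert|update|delete|drop|exec|declare)\b"
    r"|\bunion\s+select\b|\bxp_cmdshell\b|<script", re.IGNORECASE)
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample log (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-01 09:14:40 198.51.100.7 GET /news.asp id=5';DECLARE%20@s%20varchar(8000) 500
2000-01-01 09:15:11 198.51.100.7 PUT /default.asp - 201
#Fields: date time cs-method c-ip cs-uri-stem cs-uri-query sc-status
2000-01-01 09:16:00 POST 192.0.2.10 /contact.asp - 200
"""

def parse_w3c(lines):
    """Yield one dict per request, honouring every #Fields: directive in the file."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(lines):
    """Return (date, time, client IP, URI, reasons) for each request worth reviewing."""
    findings = []
    for rec in parse_w3c(lines):
        reasons = []
        method = rec.get("cs-method", "-").upper()
        query = unquote_plus(rec.get("cs-uri-query", "-"))
        if method in WRITE_METHODS:
            reasons.append("write-capable method " + method)
        if SUSPICIOUS_QUERY.search(query):
            reasons.append("injection-like query string")
        if reasons:
            findings.append((rec.get("date"), rec.get("time"), rec.get("c-ip"),
                             rec.get("cs-uri-stem"), reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG.splitlines()), sep="\n")
```

A clean result does not clear the server, since logs on a compromised host may have been altered, as the first answer points out.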