LinuXploit_crew hit my web server

We are running an old Windows NT machine that is fully patched, using IIS4.0.

Today we were struck by "linuXploit_crew", and they removed our sites for a minute or two (fortunately, we quickly noticed the changes on the websites and fixed them within a few minutes after the attack).

However - after correcting the site, I was left with an attempt to find out HOW.

There are no changes to the default.asp files in our FTP logs, and I do not see anything unusual in the web logs. Any ideas on how to determine how they got in? We only have 3 ports open, FTP, HTTP, and HTTPS (21, 80, 443), on the Cisco firewall.

+4
5 answers

NT / IIS4 no longer receives security updates. Any new exploits will remain unverified. Update time.

Once you have been “owned” enough to change your site, you can no longer trust your logs - they could be “cleaned up” by an attacker.

+6

IIS 7 + .NET 3.5 SP1 should be a good update :)

0

They seem to be using some form of injection attack: see http://msdn.microsoft.com/en-us/library/bb355989.aspx?ppud=4

0

A wide range of attacks is possible through port 80 alone. What applications do you use on the server? The number of security holes in ASP and PHP applications is higher than the number of holes in OS / server applications.

0

Stay away from Windows NT class systems. IIS 7 may be ok for security, but the price is not up to standard. USE BSD instead of Linux or with Apache. CentOS if Linux and OpenBSD if BSD are my suggestions.

0

Source: https://habr.com/ru/post/1277379/

