Ok, now you may think your web server is the most secure one out there, but it's not... If you use Windows IIS or Apache (or whatever else you use), it may be revealing files/directories without you knowing it...

*NOTE* This is NOT a hack FAQ, it's just a small tutorial I'm putting together to show people how insecure a web server can be.

Ok, let's get started... In this tutorial we'll be using the best search engine around [www.google.com] for a few reasons:
a) Clean output: it's easy to tell which result is a page with notes on this exploit and which one is an actual vulnerable server....
b) Lots of pages indexed....
c) All of the above

Ok, now for the actual footprinting....
Several search strings in Google will find the default directories for IIS:

C:\Inetpub site:.com

That search will find all of the default IIS installations on .com domains.

TSWeb\default.htm

That one will find web pages that use Terminal Server for remote access.

The ones below are taken from [http://www.cgisecurity.com/papers/fi...ng-2.html#more]
"autoexec.bat"

This file is run by certain versions of Windows every time they boot up.
Oftentimes, after an attacker has done what he wants with a box, he/she will install tools
to remove logs and any reference to an intrusion having taken place. An attacker may modify this
file and insert commands into it. The next time the machine is rebooted, logs/traces can
be wiped and the attacker is home free. People running a web server on Windows 95 or 98
are affected by this problem. If you plan on using a Windows product, you should only be
running a public web server on NT/2000 with NTFS, for security purposes.


"root.exe"

This is the backdoor left by the sadmind/IIS, Code Red, and Nimda worms. This backdoor is a
copy of cmd.exe renamed to root.exe and put inside the webroot. If an attacker or worm
has access to this file, you can bet you're in trouble. Common directories this file
resides in are "/scripts/" and "/MSADC/".


"nobody.cgi 1.0 A free Perl script from VerySimple"

This is a CGI program which was originally written to provide admins with
a shell backdoor. It also has a hefty warning from the programmer explaining the dangers
of improperly using this program. It is now a popular backdoor used by attackers
to execute commands with the permissions of the web server. You really would be
surprised how often I see this popping up. Hanging out in chat rooms, I've seen 3
different occasions where people (unaware of each other) have used this script.
Oh, and no, I won't give you the link to this product.


"[drive-letter]:\WINNT\system32\LogFiles\"

This is the directory that contains the IIS server logs. An attacker may
attempt to view your logs via a web application hole. If you see a reference
to system32/LogFiles, there is a good chance your system has already been taken over.


"[drive-letter]:\WINNT\system32\repair\"

This is the directory that contains the backup password file on NT systems.
The file will be named either "sam._" (NT4) or "sam" (Win2k). If an attacker manages
to get hold of this file, you're in for some real trouble.
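As an added, defender-side example (not part of the original post), here is a small Python script that reads IIS logs in the W3C extended format and flags requests for the paths named above: root.exe under /scripts/ or /MSADC/, nobody.cgi, system32\LogFiles, system32\repair\sam and autoexec.bat. The log lines and IP addresses are constructed samples; the field names assume the standard W3C "#Fields:" header that IIS writes.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines (not taken from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:12:01 192.0.2.10 GET /index.htm - 200
2001-09-18 10:12:05 198.51.100.7 GET /scripts/root.exe - 200
2001-09-18 10:12:09 198.51.100.7 GET /MSADC/root.exe - 404
2001-09-18 10:13:40 203.0.113.5 GET /cgi-bin/nobody.cgi - 200
2001-09-18 10:14:02 203.0.113.5 GET /winnt/system32/logfiles/ex010918.log - 200
2001-09-18 10:15:00 192.0.2.10 GET /about.htm - 200
"""

# Path fragments discussed in the text above; matched case-insensitively
# because IIS paths are not case-sensitive.
INDICATORS = {
    "root.exe": re.compile(r"/(scripts|msadc)/root\.exe", re.I),
    "nobody.cgi": re.compile(r"nobody\.cgi", re.I),
    "LogFiles": re.compile(r"system32[/\\]logfiles", re.I),
    "repair SAM": re.compile(r"system32[/\\]repair[/\\]sam", re.I),
    "autoexec.bat": re.compile(r"autoexec\.bat", re.I),
}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header names follow the directive
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue                       # other directives, blanks, or no header yet
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def find_indicators(text):
    """Return {client_ip: [(indicator, uri, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        for name, pat in INDICATORS.items():
            if pat.search(uri):
                hits[rec["c-ip"]].append((name, uri, rec.get("sc-status")))
                break                      # one indicator per request is enough
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in find_indicators(SAMPLE_LOG).items():
        print(ip, reqs)
```

A 404 on /MSADC/root.exe still means someone probed for the backdoor, so report the status alongside the hit rather than filtering on success.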


Novell file systems
"[server-name]:SYSTEM:PUBLIC"

This is an example Novell file system path. It may be possible that an advanced attacker with
deep knowledge of Novell will try to view files remotely. On the other hand, getting information such
as the intranet server name may not be too easy.