fatal error ownz you! by the danz! -->plz help

Thread: fatal error ownz you! by the danz! -->plz help

  1. #1
    Junior Member
    Join Date
    Dec 2003
    Posts
    7

    Question fatal error ownz you! by the danz! -->plz help

    Hi All

    I'm a sysadmin at our office here in Switzerland. We're running a couple of webservers, and one of them has been hacked over this weekend by a Brazilian hacker group. They managed to overwrite all of our index & default pages.

    By this time I have recovered the files, but I still feel pretty awful, because I really have no idea how they managed to do that.

    I checked the firewall and web logfiles but could not really see how they got access to the root files.

    The webserver is running on MS IIS 5 & W2k Server. It is behind a WatchGuard firewall in the DMZ. All patches (except the last one) were installed.

    I was surfing the web for more information, but besides some other hacked websites (some of them are still hijacked at this time) I could not find any useful information. I almost can't believe this; no one has reported similar experiences so far. That's why I request your help now, guys!

    Please help me stuff this leak!!

    Many ThX in Advance

    Sascha

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Hmm, you running RPC? There is a new sploit doing the rounds for that yet again, ms0349. Could have been unicode or double decode; you patched against them? Maybe a site had FrontPage enabled; easy to take full control over a server there. There are so many ways to penetrate an IIS server. Try going to fatal error's IRC chan on brasnet: /server irc.brasnet.org. You will need to register an account on brasnet, but they will more than likely tell you how they got in.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  3. #3
    Junior Member
    Join Date
    Dec 2003
    Posts
    7
    Thank you so far for your reply!

    I'm not running RPC, and I have installed all Microsoft patches until now. I already checked the unicode & double code vulnerabilities some time ago and I think I would be able to see some log entries regarding exploits..??

    We have no FrontPage extensions enabled either..

    Well, I ran the last MS update right now, but I think it won't help to go to the brasnet IRC because I'm lacking profound spain vocabulary to get some valuable information :-)

    Anyway, I am still open to more input & advice..

    Thx & Greetings

    Sascha
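
Added example, not part of any post in this thread: a Python sketch of the log check discussed in posts #2 and #3, scanning IIS W3C extended log lines for overlong-UTF-8 ("unicode") and double-encoded request paths and for FrontPage extension paths. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Lead bytes C0/C1 never occur in valid UTF-8; they only show up in overlong encodings.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)
# After ONE decode pass an encoded '.', '/' or '\' is still present: double encoding.
STILL_ENCODED = re.compile(r"%(2e|2f|5c)", re.I)
# FrontPage Server Extensions live under /_vti_* paths.
FRONTPAGE = re.compile(r"/_vti_", re.I)

def classify(uri):
    """Return the list of suspicious traits found in one request URI."""
    hits = []
    if OVERLONG.search(uri):
        hits.append("overlong-utf8")
    if STILL_ENCODED.search(unquote(uri, encoding="latin-1")):
        hits.append("double-encoding")
    if FRONTPAGE.search(uri):
        hits.append("frontpage-extensions")
    return hits

def scan(lines):
    """Parse W3C extended log lines using their own #Fields header."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "")
        if rec.get("cs-uri-query", "-") != "-":
            uri += "?" + rec["cs-uri-query"]
        hits = classify(uri)
        if hits:  # keep the status code: 200 deserves more attention than 404
            findings.append((rec.get("c-ip"), rec.get("sc-status"), uri, hits))
    return findings

# Constructed sample log (documentation-range addresses), not taken from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-12-06 02:11:40 192.0.2.10 GET /default.htm - 200
2003-12-06 02:11:52 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 404
2003-12-06 02:12:03 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe - 404
2003-12-06 02:12:30 192.0.2.77 POST /_vti_bin/_vti_aut/author.dll - 404
""".splitlines()

if __name__ == "__main__":
    for ip, status, uri, hits in scan(SAMPLE_LOG):
        print(ip, status, ",".join(hits), uri)
```

The scan only sees what IIS logged, so an empty result does not rule out an entry path that bypasses the web service.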

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    Do you have any trust relations set up to other machines ?

  5. #5
    Junior Member
    Join Date
    Dec 2003
    Posts
    7
    Hi

    There are no trusts anywhere; this is a standalone dedicated server with MS SQL Server 2000 and IIS running on it.

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    If you PM me the IP of said server I will take a look for any exploits.

    Note: PM, do not post publicly, as guests on this site will prob beat me to it.

  7. #7
    Member
    Join Date
    Aug 2003
    Posts
    69
    Excuse me, which version of WatchGuard are you using? A Firebox or SOHO?

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    On another note: ever noticed how these Uber l33t haxors that manage to bypass your security and deface your web page have absolutely no HTML skill at all?

    I mean, have you ever seen a page defaced with anything decent?

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Mark_Boyle:

    EVIL ANGELICA'S defacements are pretty decent and quite funny.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    There's also a new vuln in the FrontPage extensions that would allow this; I'm not sure what patch fixed it though. This has been in the past month. BTW, this only requires that the extensions be in place; the website doesn't have to be made with it.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
