found items on a compromised system -- any ideas what they are?
#1 Member (Join Date: May 2003, Location: Somewhere in Texas, Posts: 76)

    Group -- anyone seen this?

    I was looking at a system that had a web defacement. We could not figure out exactly how it was done. Before I got to the system, the administrators removed the defaced files and applied "about eight" (yes, eight) missing security patches. Admins claim everything is locked down at the firewall and only port 80 is allowed...

    After the usual routine (virus scan, spyware check with 3 different utils, trojan scan, logs, etc.) I noticed a few files that had the date stamp for the day the system was hit. One included pagerror.gif that was actually a text file. It looks like it contains some kind of web authoring code, but I'm not sure. Here's the contents of the GIF:

    vti_encoding:SR|utf8-nl
    vti_timelastmodified:TR|03 Jun 1999 23:13:40 -0000
    vti_extenderversion:SR|4.0.2.4426
    vti_lastwidth:IX|0
    vti_lastheight:IX|0
    vti_cacheddtm:TX|03 Jun 1999 23:13:40 -0000
    vti_filesize:IR|2806
    vti_backlinkinfo:VX|

    Also, there was an iisstart.asp file that did not contain ASP-type data. Again, it had authoring-type info; here it is:

    vti_encoding:SR|utf8-nl
    vti_timelastmodified:TR|13 Nov 2004 19:58:25 -0000
    vti_extenderversion:SR|4.0.2.7802
    vti_filesize:IR|32
    vti_backlinkinfo:VX|
    vti_nexttolasttimemodified:TR|03 Jun 1999 23:13:40 -0000
    vti_author:SR|IUSR_MYSERVER
    vti_modifiedby:SR|IUSR_MYSERVER
    vti_timecreated:TR|13 Nov 2004 19:58:25 -0000
    vti_cacheddtm:TX|13 Nov 2004 19:58:25 -0000
    vti_cachedlinkinfo:VX|
    vti_cachedsvcrellinks:VX|
    vti_cachedhasbots:BR|false
    vti_cachedhastheme:BR|false
    vti_cachedhasborder:BR|false

    Any insight would be appreciated...
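The two files quoted above are in the `key:TT|value` metadata format that FrontPage Server Extensions keep for each page. Below is a small parser and triage routine I added for this thread; it is not code from the original post or from FrontPage. It reads the two quoted files (embedded here as constructed samples), types the values (the type-letter meanings S=string, T=time, I=integer, B=boolean, V=vector are my reading of the format), and then reports what an investigator would want flagged: an author or modifier that is the IIS anonymous web account (the `IUSR_<machine>` naming convention), timestamps that land on the incident day (assumed here to be 13 Nov 2004, taken from the `vti_timecreated` value in the quoted file), and a file whose extension promises an image or ASP page but whose body is metadata text.

```python
import re
from datetime import datetime

# Constructed samples: the two files quoted in the thread, verbatim.
SAMPLE_PAGERROR_GIF = """vti_encoding:SR|utf8-nl
vti_timelastmodified:TR|03 Jun 1999 23:13:40 -0000
vti_extenderversion:SR|4.0.2.4426
vti_lastwidth:IX|0
vti_lastheight:IX|0
vti_cacheddtm:TX|03 Jun 1999 23:13:40 -0000
vti_filesize:IR|2806
vti_backlinkinfo:VX|
"""

SAMPLE_IISSTART_ASP = """vti_encoding:SR|utf8-nl
vti_timelastmodified:TR|13 Nov 2004 19:58:25 -0000
vti_extenderversion:SR|4.0.2.7802
vti_filesize:IR|32
vti_backlinkinfo:VX|
vti_nexttolasttimemodified:TR|03 Jun 1999 23:13:40 -0000
vti_author:SR|IUSR_MYSERVER
vti_modifiedby:SR|IUSR_MYSERVER
vti_timecreated:TR|13 Nov 2004 19:58:25 -0000
vti_cacheddtm:TX|13 Nov 2004 19:58:25 -0000
vti_cachedlinkinfo:VX|
vti_cachedsvcrellinks:VX|
vti_cachedhasbots:BR|false
vti_cachedhastheme:BR|false
vti_cachedhasborder:BR|false
"""

# One metadata line: key, two-letter type code, '|', value (value may be empty).
LINE_RE = re.compile(r"^(vti_\w+):([A-Z]{2})\|(.*)$")
TIME_FMT = "%d %b %Y %H:%M:%S %z"


def parse_vti(text):
    """Parse vti_ metadata lines into a dict of typed values.

    Type letters are an assumption about the format: S=string, T=time,
    I=integer, B=boolean, V=vector (whitespace-separated list).
    Lines that do not match the pattern are ignored.
    """
    record = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, typ, val = m.groups()
        kind = typ[0]
        if kind == "T":
            record[key] = datetime.strptime(val, TIME_FMT)
        elif kind == "I":
            record[key] = int(val)
        elif kind == "B":
            record[key] = val.lower() == "true"
        elif kind == "V":
            record[key] = val.split()
        else:
            record[key] = val
    return record


def review(name, record, incident_day, anon_prefix="IUSR_"):
    """Return a list of findings for one file's parsed metadata.

    incident_day is a datetime.date; anon_prefix is the IIS anonymous
    account naming convention (IUSR_<machinename>).
    """
    findings = []
    for field in ("vti_author", "vti_modifiedby"):
        who = record.get(field, "")
        if who.startswith(anon_prefix):
            findings.append(f"{name}: {field}={who} is the IIS anonymous web account, not a named author")
    for field in ("vti_timecreated", "vti_timelastmodified"):
        ts = record.get(field)
        if ts is not None and ts.date() == incident_day:
            findings.append(f"{name}: {field}={ts:%Y-%m-%d %H:%M} falls on the incident day")
    ext = name.rsplit(".", 1)[-1].lower()
    if ext in ("gif", "jpg", "png", "asp") and "vti_encoding" in record:
        findings.append(f"{name}: extension .{ext} but the body is FrontPage metadata text, not .{ext} content")
    return findings


def review_samples():
    """Triage both quoted files; incident day assumed from iisstart.asp's vti_timecreated."""
    asp = parse_vti(SAMPLE_IISSTART_ASP)
    gif = parse_vti(SAMPLE_PAGERROR_GIF)
    incident_day = asp["vti_timecreated"].date()  # assumption: 13 Nov 2004
    return review("pagerror.gif", gif, incident_day) + review("iisstart.asp", asp, incident_day)


if __name__ == "__main__":
    for line in review_samples():
        print(line)
```

Run against the two quoted files, the GIF yields only the extension mismatch, while iisstart.asp yields five findings: both account fields are the anonymous IIS user, both creation and modification timestamps land on the incident day, and an .asp file holding metadata text. The point for the investigator is that the account fields and timestamps inside this metadata survive even after the defaced pages themselves have been removed.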

#2 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,403)

    IIRC the vti_ prefix is used by frontpage (extensions).

    But I can recommend backing up the important data and reinstalling the server from original media (and applying all security fixes). There's no way to tell what else they may have modified/backdoored.

    I can also recommend doing an audit on the actual code of the website. I've seen it happen before: server completely patched, firewall in place and only allowing port 80. Then some sh*thead developer puts up a site with more holes in it than Swiss cheese. Bang, you're dead.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

#3 Senior Member (Join Date: Nov 2001, Posts: 4,786)

    BTW, if you're not using FrontPage (which I hope you're not), remove the FrontPage extensions. In some cases they can allow the editing of your site, including the uploading of new items, even if the site was not made with FP.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”