November 17th, 2004, 02:04 PM
found items on a compromised system -- any ideas what they are?
Group -- anyone seen this?
I was looking at a system that had a web-defacement. We could not figure out exactly how it was done. Before I got to the system, the administrators removed the defaced files and applied "about eight" (yes, eight) missing security patches. Admins claim everything locked down at the firewall and only allowing port 80...
After the usual routine (virus scan, spyware check with 3 different utils, trojan scan, logs, etc.) I noticed a few files that had the date stamp for the day the system was hit. One included pagerror.gif that was actually a text file. It looks like it contains some kind of web authoring code, but I'm not sure. Here's the contents of the GIF:
vti_timelastmodified:TR|03 Jun 1999 23:13:40 -0000
vti_cacheddtm:TX|03 Jun 1999 23:13:40 -0000
Also, their was an iisstart.asp file that did not contain asp type data. Again, it had aurhoring type of info; here it is:
vti_timelastmodified:TR|13 Nov 2004 19:58:25 -0000
vti_nexttolasttimemodified:TR|03 Jun 1999 23:13:40 -0000
vti_timecreated:TR|13 Nov 2004 19:58:25 -0000
vti_cacheddtm:TX|13 Nov 2004 19:58:25 -0000
Any insight would be appreciated...
November 17th, 2004, 02:25 PM
IIRC the vti_ prefix is used by frontpage (extensions).
But I can recommend backing up the important data and reinstalling the server from original media (and applying all security fixes). There's no way to tell what else they may have modified/backdoored.
I can also recommend doing an audit on the actual code of the website. I've seen it happen before, server completely patched, firewall in place and only allowing port 80. Then some sh*thead developer puts up a site with more holes in it then swiss cheese. Bang, you're dead
Experience is something you don't get until just after you need it.
December 23rd, 2004, 06:05 PM
BTW if your not using frontpage (which i hope your not) remove the frontpage extentions. in some cases they can allow the editing of your site, including the uploading of new items even if the site was not made with FP.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”