-
December 8th, 2003, 12:42 PM
#1
Junior Member
fatal error ownz you! by the danz! -->plz help
Hi All
I'm a sysadmin at our office here in Switzerland. We're running a couple of web servers, and one of them was hacked over the weekend by a Brazilian hacker group. They managed to overwrite all of our index & default pages.
By now I have recovered the files, but I still feel pretty awful, because I really have no idea how they managed to do that.
I checked the firewall and web log files but could not really see how they got access to the root files.
The web server is running MS IIS 5 on W2K Server. It is behind a WatchGuard firewall in the DMZ. All patches (except the last one) were installed.
I was searching the web for more information, but besides some other hacked websites (some of them are still hijacked at this time), I could not find any useful information. I almost can't believe this; no one has reported any similar experiences so far. That's why I'm requesting your help now, guys!
Please help me plug this leak!!
Many thanks in advance
Sascha
-
December 8th, 2003, 12:52 PM
#2
Hmm, are you running RPC? There is a new sploit doing the rounds for that yet again (ms0349). It could have been Unicode or double decode; have you patched against them? Maybe a site had FrontPage enabled; it's easy to take full control over a server that way. There are so many ways to penetrate an IIS server. Try going to Fatal Error's IRC channel on BrasNet (/server irc.brasnet.org). You will need to register an account on BrasNet, but they will more than likely tell you how they got in.
By the sacred **** of the sacred psychedelic Tibetan yeti... We'll smoke the Chinese out
The 20th century pharaohs have the slaves demanding work
http://muaythaiscotland.com/
-
December 8th, 2003, 01:33 PM
#3
Junior Member
Thank you so far for your reply!
I'm not running RPC, and I have installed all Microsoft patches up to now. I already checked the Unicode & double decode vulnerabilities some time ago, and I think I would be able to see some log entries regarding exploits..??
We have no FrontPage extensions enabled either.
Well, I ran the last MS update just now, but I think it won't help to go to the BrasNet IRC because I'm lacking profound Spanish vocabulary to get some valuable information :-)
Anyway, I am still open to more input & advice.
Thanks & greetings
Sascha
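Posts #2 and #3 above mention the IIS Unicode and double-decode traversal bugs and whether such attempts would be visible in the web logs. The following is an added example, not code from the thread or from anyone posting in it: it parses constructed IIS 5.0 W3C Extended log lines and decodes each request the way a lenient, unpatched IIS 5 decoder did, so that a `..%c0%af..` or `..%255c..` probe is reported together with the path it actually resolved to. The log lines, timestamps, documentation-range IP addresses and the `/_vti_bin` request are made up for the example; the percent sequences are the well-known probe shapes for those two bugs.

```python
"""Scan IIS 5.0 W3C Extended log lines for Unicode and double-decode
traversal probes.  Added example; the log lines below are constructed."""
import re
from typing import Dict, List, Tuple

PCT = re.compile(r"%[0-9A-Fa-f]{2}")
OVERLONG_LEAD = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)  # C0/C1 never start valid UTF-8
TRAVERSAL = re.compile(r"\.\.[\\/]")
CMD_EXE = re.compile(r"cmd\.exe", re.IGNORECASE)

# Constructed sample log (documentation-range IPs); not taken from the original post.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-12-06 03:14:07 203.0.113.9 GET /index.htm - 200
2003-12-06 03:14:12 203.0.113.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2003-12-06 03:14:15 203.0.113.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\winnt 200
2003-12-06 03:15:01 198.51.100.4 GET /_vti_bin/shtml.exe /_vti_rpc 200
2003-12-06 03:16:00 192.0.2.7 GET /default.asp - 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C Extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()  # values never contain spaces ('+' is used instead)
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def lenient_decode(s: str) -> str:
    """One percent-decoding pass that mimics the lenient IIS 5 decoder:
    a %C0/%C1 lead byte plus one more byte is folded into a single
    character, so %c0%af becomes '/' and %c1%1c becomes a backslash."""
    out, i = [], 0
    while i < len(s):
        m = PCT.match(s, i)
        if not m:
            out.append(s[i])
            i += 1
            continue
        b = int(m.group(0)[1:], 16)
        i += 3
        m2 = PCT.match(s, i) if b in (0xC0, 0xC1) else None
        if m2:
            b2 = int(m2.group(0)[1:], 16)
            i += 3
            out.append(chr(((b & 0x1F) << 6) | (b2 & 0x3F)))  # overlong 2-byte form
        else:
            out.append(chr(b))
    return "".join(out)


def analyse_uri(stem: str, query: str) -> Tuple[str, List[str]]:
    """Decode a request the way a vulnerable IIS 5 would; list why it is suspicious."""
    raw = stem if query in ("", "-") else f"{stem}?{query}"
    reasons = []
    if OVERLONG_LEAD.search(raw):
        reasons.append("overlong-utf8")
    once = lenient_decode(raw)
    twice = lenient_decode(once)  # the second pass is the double-decode bug
    if TRAVERSAL.search(once):
        reasons.append("traversal")
    elif twice != once and TRAVERSAL.search(twice):
        reasons.append("double-decode-traversal")
    if CMD_EXE.search(twice):
        reasons.append("cmd.exe")
    if stem.lower().startswith("/_vti_"):
        reasons.append("frontpage-endpoint")  # worth a look on a box with no FPSE installed
    return twice, reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious request, with the fully decoded path."""
    findings = []
    for row in parse_w3c(text):
        decoded, reasons = analyse_uri(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if reasons:
            findings.append({
                "when": f"{row.get('date')} {row.get('time')}",
                "c-ip": row.get("c-ip"),
                "status": row.get("sc-status"),
                "decoded": decoded,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["when"], f["c-ip"], f["status"], f["decoded"], ",".join(f["reasons"]))
```

Running it over a real `ex*.log` from `%SystemRoot%\system32\LogFiles\W3SVC1` is a matter of reading the file into `scan_log`; the `sc-status` column matters, since a 200 on a `cmd.exe` request means the traversal actually executed, whereas a 404 is only a probe.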
-
December 8th, 2003, 01:43 PM
#4
Do you have any trust relationships set up to other machines?
-
December 8th, 2003, 01:48 PM
#5
Junior Member
Hi
There are no trusts anywhere; this is a standalone dedicated server with MS SQL Server 2000 and IIS running on it.
-
December 8th, 2003, 02:09 PM
#6
If you PM me the IP of said server, I will take a look for any exploits.
Note: PM, do not post publicly, as guests on this site will probably beat me to it.
-
December 8th, 2003, 02:22 PM
#7
Member
Excuse me, which version of WatchGuard are you using? A Firebox or SOHO?
-
December 8th, 2003, 02:37 PM
#8
On another note: ever noticed how these uber-l33t haxors that manage to bypass your security and deface your web page have absolutely no HTML skill at all?
I mean, have you ever seen a page defaced with anything decent?
-
December 8th, 2003, 02:45 PM
#9
Mark_Boyle:
EVIL ANGELICA's defacements are pretty decent and quite funny.
-
December 8th, 2003, 03:04 PM
#10
There's also a new vuln in the FrontPage extensions that would allow this; I'm not sure what patch fixed it, though. This has been in the past month. BTW, this only requires the extensions be in place; the website doesn't have to be made with it.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”