Welcome to the HackIIS6.com Contest!

Beginning May 2nd and running until June 8th, this server (located at http://www.hackiis6.com) will welcome hackers to attack it. If you are the first person to deface the Web site or capture the "hidden" document, you win an X-box! Read the contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack and in mimicking a basic HTML and ASP.NET web site. For the most part, almost anything reasonable constitutes a successful attack except for a massive network denial of service (DoS) attack against the Internet Information Services (IIS) 6.0 box or its host provider. We want to test the security of Windows Server 2003, IIS, and other Microsoft applications. So, please, respect this rule of the contest so everyone can have a chance at claiming the prize.

Contest Summary

We are starting the contest with the very basic, static HTML Web site that you are now reading. Later, we'll add an ASP.NET Web site and a back-end SQL Server. We're starting with the basic site to test whether Microsoft's IIS 6.0 on Windows Server 2003 is secure by itself. This is to satisfy the purists who think hacking ASP.NET is hacking an application and not the server. So, if you've got skills in one area versus the other, you'll have a chance to try both attack types. The contest ends June 8th, and we will announce the results at Microsoft's Tech.Ed conference on June 9th.

The Setup

This server is running Windows Server 2003, Service Pack 1, with all current publicly released patches and hotfixes installed (we ran Windows Update and MBSA just like you would do). We installed IIS 6.0, and then we followed Microsoft's basic recommendations (http://www.microsoft.com/technet/security/prodtech/IIS.mspx). I added a few tweaks here and there to put my personal mark on the site, but nothing extraordinary.
We want this contest to test Microsoft software, and so the only third-party software we used is the host's router/firewall, which would be normal in most environments.

Why a Hacking Contest?

To have fun! We know there will be critics who say sponsoring a hacking contest proves nothing. If the IIS server remains unbroken, it still doesn't mean that IIS is really "secure." True, and if I weren't the contest's team leader, I'd probably be the first one to say so. Hacking contests rarely prove something is secure, although it only takes a single successful hack to prove something is not secure. So why do it? There are very few places on the Internet where hackers, good and bad, can hack legally. Windows IT Pro thought the contest would be a fun way to interact with the hacker community (they realize most hackers have good intentions) and provide a practical way for readers of Windows IT Pro to learn about security (of course, the magazine will disavow all responsibility and blame me solely if the server gets hacked) <grin>.

So, welcome to the contest! Hack away. If the IIS server goes unhacked during the extended time period, it might not mean that IIS is "unhackable", but if the site does survive the contest it might convince a few people that you can implement a relatively secure Web server platform with IIS if you follow best practices and take reasonable precautions. After all, over 20 percent of the Internet relies on IIS, including some of the largest Web sites in the world.

Questions and Prizes

If you have questions, send an email to [EMAIL PROTECTED] If you want to claim a prize, send your email, with the details listed in the official rules to [EMAIL PROTECTED]
Happy Hacking,
Roger A. Grimes
Contributing editor, Windows IT Pro Magazine

========================================

Hack IIS 6.0 Challenge Contest Rules

A successful "hack" of the IIS server contest will be any modification of any content on the web server computer, IIS, or the database server computer or disclosure to the contest officials (at the email address cited herein) of data from the web server or database computer not published on the hackiis6.com web site.

A successful hack includes:

- Successful web site defacement (subject to the limitations as indicated below)
- Modification of web server or database computers
- Proven knowledge of content located in "hidden" Microsoft Word document.
- Proven knowledge of other content found on the web server or database computer.

A successful hack does not include:

- External denial of service attack against web server computer, or any participating vendor, or device. Denial of service attacks due to successfully modified content on web server computer are fair game.
- Attacks or modifications of any computer or device besides web server or database computers.
- Attacks involving external domain naming services.
- Publishing readily available directory or file listings without accessing or modifying files on the web server or database computer.
- Physical attacks.

Final decision on what constitutes a successful hack rests solely with the hackiis6.com team officials.

The prize for the first successful hack, if there is one, is a Microsoft Xbox console package.

In order for prize to be awarded, the hacker must send an email with the details of the hack to [EMAIL PROTECTED] and include the following:

- Date and time of hack success
- Legal name of hacker and/or team
- Email address of contact person
- Description of hack sufficient to verify that it took place
- Description of how hack was accomplished

The above must be sent to [EMAIL PROTECTED] within 12 hours of successful hack, AND prior to midnight EDT June 8, 2005.
In order to qualify for winning prize, winner agrees to the following conditions:

- Not to reveal any mention of hack success for 24 hours to anyone but the hackiis6.com email address listed above.
- Not to reveal details of the hack for 30 days unless given prior approval by the hackiis6.com contest management team.
- Not to modify any content or deface web site in a vulgar or derogatory manner; and agrees not to promote any product, person, team, software, tool, company, etc. during any possible defacement.
- Any modified content cannot include content not created, owned, or licensed by hacker.
- Any hacks must be able to be demonstrated and readily recreated.
- To abide by all contest rules and decisions.

Windows IT Pro reserves the right to include details of potential hack(s) as the basis for editorial coverage.

Contest open to anyone at least 18 years old as of date of entry. Void where prohibited by law. Employees and agents/contractors of Windows IT Pro [Penton Media, Inc.], or Microsoft and its respective parents, affiliated and subsidiary companies, and advertising and promotional agencies, and of prize sponsors, as well as the immediate family of such employees or members of their households are not eligible to participate in this challenge. Winner is responsible for all taxes and will be required to provide proof of identity.

Sponsor: Windows IT Pro, Penton Media, Inc., 221 E. 29th Street, Loveland, CO 80538.

========================================================

Sequence of Events

May 2 - Challenge begins with very basic static HTML web site to focus hackers on hacking IIS code
May 16 - ASP.NET web site put up to give more potential hacking angles
June 8 - Contest ends
June 9 - Winner (or lack of winner) announced at TechEd in Orlando. Visit the Windows IT Pro booth around noon June 9 for announcement.
Watch for an upcoming issue of Windows IT Pro magazine to see Roger's recap of the contest, where he shares the secrets of creating an impenetrable IIS environment.

Best Regards,
~-V-~

