> Has anyone seen this or had this occur - Basically they replace the default
> docs in the wwwroot (index.htm, html, asp, default.htm, html, asp, etc.)
> with a file with only html and css in it that shows a picture of Homer
> Simpson and the message Hacked By Fatal Error and something along the lines
> of "hey admin take care of server". We saw it on one internal dev server
> and I am just trying to figure out what is exploited to be able to drop the
> files on. The only things open are ports 80 and 21 (ftp logs show no
> activity in over a week), the files in question were created yesterday. I
> really just want to know that the server itself isn't compromised and this
> was just a defacing and also prevent it from occurring again. The server is
> fully patched win2k and we also shut off ftp this morning since usage of it
> is pretty non-existent anymore since all dev is on-site.

While this is "just a defacing", you have no guarantee that the server isn't compromised - essentially, that's what a defacing requires. Was the server fully patched prior to this morning? My offhand guess is that it's an IIS exploit, and after all IIS 5 is pretty old; there were plenty of IIS 5 exploits back in the day.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322833