> Well, to those who are interested, I've combed through the log 
> files. Found my attacker and even the commands he executed to 
> put up those pages. (PoisonBOx..blah..blah...blah) <---not that 
> I've caught the creep. That won't happen! :)
> 
> The client is still installing patches, and we're tightening 
> every bolt on the machine. I've also been advised to delete the 
> default website IIS automatically sets up as well as disable all 
> Front Page extensions, should they be running. (Front Page! EWW!).

You're not going to like what I have to say, I don't think.

If your server has been compromised, you can't fix it by simply taking it
offline and installing patches. Anything on the server could very well have
been compromised. Ideally, you should wipe the disks, reinstall the OS and
everything else, and restore your application files from a trusted backup.
Otherwise, you can't be sure that other back doors haven't been set up on
the box.

During the reinstall process, you might want to take a look at the following
resources, in addition to everything else that's been suggested:

"Securing Windows NT/2000 Servers for the Internet", Stefan Norberg,
O'Reilly
This is a very good explanation of securing IIS web servers, and contains
good step-by-step instructions.

"Hardening Windows 2000 Guide", available as a PDF download:
http://www.systemexperts.com/win2k/HardenWin2K.html

"Windows NT Security Guidelines", written by Trusted Systems for NSA,
available as a download:
http://www.trustedsystems.com/tss_nsa_guide.htm
This doesn't have too much to do with web services specifically, but
provides a clear description of basic use of ACLs, which is essential for
securing your web server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444


Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
