At 10:32 AM 5/7/01 -0400, Kevin O'Gilvie wrote:
>Apparently over the weekend Poison Box got past my Pix and overwrote some
>files on the intranet box and maybe more damage than I know of at this
>moment. I need help on finding out how they got in and how to prevent it
>happening in the future. Please help.
>
>Thanks,
>
>Kevin
Got past it? I doubt it, but I might be wrong here. Poison Box... hm, this
sounds a lot like an IIS box got hacked into. A Pix box will not save you
if your applications running beyond layer 3 (with a few exceptions if their
fixup protocol catches it) are being silly.

I.e. unless your pix is an implicit deny on all incoming connections, they
did not get past it; it let them through.

If your pix allows incoming web connections, it did its job fine. This is
where security moves to another level and you have to secure your
webserver, meaning latest patches, audits on the ASP code to make sure it
does not do anything silly.
OR, if the pix is an implicit deny, it is probably allowing all outgoing
connections, so someone might have trojanned into a client's box behind the
pix, and opened a door to attack.
Give us a bit more information, a lot of different things could have
happened.
My best guess, you were running IIS 5.0 or IIS 4.0 and it got hacked into
because it was not patched to resist or you have a rogue ASP page on there
that was exploitable. (accidentally).
Also, this is why anything the PIX lets through is usually placed in a
DMZ. That way, if the attacker succeeds, he cannot enter the internal
network. Of course, if the web server can access the internal network
unimpeded, in theory and the worst case scenario, all of your internal
machines could be hacked into at this point. I hope you have good security
internally. Or have some IDS/NDS going because otherwise, you have no idea
what he did. However, in the best case scenario, you got hacked by a
little script kiddie who hardly knows anything about true network
penetration, so odds are they did not move beyond your IIS
webserver. Also, most exploits do not give you full command prompt
shells. Find out which one you are vulnerable to, and hope it isn't a full
shell of sorts.
Common mistakes people make with security
-Firewall will protect us all.
-Sure let's use telnet internally, who needs internal security, we got the
big bad firewall to help us.
-What? You mean the DMZ shouldn't be allowed to reach the internal! How
inconvenient!
-Carroll Kong
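The DMZ arrangement Carroll describes (web server reachable from outside, but unable to reach the internal network, with syslog so you can at least see what happened) as an added PIX 6.x configuration fragment. It is not part of the original thread; the interface names, the 203.0.113.10 public address, the 192.168.100.0/24 DMZ, the 10.0.0.0/8 internal range and the 10.1.1.50 syslog host are all assumed values.

```text
! Three interfaces: outside (0), dmz (50), inside (100).
! PIX default: traffic may flow from a higher security level to a lower
! one, never the reverse unless a static + access-list explicitly allow it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

! Publish the DMZ web server on a public address, then let in ONLY port 80.
! Anything else from outside still hits the implicit deny.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! The point of the DMZ: even if the IIS box is compromised it cannot
! initiate connections into the internal network. The deny is explicit so
! nobody "helpfully" adds a static that would silently reopen it later.
access-list dmz_in deny ip 192.168.100.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz_in permit tcp 192.168.100.0 255.255.255.0 any eq www
access-group dmz_in in interface dmz

! Without this you have "no idea what he did": ship connection and deny
! logs to an internal syslog host so the intrusion leaves a record.
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.50
```

Note that the dmz_in list also replaces the default "DMZ may talk anywhere lower" behaviour with an allow-list, so a compromised web server cannot pull down tools or open reverse connections over arbitrary outbound ports.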
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3462&t=3452
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html