He got in by using the unicode exploit. You have one of the following
situations:
1. wwwroot on the same drive as the OS.
2. msadc and/or scripts virtual directories.
Check the %systemroot%/Program Files/Common Files/System/msadc/ for a file
called "root.exe". This file is a copy of your "cmd.exe". I would apply the
patches that are relevant to your box to fix the unicode exploit. I would
also do the following:
1. Create a local group on the IIS box.
2. Put only people that will administer the box in that local group.
3. Move the following files to another directory: arp.exe, at.exe,
atsvc.exe, cacls.exe, cmd.exe, command.com, cscript.exe, debug.exe,
edit.com, edlin.exe, finger.exe, ftp.exe, ipconfig.exe, nbstat.exe, net.exe,
netstat.exe, nslookup.exe, ping.exe, qbasic.exe, rpc.exe, rdisk.exe,
regedit.exe, regedit32.exe, rexec.exe, route.exe, rsh.exe, runonce.exe,
secfixup.exe, syskey.exe, telnet.exe, ftfp.exe, tracert.exe, wscript.exe,
xcopy.exe, copy.exe
4. Put the newly created directory in the path.
5. Change the NTFS permission so only the local group that you just created
has permissions to it.
6. Deny all others access to it.
7. Run some form of IDS (Intrusion Detection System). If you don't have a
lot of money you can run Snort. It is free. It is a great IDS.
Neil
"John Brandis" wrote in message news:[EMAIL PROTECTED]...
> I was hacked by , Sysadmcn
> He got in and changed the web site to F----- USA Govt.....
> Does anyone know what other changes to NT2000, besides renaming of the
> default web page, to one that he added. Also, does anyone know how he got
> in ?????
>
>
> ----- Original Message -----
> From: "Kevin O'Gilvie"
> To:
> Sent: Tuesday, May 08, 2001 12:32 AM
> Subject: Just been Hacked!!!!! [7:3452]
>
>
> > Apparently over the weekend Poison Box got past my Pix and overwrote some
> > files on the intranet Box and maybe more damage than I know of at this
> > moment. I need help on finding out how they got in and how to prevent it
> > happening in the future. Please help.
> >
> > Thanks,
> >
> > Kevin
> > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3517&t=3452
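
Neil's reply says the "root.exe" found under msadc is a copy of "cmd.exe". The following is an added example, not part of the original thread: it goes beyond the single file name and reports any file under the web-executable directories whose contents match a reference binary, whatever it has been renamed to. The function names and the sample directory tree are constructed for illustration; on a real server the reference would be cmd.exe and the roots would be the msadc and scripts directories.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(reference, roots):
    """Return sorted paths under roots whose content equals the reference file."""
    ref_size, ref_hash = os.path.getsize(reference), sha256_of(reference)
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    # Cheap size comparison first; hash only on a size match.
                    if os.path.getsize(path) == ref_size and sha256_of(path) == ref_hash:
                        hits.append(path)
                except OSError:
                    continue  # unreadable or vanished file: keep scanning
    return sorted(hits)


def demo():
    """Scan a constructed tree; no real system files are touched."""
    shell = b"constructed stand-in for cmd.exe contents"
    tree = {  # constructed sample layout (assumption, not from the thread)
        "system32/cmd.exe": shell,
        "msadc/root.exe": shell,
        "scripts/renamed.exe": shell,
        "scripts/default.asp": b"<% Response.Write(1) %>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in tree.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        roots = [os.path.join(tmp, d) for d in ("msadc", "scripts")]
        hits = find_copies(os.path.join(tmp, "system32", "cmd.exe"), roots)
        return [os.path.relpath(p, tmp).replace(os.sep, "/") for p in hits]
```

Any hit is a file to quarantine and investigate, since a command interpreter has no legitimate reason to sit in a directory the web server can execute from.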