John,

There are thirty pages of sites, and the list is of course not exclusive to you. Your server was hacked, and now everything on it needs to be reviewed. This isn't going to be a case of patching a single piece of software and assuming that everything is secure. The hole that was exploited was only the initial point of entry, and these guys typically break down security in steps to eventually gain administrative access.

I once ran L0pht Crack on my password hash and it found about 2/3 of the passwords on my server within a matter of a few minutes. It would have found 95% within a day, and everything within a week to a month using a 1.7 GHz computer. Alphanumeric toggled case passwords are not enough. Since your server was exploited, I would consider every password on your server to be insecure, so even if you patched every last thing and took out all of the offending code, they might be able to just simply log in through the front door.

I'm guessing that the defacement is repopulating itself by way of a startup script, probably located in your registry or autoexec.bat, but it could be elsewhere as well. Again, that's likely only the tip of the iceberg, so patch everything and employ better security.

Matt

john cesta wrote:
> Yea, Matt those are our sites at zone-h.org
>
> They don't have any info on the hack just who has it.
>
> Thanks
> John
>
> On Tue, 04 Jan 2005 14:51:59 -0500, Matt wrote:
>> http://www.zone-h.org/en/defacements/filter/filter_defacer=tugr@/
>>
>> Clean your computer carefully and close the holes (patch everything and change all passwords). You should consider using Microsoft's URLScan to prevent many IIS exploits, move all Internet accessible data off of the C partition, and block access to nonessential ports with a router. That combined with regular patching will prevent guys like this from hacking your site since they will find easier prey elsewhere and all they are looking for is an opportunity for defacement and not necessarily to deface you.
>>
>> Matt
>>
>> john cesta wrote:
>>> Has anyone heard of this one? What they do is to copy:
>>>
>>> index.php .cfm .htm .html .asp
>>> default.php .cfm .htm .html .asp
>>>
>>> to the root folder of every web site.
>>>
>>> I can't find much on it on the web. I thought I had figured it to be an old servu ftp server hack so I upgraded about 3 weeks ago but today upon reboot it happened again.
>>>
>>> I have a fully patched win2k server
>>>
>>> Thanks

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
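The symptom described in the thread, the same page copied over index.* and default.* in the root folder of every web site, can be checked for by hashing those default documents and flagging content that is identical across several sites. The following is an added example, not code from the thread; it assumes each site's root folder sits directly under one parent directory, and the sample tree it builds is constructed.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Default-document names the original post lists as being overwritten.
TARGETS = {f"{stem}{ext}" for stem in ("index", "default")
           for ext in (".php", ".cfm", ".htm", ".html", ".asp")}

def find_mass_dropped(sites_root, min_sites=3):
    """Return {sha256: [paths]} for default documents whose identical
    content appears in the root folder of at least min_sites sites."""
    by_hash = defaultdict(list)
    for site in sorted(Path(sites_root).iterdir()):
        if not site.is_dir():
            continue
        for entry in sorted(site.iterdir()):  # site root only, as in the post
            if entry.is_file() and entry.name.lower() in TARGETS:
                digest = hashlib.sha256(entry.read_bytes()).hexdigest()
                by_hash[digest].append(entry)
    return {h: paths for h, paths in by_hash.items()
            if len({p.parent for p in paths}) >= min_sites}

def build_sample_tree(root):
    """Constructed sample: four sites, three carrying the same dropped page."""
    dropped = b"<html><body>constructed defacement page</body></html>"
    for i in range(4):
        site = Path(root) / f"site{i}"
        site.mkdir()
        (site / "about.html").write_bytes(b"legitimate page %d" % i)
        if i < 3:
            (site / "index.html").write_bytes(dropped)
            (site / "Default.asp").write_bytes(dropped)
        else:
            (site / "index.html").write_bytes(b"legitimate home page")
    return root

def demo():
    """Run the check over the constructed tree; paths are returned relative."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_mass_dropped(build_sample_tree(tmp))
        return {h: sorted(str(p.relative_to(tmp)) for p in paths)
                for h, paths in hits.items()}

if __name__ == "__main__":
    for digest, paths in demo().items():
        print(digest[:16], len(paths), "files:", *paths)
```

Run on a schedule and after every reboot, a non-empty result shows that the pages have been put back, which is the point at which the startup locations mentioned in the reply are worth reviewing.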