James,
In addition to all the other checks people have posted, you may also want to head over to eEye http://www.eeye.com/html/ and grab their free Nimda scanner (thanks Mark, et al!) to run after you've done all your patching/repairing. 
We have a fairly large development subnet here, and I run the scanner against it daily. Some of our software developers are in too much of a rush to "bother" patching their IIS test boxes. These boxes are all internal on our network (172 IP range); nonetheless, Nimda and Code Red can run amuck from the inside as well. When I find a box that hasn't been patched, I email the box admin and give him/her 15 minutes to patch it; after that I shut off the WWW service and turn off the port on the switch they are connected to...they usually find the time to patch things after that.
 
-Jim
 

Jim Holmgren MCSE, CCNA
[EMAIL PROTECTED]
Network Engineer
Advertising.com


-----Original Message-----
From: James Corlew [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 1:50 PM
To: NT System Admin Issues
Subject: What to check if my IIS server has been compromised.

Hi everyone, I am a newer member to this list and enjoy all the good information everyone shares.
 
I got an e-mail from our admin at another location looking for advice. I believe he is running IIS 4 on an NT 4 box without the current security patches. If a NAV Corporate edition scan doesn't come up with anything, what files, entries, accounts etc. should I look for after patching the server to be sure it isn't compromised?
 
Thanks in advance for any help
 
James Corlew


 


Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/
