RE: CF trojan? BackdoorJY.sv
> Can you throw us a bone, and point us to some information on how to
> strip down a CF, IIS Server?

Yes. Read the IIS installation checklists on the MS security site
(http://www.microsoft.com/security/) and on securityfocus.com
(http://www.securityfocus.com/). Read about how to use ACLs at
http://www.trustedsystems.com/. Finally, there's a very good O'Reilly book
on securing NT/2K servers called, appropriately enough, "Securing Windows
NT/2000 Servers for the Internet".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~~ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: CF trojan? BackdoorJY.sv
You may also want to look into a piece of software called tripwire
(http://www.tripwire.com). It will create a checksum for all the files on
your system and do a variety of things if something changes. I have not
implemented it yet (NT4 environment) but have an associate (Linux) that
swears by it (not because of it). It may not stop a hack, but it should
allow you to catch it before too much damage can be done.

Justin

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 2:13 AM
To: CF-Talk
Subject: RE: CF trojan? BackdoorJY.sv

> Everyone running IIS should look at this:
>
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
>
> This has kept us pretty much out of the eye of trouble for quite some
> time. Hackers managed to get in almost daily, prior to us recreating
> our systems, adding W2K SP2, and then running this each hour, to make
> sure we were up-to-date. Great free tool.

While HFCheck is a nice tool, there are two points worth mentioning.

1. It only works with IIS 5 (on Win2K).

2. Most of the IIS hotfixes patch functionality that isn't even used by the
vast majority of IIS sites: things like Index Server, IIS-based password
changing, IIS-based printing, and so forth. Rather than relying on Microsoft
patches, you'll get better mileage out of properly configuring your servers
up front. Here's a little secret of mine. I don't bother installing most of
the IIS patches when they come out. I don't have to, because they patch
things that I've already disabled or removed. I can wait until everyone else
has regression-tested the patch on their production web servers.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
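A tripwire-style baseline-and-compare in miniature, added here as an illustration (it is not Tripwire's code and not from anyone on this list): it hashes every file under a directory, stores the baseline as JSON, and on the next run reports what was added, changed or removed. The cfusion/bin tree, the file names and the baseline location in demo() are constructed for the example; an unexpected server.dll appearing in bin is exactly the kind of change this surfaces.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip device nodes and dangling symlinks
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)  # stream large binaries, never read whole
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def save_baseline(root, baseline_path):
    """Hash the tree and persist it; run once on a known-good system."""
    with open(baseline_path, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1, sort_keys=True)

def compare_to_baseline(root, baseline_path):
    """Re-hash the tree and report what was added, modified or removed."""
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = hash_tree(root)
    return {
        "added": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(p for p in old if p not in new),
    }

def demo():
    """Constructed sample: a fake cfusion/ tree, then a dropped server.dll."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "cfusion")
    os.makedirs(os.path.join(root, "bin"))
    Path(root, "bin", "cfserver.exe").write_bytes(b"original binary")
    baseline = os.path.join(work, "baseline.json")  # kept outside the watched tree
    save_baseline(root, baseline)
    Path(root, "bin", "server.dll").write_bytes(b"not part of the install")
    Path(root, "bin", "cfserver.exe").write_bytes(b"tampered binary")
    return compare_to_baseline(root, baseline)
```

Keep the baseline off the monitored tree and off the box (or at least read-only), since anyone who can drop files into cfusion\bin can also rewrite a baseline stored beside them.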
Removing IIS ISAPI extensions Was [CF trojan? BackdoorJY.sv]
> Can you throw us a bone, and point us to some information on how to
> strip down a CF, IIS Server?

With Win2k and NT4.0 the steps are mostly the same. I will use Win2k as an
example.

For the whole server:

- In the IIS admin console get properties for the server.
- In Master Properties "box" select Master Properties for "WWW Service",
  click edit.
- Find the home directory tab, click on it.
- Find the Configuration button, click on it.
- Under application mappings I remove all but .cfm.

Note: only remove the ones you are not using. If you are using the Indexing
service apply all of the indexing service patches.

Note: When you install service packs or if you add a component to Windows
with the Windows setup program these mappings will most likely sneak back
in. So, get in the habit of checking these mappings each time you install
software on the box.

Hope this helps

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-----Original Message-----
From: Surma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 8:31 AM
To: CF-Talk
Subject: Re: CF trojan? BackdoorJY.sv

> Rather than relying on Microsoft
> patches, you'll get better mileage out of properly configuring your servers
> up front. Here's a little secret of mine. I don't bother installing most of
> the IIS patches when they come out. I don't have to, because they patch
> things that I've already disabled or removed. I can wait until everyone else
> has regression-tested the patch on their production web servers.

Can you throw us a bone, and point us to some information on how to strip
down a CF, IIS Server?

Lee Surma
[EMAIL PROTECTED]
RE: CF trojan? BackdoorJY.sv
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

Eric Dawson
Alive New Media
Looking for free beer, easy contracts and sleep
Work hard, play harder!

"You could try another approach."
My token Dave Watts quote (just trying to fit in. :)

From: "Christopher Olive, CIO" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: CF-Talk <[EMAIL PROTECTED]>
Subject: RE: CF trojan? BackdoorJY.sv
Date: Thu, 19 Jul 2001 09:18:55 -0400

actually, microsoft has a good article on hardening IIS5. don't have the
link right now, but go to microsoft.com and search for "securing IIS5".

chris olive, cio
cresco technologies
[EMAIL PROTECTED]
http://www.crescotech.com

-----Original Message-----
From: Surma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:31 AM
To: CF-Talk
Subject: Re: CF trojan? BackdoorJY.sv

> Rather than relying on Microsoft
> patches, you'll get better mileage out of properly configuring your servers
> up front. Here's a little secret of mine. I don't bother installing most of
> the IIS patches when they come out. I don't have to, because they patch
> things that I've already disabled or removed. I can wait until everyone else
> has regression-tested the patch on their production web servers.

Can you throw us a bone, and point us to some information on how to strip
down a CF, IIS Server?

Lee Surma
[EMAIL PROTECTED]
RE: CF trojan? BackdoorJY.sv
actually, microsoft has a good article on hardening IIS5. don't have the
link right now, but go to microsoft.com and search for "securing IIS5".

chris olive, cio
cresco technologies
[EMAIL PROTECTED]
http://www.crescotech.com

-----Original Message-----
From: Surma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:31 AM
To: CF-Talk
Subject: Re: CF trojan? BackdoorJY.sv

> Rather than relying on Microsoft
> patches, you'll get better mileage out of properly configuring your servers
> up front. Here's a little secret of mine. I don't bother installing most of
> the IIS patches when they come out. I don't have to, because they patch
> things that I've already disabled or removed. I can wait until everyone else
> has regression-tested the patch on their production web servers.

Can you throw us a bone, and point us to some information on how to strip
down a CF, IIS Server?

Lee Surma
[EMAIL PROTECTED]
Re: CF trojan? BackdoorJY.sv
> Rather than relying on Microsoft
> patches, you'll get better mileage out of properly configuring your servers
> up front. Here's a little secret of mine. I don't bother installing most of
> the IIS patches when they come out. I don't have to, because they patch
> things that I've already disabled or removed. I can wait until everyone else
> has regression-tested the patch on their production web servers.

Can you throw us a bone, and point us to some information on how to strip
down a CF, IIS Server?

Lee Surma
[EMAIL PROTECTED]
RE: CF trojan? BackdoorJY.sv
Agreed... You make valid points. However, keep in mind that most WSPs/ISPs
are not paying that much attention to what is needed or not needed. So they
figure they'll just "do what Microsoft says.. Run it out of the box!". For
those types.. This is a great tool. It does, however, keep many of us who do
run Index Server, etc., in the clear. ;)

Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
"We ARE the net."
http://www.aaawebhosting.com

> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 18, 2001 11:13 PM
> To: CF-Talk
> Subject: RE: CF trojan? BackdoorJY.sv
>
> > Everyone running IIS should look at this:
> >
> > http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
> >
> > This has kept us pretty much out of the eye of trouble for quite some
> > time. Hackers managed to get in almost daily, prior to us recreating
> > our systems, adding W2K SP2, and then running this each hour, to make
> > sure we were up-to-date. Great free tool.
>
> While HFCheck is a nice tool, there are two points worth mentioning.
>
> 1. It only works with IIS 5 (on Win2K).
>
> 2. Most of the IIS hotfixes patch functionality that isn't even used by
> the vast majority of IIS sites: things like Index Server, IIS-based
> password changing, IIS-based printing, and so forth. Rather than relying
> on Microsoft patches, you'll get better mileage out of properly
> configuring your servers up front. Here's a little secret of mine. I
> don't bother installing most of the IIS patches when they come out. I
> don't have to, because they patch things that I've already disabled or
> removed. I can wait until everyone else has regression-tested the patch
> on their production web servers.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
RE: CF trojan? BackdoorJY.sv
> Everyone running IIS should look at this:
>
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
>
> This has kept us pretty much out of the eye of trouble for quite some
> time. Hackers managed to get in almost daily, prior to us recreating
> our systems, adding W2K SP2, and then running this each hour, to make
> sure we were up-to-date. Great free tool.

While HFCheck is a nice tool, there are two points worth mentioning.

1. It only works with IIS 5 (on Win2K).

2. Most of the IIS hotfixes patch functionality that isn't even used by the
vast majority of IIS sites: things like Index Server, IIS-based password
changing, IIS-based printing, and so forth. Rather than relying on Microsoft
patches, you'll get better mileage out of properly configuring your servers
up front. Here's a little secret of mine. I don't bother installing most of
the IIS patches when they come out. I don't have to, because they patch
things that I've already disabled or removed. I can wait until everyone else
has regression-tested the patch on their production web servers.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: CF trojan? BackdoorJY.sv
Everyone running IIS should look at this:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

This has kept us pretty much out of the eye of trouble for quite some time.
Hackers managed to get in almost daily, prior to us recreating our systems,
adding W2K SP2, and then running this each hour, to make sure we were
up-to-date. Great free tool.

HTH

Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
"We ARE the net."
http://www.aaawebhosting.com

> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 18, 2001 9:25 PM
> To: CF-Talk
> Subject: RE: CF trojan? BackdoorJY.sv
>
> > My virus checker (mcafee) just revealed 4 viruses on my server:
> >
> > C:\server.dll
> > c:\server.exe
> > c:\cfusion\bin\server.dll
> > c:\cfusion\bin\server.exe
> >
> > it said they all were infected with BackdoorJY.dll or BackdoorJY.svr
> > trojans.
> >
> > This is a Windows 2000 advanced server with CF4.5.1SP2.
> > I recently added SP2 and this is the first check since then. I don't
> > know if it is related?
> >
> > I do not have another cf4.5 server that I can take these files from
> > to replace the infected ones... (My test server was just upgraded to
> > the evaluation version of cf5). Can these be deleted? McAfee doesn't
> > have info on this trojan yet.. is it specific to CF? Any ideas on
> > how to fix it?
>
> I'll bet those files have been put on your server maliciously, not just
> infected while on your server. There are no files named server.dll or
> server.exe that come with CF, or with Win2K. So, you probably have some
> open vulnerability that allows people to get files onto your server -
> just deleting the files won't fix that vulnerability.
>
> If your server has been compromised, and you want to guarantee that
> you've fixed the problem, you only have one real alternative. You're not
> going to like it, either. In my opinion, the only way to secure the
> server at this point, since you don't know what's been put where on it,
> is to format the drives and reinstall the OS and applications from
> scratch.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
RE: CF trojan? BackdoorJY.sv
> My virus checker (mcafee) just revealed 4 viruses on my server:
>
> C:\server.dll
> c:\server.exe
> c:\cfusion\bin\server.dll
> c:\cfusion\bin\server.exe
>
> it said they all were infected with BackdoorJY.dll or BackdoorJY.svr
> trojans.
>
> This is a Windows 2000 advanced server with CF4.5.1SP2.
> I recently added SP2 and this is the first check since then. I don't
> know if it is related?
>
> I do not have another cf4.5 server that I can take these files from
> to replace the infected ones... (My test server was just upgraded to
> the evaluation version of cf5). Can these be deleted? McAfee doesn't
> have info on this trojan yet.. is it specific to CF? Any ideas on
> how to fix it?

I'll bet those files have been put on your server maliciously, not just
infected while on your server. There are no files named server.dll or
server.exe that come with CF, or with Win2K. So, you probably have some open
vulnerability that allows people to get files onto your server - just
deleting the files won't fix that vulnerability.

If your server has been compromised, and you want to guarantee that you've
fixed the problem, you only have one real alternative. You're not going to
like it, either. In my opinion, the only way to secure the server at this
point, since you don't know what's been put where on it, is to format the
drives and reinstall the OS and applications from scratch.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
CF trojan? BackdoorJY.sv
My virus checker (mcafee) just revealed 4 viruses on my server:

C:\server.dll
c:\server.exe
c:\cfusion\bin\server.dll
c:\cfusion\bin\server.exe

it said they all were infected with BackdoorJY.dll or BackdoorJY.svr
trojans.

This is a Windows 2000 advanced server with CF4.5.1SP2.
I recently added SP2 and this is the first check since then. I don't know if
it is related?

I do not have another cf4.5 server that I can take these files from to
replace the infected ones... (My test server was just upgraded to the
evaluation version of cf5). Can these be deleted? McAfee doesn't have info
on this trojan yet.. is it specific to CF? Any ideas on how to fix it?

Al