RE: CF trojen? BackdoorJY.sv

2001-07-19 Thread Lee Fuller

Agreed...  You make valid points.

However, keep in mind that most WSPs/ISPs are not paying that much
attention to what is needed or not needed.  So they figure they'll just
do what Microsoft says: run it out of the box!  For those types, this is
a great tool.

It does, however, keep many of us who do run Index Server, etc., in the
clear. ;)


Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
We ARE the net.
http://www.aaawebhosting.com



 -Original Message-
 From: Dave Watts [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, July 18, 2001 11:13 PM
 To: CF-Talk
 Subject: RE: CF trojen? BackdoorJY.sv
 
 
  Everyone running IIS should look at this:
  
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
  
  This has kept us pretty much out of the eye of trouble for quite some
  time.  Hackers managed to get in almost daily, prior to us recreating
  our systems, adding W2K SP2, and then running this each hour, to make
  sure we were up-to-date.  Great free tool.
 
 While HFCheck is a nice tool, there are two points worth mentioning.
 
 1. It only works with IIS 5 (on Win2K).
 
 2. Most of the IIS hotfixes patch functionality that isn't 
 even used by the vast majority of IIS sites: things like 
 Index Server, IIS-based password changing, IIS-based 
 printing, and so forth. Rather than relying on Microsoft 
 patches, you'll get better mileage out of properly 
 configuring your servers up front. Here's a little secret of 
 mine. I don't bother installing most of the IIS patches when 
 they come out. I don't have to, because they patch things 
 that I've already disabled or removed. I can wait until 
 everyone else has regression-tested the patch on their 
 production web servers.
 
 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 voice: (202) 797-5496
 fax: (202) 797-5444
 

~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



Re: CF trojen? BackdoorJY.sv

2001-07-19 Thread Surma

 Rather than relying on Microsoft patches, you'll get better mileage out of
 properly configuring your servers up front. Here's a little secret of mine.
 I don't bother installing most of the IIS patches when they come out. I
 don't have to, because they patch things that I've already disabled or
 removed. I can wait until everyone else has regression-tested the patch on
 their production web servers.

Can you throw us a bone, and point us to some information on how to strip
down a CF/IIS server?

Lee Surma
[EMAIL PROTECTED]








RE: CF trojen? BackdoorJY.sv

2001-07-19 Thread Christopher Olive, CIO

Actually, Microsoft has a good article on hardening IIS5.  I don't have the
link right now, but go to microsoft.com and search for "securing IIS5".

chris olive, cio
cresco technologies
[EMAIL PROTECTED]
http://www.crescotech.com



-Original Message-
From: Surma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:31 AM
To: CF-Talk
Subject: Re: CF trojen? BackdoorJY.sv


 Rather than relying on Microsoft patches, you'll get better mileage out of
 properly configuring your servers up front. Here's a little secret of mine.
 I don't bother installing most of the IIS patches when they come out. I
 don't have to, because they patch things that I've already disabled or
 removed. I can wait until everyone else has regression-tested the patch on
 their production web servers.

Can you throw us a bone, and point us to some information on how to strip
down a CF/IIS server?

Lee Surma
[EMAIL PROTECTED]



RE: CF trojen? BackdoorJY.sv

2001-07-19 Thread Eric Dawson

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

Eric Dawson
Alive New Media

Looking for free beer easy contracts and sleep
Work hard, play harder!

You could try another approach.
My token Dave Watts quote (just trying to fit in. :)



From: Christopher Olive, CIO [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: RE: CF trojen?  BackdoorJY.sv
Date: Thu, 19 Jul 2001 09:18:55 -0400

Actually, Microsoft has a good article on hardening IIS5.  I don't have the
link right now, but go to microsoft.com and search for "securing IIS5".

chris olive, cio
cresco technologies
[EMAIL PROTECTED]
http://www.crescotech.com



-Original Message-
From: Surma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:31 AM
To: CF-Talk
Subject: Re: CF trojen? BackdoorJY.sv


  Rather than relying on Microsoft patches, you'll get better mileage out of
  properly configuring your servers up front. Here's a little secret of mine.
  I don't bother installing most of the IIS patches when they come out. I
  don't have to, because they patch things that I've already disabled or
  removed. I can wait until everyone else has regression-tested the patch on
  their production web servers.

Can you throw us a bone, and point us to some information on how to strip
down a CF/IIS server?

Lee Surma
[EMAIL PROTECTED]



RE: CF trojen? BackdoorJY.sv

2001-07-19 Thread Justin Greene

You may also want to look into a piece of software called tripwire
(http://www.tripwire.com).  It will create a checksum for all the files on
your system and do a variety of things if something changes.  I have not
implemented it yet (NT4 environment) but have an associate (Linux) that
swears by it (not because of it).  It may not stop a hack, but it should
allow you to catch it before too much damage can be done.

Justin

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 2:13 AM
To: CF-Talk
Subject: RE: CF trojen? BackdoorJY.sv


 Everyone running IIS should look at this:
 
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
 
 This has kept us pretty much out of the eye of trouble for quite some
 time.  Hackers managed to get in almost daily, prior to us recreating
 our systems, adding W2K SP2, and then running this each hour, to make
 sure we were up-to-date.  Great free tool.

While HFCheck is a nice tool, there are two points worth mentioning.

1. It only works with IIS 5 (on Win2K).

2. Most of the IIS hotfixes patch functionality that isn't even used by the
vast majority of IIS sites: things like Index Server, IIS-based password
changing, IIS-based printing, and so forth. Rather than relying on Microsoft
patches, you'll get better mileage out of properly configuring your servers
up front. Here's a little secret of mine. I don't bother installing most of
the IIS patches when they come out. I don't have to, because they patch
things that I've already disabled or removed. I can wait until everyone else
has regression-tested the patch on their production web servers.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444



RE: CF trojen? BackdoorJY.sv

2001-07-19 Thread Dave Watts

 Can you throw us bone, and point us to some information on how to 
 strip down a CF, IIS Server?

Yes. Read the IIS installation checklists on the MS security site
(http://www.microsoft.com/security/) and on securityfocus.com
(http://www.securityfocus.com/). Read about how to use ACLs at
http://www.trustedsystems.com/. Finally, there's a very good O'Reilly book
on securing NT/2K servers called, appropriately enough, Securing Windows
NT/2000 Servers for the Internet.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




RE: CF trojen? BackdoorJY.sv

2001-07-18 Thread Dave Watts

 My virus checker (mcafee) just revealed 4 viruses on my server:
 
 C:\server.dll
 c:\server.exe
 c:\cfusion\bin\server.dll
 c:\cfusion\bin\server.exe
 
 it said they all were infected with BackdoorJY.dll or BackdoorJY.svr 
 trojans.
 
 This is a Windows 2000 advanced server with CF4.5.1SP2.
 I recently added SP2 and this is the first check since then. I don't 
 know if it is related?
 
 I do not have another cf4.5 server that I can take these files from 
 to replace the infected ones... (My test server was just upgraded to 
 the evaluation version of cf5). Can these be deleted? McAfee doesn't 
 have info on this trojan yet.. is it specific to CF? Any ideas on 
 how to fix it?

I'll bet those files have been put on your server maliciously, not just
infected while on your server. There are no files named server.dll or
server.exe that come with CF, or with Win2K. So, you probably have some open
vulnerability that allows people to get files onto your server - just
deleting the files won't fix that vulnerability.

If your server has been compromised, and you want to guarantee that you've
fixed the problem, you only have one real alternative. You're not going to
like it, either. In my opinion, the only way to secure the server at this
point, since you don't know what's been put where on it, is to format the
drives and reinstall the OS and applications from scratch.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
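Two points in this thread call for the same tool: Justin Greene's suggestion of Tripwire-style checksums over the whole file system, and Dave Watts's observation above that server.dll and server.exe do not ship with CF or Win2K, so their mere presence is the finding. The script below is an added example, not code from the original posts or from Tripwire: it records a SHA-256 baseline of a directory tree, then reports files that were added, removed or modified. The directory layout and file names (cfusion/bin, cfserver.exe, cfrds.dll) and the "compromise" it simulates are constructed for the demo and are not an inventory of the real product.

```python
"""Tripwire-style file integrity check: baseline a tree, then diff it (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = sha256_of(full)
    return result


def save_baseline(snap: dict, dest: Path) -> None:
    """Persist the baseline. In real use keep this copy off the box or on
    read-only media: anyone who can write server.exe into cfusion\\bin can
    just as easily rewrite a baseline that sits next to it."""
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots.

    'added' is the interesting set for the case in this thread: files that
    no vendor install put there. 'modified' catches trojaned binaries that
    kept their original name."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario (not real product files): a pretend CF install
    tree is baselined, then two foreign files appear beside the real
    binaries and one existing file is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cfusion"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "cfserver.exe").write_bytes(b"legit binary")  # hypothetical name
        (root / "bin" / "cfrds.dll").write_bytes(b"legit dll")        # hypothetical name
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated compromise: dropped files plus one tampered file.
        (root / "bin" / "server.exe").write_bytes(b"not from the vendor")
        (root / "bin" / "server.dll").write_bytes(b"not from the vendor")
        (root / "bin" / "cfrds.dll").write_bytes(b"legit dll, now patched")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as-is to see the constructed case; on a real server you would call snapshot() on the web root and application directories right after a clean rebuild, store the JSON somewhere the web server account cannot write, and schedule compare() against a fresh snapshot. A non-empty "added" or "modified" list is the trigger to treat the box as compromised, which is exactly the point Dave makes about server.dll and server.exe.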




RE: CF trojen? BackdoorJY.sv

2001-07-18 Thread Lee Fuller

Everyone running IIS should look at this:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

This has kept us pretty much out of the eye of trouble for quite some
time.  Hackers managed to get in almost daily, prior to us recreating
our systems, adding W2K SP2, and then running this each hour, to make
sure we were up-to-date.  Great free tool.

HTH


Lee Fuller
Chief Technical Officer
PrimeDNA Corporation / AAA Web Hosting Corporation
We ARE the net.
http://www.aaawebhosting.com



 -Original Message-
 From: Dave Watts [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, July 18, 2001 9:25 PM
 To: CF-Talk
 Subject: RE: CF trojen? BackdoorJY.sv
 
 
  My virus checker (mcafee) just revealed 4 viruses on my server:
  
  C:\server.dll
  c:\server.exe
  c:\cfusion\bin\server.dll
  c:\cfusion\bin\server.exe
  
  it said they all were infected with BackdoorJY.dll or BackdoorJY.svr
  trojans.
  
  This is a Windows 2000 advanced server with CF4.5.1SP2.
  I recently added SP2 and this is the first check since then. I don't
  know if it is related?
  
  I do not have another cf4.5 server that I can take these files from
  to replace the infected ones... (My test server was just upgraded to
  the evaluation version of cf5). Can these be deleted? McAfee doesn't
  have info on this trojan yet.. is it specific to CF? Any ideas on
  how to fix it?
 
 I'll bet those files have been put on your server maliciously, not just
 infected while on your server. There are no files named server.dll or
 server.exe that come with CF, or with Win2K. So, you probably have some
 open vulnerability that allows people to get files onto your server - just
 deleting the files won't fix that vulnerability.
 
 If your server has been compromised, and you want to guarantee that you've
 fixed the problem, you only have one real alternative. You're not going to
 like it, either. In my opinion, the only way to secure the server at this
 point, since you don't know what's been put where on it, is to format the
 drives and reinstall the OS and applications from scratch.
 
 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 voice: (202) 797-5496
 fax: (202) 797-5444
 




RE: CF trojen? BackdoorJY.sv

2001-07-18 Thread Dave Watts

 Everyone running IIS should look at this:
 
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
 
 This has kept us pretty much out of the eye of trouble for quite some
 time.  Hackers managed to get in almost daily, prior to us recreating
 our systems, adding W2K SP2, and then running this each hour, to make
 sure we were up-to-date.  Great free tool.

While HFCheck is a nice tool, there are two points worth mentioning.

1. It only works with IIS 5 (on Win2K).

2. Most of the IIS hotfixes patch functionality that isn't even used by the
vast majority of IIS sites: things like Index Server, IIS-based password
changing, IIS-based printing, and so forth. Rather than relying on Microsoft
patches, you'll get better mileage out of properly configuring your servers
up front. Here's a little secret of mine. I don't bother installing most of
the IIS patches when they come out. I don't have to, because they patch
things that I've already disabled or removed. I can wait until everyone else
has regression-tested the patch on their production web servers.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
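Dave's point above is that most IIS hotfixes fix ISAPI handlers (Index Server, the .htr password-change filter, Internet Printing) that a ColdFusion site never needs, so removing the script mappings up front is worth more than chasing each patch. The script below is an added example, not from the original posts or from Microsoft: it parses a dump in the shape of the IIS 5 metabase ScriptMaps property (extension, handler path, flags, verb list), reports every mapping whose extension is not on the site's allow-list together with the feature that handler exposes, and emits the reduced mapping list. The sample dump, the handler-to-feature table and the CF connector path (ISCF.DLL) are constructed for illustration and should be checked against your own server, not treated as an authoritative list of IIS 5 defaults.

```python
"""Audit IIS 5 script mappings against an allow-list of needed extensions (added example)."""
from dataclasses import dataclass

# Constructed sample in the shape of an IIS 5 ScriptMaps dump:
#   <extension>,<handler path>,<flags>[,<verb>,<verb>...]
# Paths and the exact set of entries are illustrative, not a vendor inventory.
SAMPLE_SCRIPTMAPS = """\
.asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.cer,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST
.idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1,GET,POST
.shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST
.printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST
.ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST
.idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST
.cfm,C:\\CFUSION\\BIN\\ISCF.DLL,1,GET,HEAD,POST
.dbm,C:\\CFUSION\\BIN\\ISCF.DLL,1,GET,HEAD,POST
"""

# Illustrative table of what each handler DLL exposes; the first four are
# the kinds of features Dave Watts says most sites never use.
FEATURE_OF_HANDLER = {
    "idq.dll": "Index Server (.ida/.idq queries)",
    "webhits.dll": "Index Server hit highlighting",
    "ism.dll": "web-based password change (.htr)",
    "msw3prt.dll": "Internet Printing (.printer)",
    "httpodbc.dll": "Internet Database Connector (.idc)",
    "ssinc.dll": "server-side includes",
    "asp.dll": "Active Server Pages",
}


@dataclass(frozen=True)
class ScriptMap:
    extension: str
    handler: str
    flags: int
    verbs: tuple

    @property
    def handler_name(self) -> str:
        return self.handler.rsplit("\\", 1)[-1].lower()

    def to_line(self) -> str:
        return ",".join([self.extension, self.handler, str(self.flags), *self.verbs])


@dataclass(frozen=True)
class Finding:
    extension: str
    handler: str
    feature: str


def parse_scriptmaps(text: str) -> list:
    """Parse one ScriptMaps entry per line; blank lines and '#' comments are skipped."""
    maps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 3:
            raise ValueError(f"malformed ScriptMaps entry: {raw!r}")
        ext, handler, flags, *verbs = fields
        maps.append(ScriptMap(ext.lower(), handler, int(flags), tuple(v.upper() for v in verbs)))
    return maps


def audit(maps: list, needed_extensions) -> list:
    """Every mapping not on the allow-list is reachable attack surface; name the feature."""
    needed = {e.lower() for e in needed_extensions}
    return [
        Finding(m.extension, m.handler_name, FEATURE_OF_HANDLER.get(m.handler_name, "unknown handler"))
        for m in maps
        if m.extension not in needed
    ]


def harden(text: str, needed_extensions) -> str:
    """Return the ScriptMaps text with only the allow-listed extensions kept."""
    needed = {e.lower() for e in needed_extensions}
    kept = [m.to_line() for m in parse_scriptmaps(text) if m.extension in needed]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit(parse_scriptmaps(SAMPLE_SCRIPTMAPS), {".cfm", ".dbm"}):
        print(f"remove {f.extension:9} -> {f.handler:14} ({f.feature})")
    print("--- hardened ScriptMaps ---")
    print(harden(SAMPLE_SCRIPTMAPS, {".cfm", ".dbm"}), end="")
```

For a CF-only site the allow-list is just the ColdFusion extensions, and everything else on the report (.htr, .printer, .ida/.idq, .idc, the ASP family if unused) is a mapping to delete in the Internet Services Manager. The value of auditing from a dump rather than clicking through the MMC is that you can re-run it after every service pack or hotfix, which are known to re-add mappings you already removed.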
