Speaking of security and how to go about fixing things here, here is some excellent advice from people on the lists... a compilation from my posts last week.

----------------------------------------------------------------------

You're not going to like what I have to say, I don't think. If your server has been compromised, you can't fix it by simply taking it offline and installing patches. Anything on the server could very well have been compromised. Ideally, you should wipe the disks, reinstall the OS and everything else, and restore your application files from a trusted backup. Otherwise, you can't be sure that other back doors haven't been set up on the box.

During the reinstall process, you might want to take a look at the following resources, in addition to everything else that's been suggested:

"Securing Windows NT/2000 Servers for the Internet", Stefan Norberg, O'Reilly. This is a very good explanation of securing IIS web servers, and contains good step-by-step instructions.

"Hardening Windows 2000 Guide", available as a PDF download: http://www.systemexperts.com/win2k/HardenWin2K.html

"Windows NT Security Guidelines", written by Trusted Systems for NSA, available as a download: http://www.trustedsystems.com/tss_nsa_guide.htm
This doesn't have too much to do with web services specifically, but provides a clear description of basic use of ACLs, which is essential for securing your web server.

Dave Watts [[EMAIL PROTECTED]]

-----------------------------------------------------

I do a security scan of my system every now and again using whisker from RFP (http://www.wiretrip.net/rfp/2/index.asp). I suggest everyone either do the same or ask someone you trust to do it for you. It takes little time to do and the rewards could be massive (especially with the supposed cyberwar coming).

Also, run a few searches over your code for things like CFFILE, CFINCLUDE and other tags that can be used as attack points. A few hours of code review could save days in code rebuild.
As for how he got in, check all the logs on the box. Look for file gaps to see if he hacked them to cover his trail. If there are none, then look for things out of the ordinary like .dll, .htx or other calls. Between the system logs, web logs, CF logs and whatever, you may find his attack route. Finally, check out securityfocus.com and the other security sites. They may know.

Michael Dinowitz [[EMAIL PROTECTED]]

-----------------------------------------------------

ALL of my client sites were hacked and defaced last week (by Evil Angelica), and the only common thread among them was my WS-FTP.INI file. I would suggest taking a look here to find the common thread, which might give you a clue: http://defaced.alldas.de/defaced.php?attacker=PoizonB0x&p=1

Diana Nichols [[EMAIL PROTECTED]]

-----------------------------------------------------

PoisonBox is a rather infamous group of hackers... if they want in, they can get in. I believe they were the group that bragged of hacking 200+ Chinese websites recently, and got mentioned in Wired...

Take a look at the time the files were altered, look in your log files around those times. See if you can find out what URLs were requested, or see if any other abnormal activity was going on. Make sure all of the below holes are patched or taken care of too.

http://www.wittys.com/files/mab/iis-hacking.html

Jon Hall [[EMAIL PROTECTED]]

-----------------------------------------------------

Websites in America and China are the trophies. It's not a 'real war', but you've got hackers and crackers from both sides hitting the other for protest points. As for your ISP, they may say that the security is your problem or they may not. Best thing to do is make sure your patches are up to date, follow the proper coding standards so as to not open any holes and keep an eye on some security lists or sites.
Michael Dinowitz [[EMAIL PROTECTED]]

-----------------------------------------------------

Hacking Exposed is a great book to learn about network and computer security. It covers the basics of hacking and how to protect yourself. It even has a section on website hacking and uses Cold Fusion as an example. I would recommend it to anyone interested in securing their server/network.

http://www.amazon.com/exec/obidos/ASIN/0072127481/o/qid=988661199/sr=8-1/ref=aps_sr_b_1_1/107-8938936-0034118

I also have a couple of script-kiddie tools I would be happy to run on your site to check the basics. Send me an email off the list if you are interested.

Dave Livingston [[EMAIL PROTECTED]]

-----------------------------------------------------

As far as IIS4/5 is concerned, a version not completely up to date (read: get mail notification of new exploits/patches) is a security hole waiting to happen, especially if the old pre-ASP .htr extensions are enabled. Heh, it's actually still a security hole waiting to happen even patched, but that's just IIS. I'm not overly familiar w/ anything win32, so you might want to check these sites.

http://www.attrition.org/
http://www.securityfocus.com/
http://www.microsoft.com/technet/security/current.asp
http://www.ntbugtraq.com/

Raymond B. [[EMAIL PROTECTED]]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
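Michael Dinowitz's and Jon Hall's log advice above (look for gaps in the logs, look at the requests around the time the defaced files were altered, and watch for .dll/.htx/.htr calls) as a small triage script. This is an added example, not code from any of the posts; the log lines, the file modification time and the simplified six-field W3C layout are constructed for illustration, so adjust the field positions to match the `#Fields:` line of a real IIS log.

```python
from datetime import datetime, timedelta

# Constructed sample IIS W3C log lines (not from the original posts).
# Assumed fields: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = """\
2001-05-01 02:10:05 10.0.0.5 GET /index.cfm 200
2001-05-01 02:11:30 10.0.0.5 GET /products.cfm 200
2001-05-01 03:54:50 192.0.2.77 GET /scripts/filter.dll 500
2001-05-01 03:55:12 192.0.2.77 GET /default.htr 200
2001-05-01 03:55:40 192.0.2.77 POST /upload.cfm 200
2001-05-01 03:57:02 192.0.2.77 GET /index.htm 200
2001-05-01 04:22:00 10.0.0.9 GET /index.htm 200
""".splitlines()

# Constructed: modification time of the defaced page, as read from the file system.
DEFACED_FILES = {"index.htm": datetime(2001, 5, 1, 3, 56, 30)}

# Extensions the posts single out for a second look (.htr is the old pre-ASP handler).
SUSPECT_EXTS = (".dll", ".htx", ".htr")

def parse_log(lines):
    """Parse W3C-style lines into (timestamp, client_ip, method, uri, status) tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip #Fields/#Date directives and blank lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        entries.append((ts, parts[2], parts[3], parts[4], int(parts[5])))
    return entries

def find_gaps(entries, max_gap=timedelta(minutes=30)):
    """Silent stretches longer than max_gap on a normally busy site: a hint that lines were removed."""
    return [(a[0], b[0]) for a, b in zip(entries, entries[1:]) if b[0] - a[0] > max_gap]

def requests_near(entries, mtime, window=timedelta(minutes=10)):
    """Requests logged within +/- window of a file's modification time."""
    return [e for e in entries if abs(e[0] - mtime) <= window]

def suspect_requests(entries, exts=SUSPECT_EXTS):
    """Requests for .dll/.htx/.htr handlers that a ColdFusion site would not normally serve."""
    return [e for e in entries if e[3].lower().endswith(exts)]

if __name__ == "__main__":
    log = parse_log(IIS_LOG)
    print("gaps:", find_gaps(log))
    print("near index.htm:", requests_near(log, DEFACED_FILES["index.htm"]))
    print("suspect:", suspect_requests(log))
```

On the constructed data every request within ten minutes of the defacement comes from one client, which is the kind of thread the posts suggest pulling on before deciding what else on the box to distrust.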