Hacked Site

Pat

Our site was hacked over the weekend. They dropped in a default.htm
page. I'm running IIS 5 on W2K with SP4 and the latest updates. I am
behind a SonicWall Pro with the server out on the DMZ. I have the
times the files were placed on the server and am starting to look through
the log files for info. How can a hacker do this? Through ASP or
something I'm overlooking? What can I look at to see what happened, and
what can I do to harden my server?

thanks
 
Robert Moir

No real answer to this without knowing what the logs say. The problem with
any web server on the internet is that you have to be "lucky" hundreds of
times when it comes to patching/configuring your system to block every
possible exploit, and the other side only has to be lucky once.

Until you know more about what happened, I'd suggest keeping the server
offline and off your internal network as well, if applicable.

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
Pat

If someone is able to place files on my server, would they show up with
a PUT command in the log file?
 
Robert Moir

Possibly, if that's how they were placed there. But there are many other ways
to do it.
 
Pat

I've found PUT records for each file placed there. Do you know
what Propfind and mainframe.css do?
 
Karl Levinson [x y] mvp

http://securityadmin.info/faq.asp#iislogs2
http://securityadmin.info/faq.asp#iislogs
http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#harden
http://securityadmin.info/faq.asp#firewall

Generally hacking IIS happens because you were missing patches, had poor
default configurations in place, and/or were missing a firewall. If the
hacking happened through IIS, installing the free URLScan from
www.microsoft.com/technet/security probably would have prevented it. Also
check out the Windows and IIS hardening checklists at that same URL. If the
hacking was done through an IIS buffer overflow or was not done through IIS
at all, or the attacker was able to delete your log files, you would not see
anything in the IIS logs. You may want to check your firewall logs [you do
have a firewall, right? There are even free ones out there] and consider a
file change checker like the free SIM from www.gfi.com.
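As an added example (not code from any poster in this thread): a small Python triage script for the IIS W3C extended log Pat is searching. It pulls out the WebDAV and write methods discussed here (PUT, PROPFIND and relatives), records which account and which port each successful write used, and counts 401s before a client's first success so you can tell guessed credentials from credentials that were already known. The log lines are constructed, with documentation-range addresses.

```python
"""Triage an IIS W3C extended log for WebDAV write activity.
Added example for this thread; not code from any poster."""
from collections import defaultdict
from datetime import datetime, timedelta

# Methods that create, change or delete content, and methods used to enumerate it.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
RECON_METHODS = {"PROPFIND", "OPTIONS", "SEARCH"}
WATCHED = WRITE_METHODS | RECON_METHODS

# Constructed sample in IIS 5 W3C extended format (times are UTC, as IIS logs them);
# client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-01-24 02:10:11
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2004-01-24 02:10:11 198.51.100.23 - 10.0.0.5 80 GET /default.htm - 200
2004-01-24 02:11:02 198.51.100.23 - 10.0.0.5 80 PROPFIND / - 401
2004-01-24 02:11:03 198.51.100.23 - 10.0.0.5 80 PROPFIND / - 401
2004-01-24 02:11:04 198.51.100.23 webuser 10.0.0.5 80 PROPFIND / - 207
2004-01-24 02:11:09 198.51.100.23 webuser 10.0.0.5 80 PUT /default.htm - 201
2004-01-24 02:11:15 198.51.100.23 webuser 10.0.0.5 80 PUT /mainframe.css - 201
2004-01-24 03:00:00 203.0.113.9 - 10.0.0.5 80 GET /index.asp - 200
2004-01-24 09:30:00 192.0.2.44 webuser 10.0.0.5 443 PUT /news.htm - 201
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def webdav_activity(text):
    """Records using a watched method, each flagged if it arrived on a non-SSL port
    (Basic credentials on such a request crossed the wire in cleartext)."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() in WATCHED:
            rec["cleartext"] = rec.get("s-port") != "443"
            hits.append(rec)
    return hits


def files_written(text):
    """Map each path touched by a successful write method to
    (timestamp, client IP, account, cleartext?) for correlation with file mtimes."""
    out = {}
    for rec in webdav_activity(text):
        if rec["cs-method"].upper() in WRITE_METHODS and rec["sc-status"].startswith("2"):
            out[rec["cs-uri-stem"]] = (rec["ts"], rec["c-ip"], rec["cs-username"], rec["cleartext"])
    return out


def auth_failures_before_success(text, window=timedelta(minutes=5)):
    """Per client IP: 401s in the window before its first successful watched request.
    Many 401s then a 2xx suggests guessing; a 2xx with no prior 401 suggests the
    credentials were already known to the client."""
    by_ip = defaultdict(list)
    for rec in webdav_activity(text):
        by_ip[rec["c-ip"]].append(rec)
    result = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        first_ok = next((r for r in recs if r["sc-status"].startswith("2")), None)
        if first_ok is None:
            result[ip] = {"failures": sum(r["sc-status"] == "401" for r in recs),
                          "success": None, "user": None}
            continue
        fails = sum(1 for r in recs
                    if r["sc-status"] == "401"
                    and first_ok["ts"] - window <= r["ts"] < first_ok["ts"])
        result[ip] = {"failures": fails, "success": first_ok["ts"],
                      "user": first_ok["cs-username"]}
    return result


if __name__ == "__main__":
    for path, (ts, ip, user, clear) in sorted(files_written(SAMPLE_LOG).items()):
        print(f"{ts} {path:<16} by {user}@{ip} {'cleartext' if clear else 'SSL'}")
    for ip, info in auth_failures_before_success(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at a real log by replacing SAMPLE_LOG with the file's contents; the #Fields line in each IIS log file drives the column names, so the script copes with whatever fields the server was configured to log.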
 
ssshades2

Pat said:
I've found PUT records for each file placed there. Do you know
what Propfind and mainframe.css do?

mainframe.css appears to be a content style sheet.

Propfind is apparently a WebDAV method...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/_webdav_propfind.asp

"The WebDAV PROPFIND Method retrieves properties for a resource identified by
the request Uniform Resource Identifier (URI). The PROPFIND Method can be used
on collection and property resources."

I believe there were also some recent patches for WebDAV via Windows Update...


--
..:~*^*~:.:~*^*:..:~*^*~:.:~*^*~:.:~*^*~:.

"We're in the pipe... 5 by 5..."

shades2 (Perth, WA)
http://www.iinet.net.au/~shades2

PGP Public Keys:
http://members.iinet.net.au/~shades2/pgpkey.html

 
Pat

Thanks for the responses and links, everybody.

 
Pat

I have SP4 on the W2K box with all the latest patches, running a
SonicWall Pro with the server out on the DMZ. I tried the links but they
are not working.

 
Kyle Cui [MSFT]

Hi Pat,

Thanks for posting here! I am sorry to hear about the difficulties you
encountered.

As Robert mentioned before, there may be various methods for hackers to attack
an insecure web site, so it may not be easy for us to tell how they put the
file on your web site.

The Propfind command is a WebDAV method which retrieves properties for a
resource identified by the request Uniform Resource Identifier (URI). In
this case, it seems that you have WebDAV Publishing enabled on your web site. As
Basic authentication is used by WebDAV by default, and the username and
password are transferred in plain text during Basic authentication, I am
afraid that this may be how this issue occurred.

I would like to confirm whether WebDAV is necessary for your web site. If
not, you may refer to the following KB article to disable it in IIS:
241520 How to Disable WebDAV for IIS 5.0
http://support.microsoft.com/?id=241520

If you need WebDAV publishing, it is suggested that you use SSL with basic
authentication for WebDAV publishing. To do so, please refer to the
following KB article:
323470 HOW TO: Create a Secure WebDAV Publishing Directory
http://support.microsoft.com/?id=323470

Moreover, you may want to use the IIS Lockdown and URLScan tools to configure
web servers securely. For your convenience, I have included the following
WebCast, which provides an overview for administrators of how to use these
tools.
817807 Support WebCast: Internet Information Services: Configuring IIS Using
http://support.microsoft.com/?id=817807

If you have any further concerns, please post into the following group for
more info:
microsoft.public.inetserver.iis.security

I hope this info helps!

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Sun, 25 Jan 2004 18:52:48 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20432
| X-Tomcat-NG: microsoft.public.win2000.security
|
 
Robert Moir

Pat said:
I've found PUT records for each file placed there. Do you know
what Propfind and mainframe.css do?

You've got good answers about these file names specifically since you posted
that, so I won't repeat them, but keep in mind that someone could give a file
any name; you can't judge a book by its cover with this stuff. Also, they
may have tidied up and removed most of the obvious signs of what they did
after they had finished altering your homepage.
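Robert's point that a file name proves nothing is why a change checker compares content hashes rather than names. As an added example (not the GFI tool Karl mentioned, and not any poster's code), a Python baseline-and-compare script for a web root; its demo() builds a throwaway web root, then applies the changes this thread describes (a dropped default.htm, an edited page, a deleted asset) and reports the difference.

```python
"""Baseline a web root by content hash and report what changed.
Added example for this thread; not code from any poster or vendor."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large uploads don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative posix path: sha256} for every regular file under root.
    Hashing content means an edited page keeps its name but changes its digest,
    and a new file with an innocuous name still shows up as added."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # do not follow links out of the web root
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline, path):
    # Keep the saved baseline off the web server (or on read-only media): an
    # intruder who can rewrite the web root can rewrite a local baseline too.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(old, new):
    """Diff two baselines into sorted added / removed / modified path lists."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def check(root, baseline_path):
    """Re-hash root and report what changed since the saved baseline."""
    return compare(load_baseline(baseline_path), build_baseline(root))


def demo():
    """Constructed scenario: baseline a small web root, then deface it the way the
    thread describes and return the detected changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "images").mkdir(parents=True)
        (root / "index.asp").write_text("<%= Now() %>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        # The changes an intruder made: new default.htm, edited page, deleted asset.
        (root / "default.htm").write_text("<html>defaced</html>")
        (root / "index.asp").write_text("<%= Now() %><!-- changed -->")
        (root / "images" / "logo.gif").unlink()
        return check(root, baseline_file)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:<9} {paths}")
```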
 
Pat

Kyle,
thank you for the information.

 
Pat

Kyle,
how is WebDAV enabled?

 
Kyle Cui [MSFT]

Hi Pat,

Thanks for the update.

WebDAV is enabled by default on IIS 5. Considering the possible security
risk, it has been disabled since IIS 6.

For IIS 5, as I suggested before, you can disable it if it is not necessary
for your web site. If you need WebDAV, please use the IIS Lockdown and URLScan
utilities to keep your web site secure.

If you have any further concerns, please feel free to let me know.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

 
Pat

Thanks for the response.
 
Pat

If someone got into my site using the PROPFIND command, would they need
a user account? If so, how would they get that?

 
Kyle Cui [MSFT]

Thanks for your reply, Pat!

As we discussed before, Basic authentication is used by WebDAV by default,
so the username and password are transferred in plain text during Basic
authentication (without SSL involved). In this situation, it is easy for an
attacker to trace your network traffic and find the username and password.
That's why I suggested before that, when you would like to use WebDAV, you need
to use SSL with Basic authentication. For your convenience, I have included the
link to the KB article about how to use SSL for WebDAV again:
323470 HOW TO: Create a Secure WebDAV Publishing Directory
http://support.microsoft.com/?id=323470

Moreover, when you publish your web site to the Internet, please make sure
that you use IIS Lockdown and URLscan to protect your web site. More info
here:
817807 Support WebCast: Internet Information Services: Configuring IIS Using
http://support.microsoft.com/?id=817807

Hope this helps to explain.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Tue, 27 Jan 2004 14:17:22 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20606
| X-Tomcat-NG: microsoft.public.win2000.security
|
| if someone got in my site using the propfind command, would they need
| an user account, if so how would they get that?
|
| On Tue, 27 Jan 2004 17:37:22 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Hi Pat,
| >
| >Thanks for the update.
| >
| >WebDAV is enabled by default on IIS5. Considering the possible security
| >risk, it is disabled since IIS 6.
| >
| >For IIS 5, as I suggested before, you can disable it if it is not
necessary
| >for your web site. If you need WebDAV, please use IIS Lockdown and
URLscan
| >utility to keep your web site secure.
| >
| >If you have any further concerns, please feel free to let me know.
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Mon, 26 Jan 2004 19:32:00 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| ><[email protected]>
| ><[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
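The thread turns on two checks a defender can run against the IIS log files Pat was already reading: which requests used WebDAV methods (PROPFIND, PUT and friends), and whether any of those requests carried a username over plain port 80, where basic authentication sends the credentials unencrypted. The script below is an added example, not code from the thread or from Microsoft; it parses IIS W3C extended log lines using the field names from the `#Fields:` header, and the log lines, IP addresses and the `webuser` account in it are constructed for illustration.

```python
"""Scan IIS W3C extended log text for WebDAV activity.

Flags two things the thread discusses:
  * successful write-type WebDAV requests (how a default.htm can be dropped), and
  * authenticated requests served on port 80, i.e. basic-auth credentials
    that crossed the network in cleartext because SSL was not used.

Added example; the sample log below is constructed, not a real capture.
"""
from collections import Counter

# Methods WebDAV adds on top of the usual GET/POST/HEAD.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "PUT", "DELETE", "SEARCH"}
# Subset that changes content on the server.
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}

# Constructed sample in IIS 5 W3C extended format (fields chosen for the example).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-01-24 02:10:05
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2004-01-24 02:10:05 203.0.113.7 - 192.0.2.10 80 GET /default.htm - 200 Mozilla/4.0
2004-01-24 02:11:40 203.0.113.7 - 192.0.2.10 80 PROPFIND / - 207 Microsoft-WebDAV-MiniRedir/5.1
2004-01-24 02:12:02 203.0.113.7 webuser 192.0.2.10 80 PUT /default.htm - 201 Microsoft-WebDAV-MiniRedir/5.1
2004-01-24 02:12:05 203.0.113.7 webuser 192.0.2.10 80 PROPFIND /default.htm - 207 Microsoft-WebDAV-MiniRedir/5.1
2004-01-24 09:00:00 198.51.100.22 webuser 192.0.2.10 443 PUT /news.htm - 201 Microsoft-WebDAV-MiniRedir/5.1
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields matters for parsing.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # request line before any #Fields header: cannot interpret
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than mis-assign
        yield dict(zip(fields, values))


def find_webdav_activity(text):
    """Return a list of findings for every WebDAV request in the log text."""
    findings = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        if method not in WEBDAV_METHODS:
            continue
        user = rec.get("cs-username", "-")
        port = rec.get("s-port", "")
        status = rec.get("sc-status", "")
        flags = []
        if method in WRITE_METHODS and status.startswith("2"):
            flags.append("successful-write")
        if user != "-" and port == "80":
            # A named user on plain HTTP means the Authorization header,
            # and with basic auth the password itself, went over the wire unencrypted.
            flags.append("credentials-over-cleartext")
        findings.append({
            "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
            "client": rec.get("c-ip", "?"),
            "user": user,
            "method": method,
            "path": rec.get("cs-uri-stem", "?"),
            "status": status,
            "flags": flags,
        })
    return findings


def clients_with_writes(findings):
    """Count successful WebDAV writes per client IP (who actually changed files)."""
    return Counter(f["client"] for f in findings if "successful-write" in f["flags"])


if __name__ == "__main__":
    for f in find_webdav_activity(SAMPLE_LOG):
        print(f"{f['when']} {f['client']:15} {f['user']:8} {f['method']:9} "
              f"{f['path']:14} {f['status']} {','.join(f['flags']) or '-'}")
    print("writes per client:", dict(clients_with_writes(find_webdav_activity(SAMPLE_LOG))))
```

Run against a real IIS log, the `credentials-over-cleartext` flag is the quickest way to confirm whether the account used for publishing was ever exposed the way Kyle describes, and `clients_with_writes` narrows the time window and source address worth correlating with firewall logs.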
 
P

Pat

thanks for all the help.

 
K

Kyle Cui [MSFT]

My pleasure, Pat! Hope to assist you here again in the future.

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Pat <[email protected]>
| Subject: Re: Hacked Site
| Date: Wed, 28 Jan 2004 09:27:33 -0500
| Message-ID: <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#8#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| Lines: 1
| Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.
phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.security:20668
| X-Tomcat-NG: microsoft.public.win2000.security
|
| thanks for all the help.
|
| On Wed, 28 Jan 2004 09:02:01 GMT, (e-mail address removed) ("Kyle
| Cui [MSFT]") wrote:
|
| >Thanks for your reply, Pat!
| >
| >As we discussed before, basic authentication is used by WebDAV by
default,
| >so the username and password are transferred in plain text during basic
| >authentication (without SSL involved). In this situation, it is easy for
an
| >attacker to trace your network traffic and find the username and
password.
| >That's why I suggested before, when you would like to use WebDAV, you
need
| >to use SSL with basic authentication. For your convenience, I included the
| >following link to the KB about how to use SSL for WebDAV again:
| >323470 HOW TO: Create a Secure WebDAV Publishing Directory
| >http://support.microsoft.com/?id=323470
| >
| >Moreover, when you publish your web site to the Internet, please make
sure
| >that you use IIS Lockdown and URLscan to protect your web site. More
info
| >here:
| >817807 Support WebCast: Internet Information Services: Configuring IIS
Using
| >http://support.microsoft.com/?id=817807
| >
| >Hope this helps to explain.
| >
| >Have a great day!
| >
| >Thanks & Regards,
| >
| >Kyle Cui
| >Microsoft Online Partner Support
| >MCSE2000, MCDBA2000
| >
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no
rights.
| >--------------------
| >| From: Pat <[email protected]>
| >| Subject: Re: Hacked Site
| >| Date: Tue, 27 Jan 2004 14:17:22 -0500
| >| Message-ID: <[email protected]>
| >| References: <[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><#8#[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><[email protected]>
| ><[email protected]>
| >| X-Newsreader: Forte Agent 1.93/32.576 English (American)
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset=us-ascii
| >| Content-Transfer-Encoding: 7bit
| >| Newsgroups: microsoft.public.win2000.security
| >| NNTP-Posting-Host: mail.htechnology.com 198.65.193.67
| >| Lines: 1
| >| Path:
|
 