[NTISP] Can anyone shed any light?

Mark Muldowney ( (no email) )
Wed, 8 Dec 1999 17:02:44 -0000

Hello list!
well... my worst fears became reality this weekend.
A government web site that we host was hacked by an American hacker
going by the handle of "Sarin". He "0w3ned" the machine for 3 hours
by replacing the default.htm until i was alerted and could put things
back in order. This was on a NT4.0 server running IIS4.0 and cold fusion
with SP4.0 and the latest hotfixes applied. I thought i had it pretty
but obviously not. We were very pleased to get the government contract as we
are only a relatively small ISP, now it looks like we may lose the contract
and be sued as well. The last few days ive gone out of mind trying to fathom
how he did it. I seem to remember an exploit that was mentions a few months
ago involving, i believe, isapi filters which gave access to the webroot
and allowed uploads to the directory, but I've not as yet been able to find
any information on this. If anybody could offer any advice or help i would
really appreciate it as it looks as though my job is on the line.
Ive included these links Ive found to other sarin hacks.




For more information about this list (including removal) go to: