Re: [NTISP] Can anyone shed any light?

Guy Walker (no email)
Wed, 8 Dec 1999 13:00:14 -0800

My guess would be through Cold Fusion. Remove or password protect the cfdocs
directory. Then check the site for security updates and issues.


-----Original Message-----
From: Mark Muldowney <>
To: <>
Date: Wednesday, December 08, 1999 9:03 AM
Subject: [NTISP] Can anyone shed any light?

>Hello list!
>Well... my worst fears became reality this weekend.
>A government web site that we host was hacked by an American hacker
>going by the handle of "Sarin". He "0w3ned" the machine for 3 hours
>by replacing the default.htm until I was alerted and could put things
>back in order. This was on a NT4.0 server running IIS4.0 and Cold Fusion
>with SP4.0 and the latest hotfixes applied. I thought I had it pretty
>but obviously not. We were very pleased to get the government contract as we
>are only a relatively small ISP; now it looks like we may lose the contract
>and be sued as well. The last few days I've gone out of my mind trying to fathom
>how he did it. I seem to remember an exploit that was mentioned a few months
>ago involving, I believe, ISAPI filters which gave access to the webroot
>and allowed uploads to the directory, but I've not as yet been able to find
>any information on this. If anybody could offer any advice or help I would
>really appreciate it as it looks as though my job is on the line.
>I've included these links I've found to other Sarin hacks.

For more information about this list (including removal) go to:
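The reply above points at the Cold Fusion `cfdocs` directory and tells the poster to remove or password-protect it. As an added, defender-side illustration that is not part of this thread, the following script shows the two checks an administrator would run after such an incident: it walks a web root looking for a `cfdocs` directory that is still present, and it parses IIS 4.0 W3C extended log lines to list every request that touched `/cfdocs/`. The log lines, the IP addresses and the temporary web root are all constructed for the example; the field layout follows the W3C extended format IIS writes, and the `#Fields:` header is assumed to be present in the log file.

```python
import os
import tempfile

# Constructed sample of IIS 4.0 W3C extended log lines (not taken from the thread).
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-12-04 02:11:05
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-12-04 02:11:05 192.0.2.10 GET /default.htm 200
1999-12-04 02:12:40 192.0.2.10 GET /cfdocs/ 200
1999-12-04 02:13:02 192.0.2.10 GET /CFDOCS/index.htm 200
1999-12-04 02:20:17 203.0.113.7 GET /images/logo.gif 200
"""

# Directory names that ship with Cold Fusion documentation/samples and should
# not be reachable on a production web root.  Only cfdocs is named in the thread.
SAMPLE_DIR_NAMES = ("cfdocs",)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines carry no request data
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines we cannot map onto the declared columns
        yield dict(zip(fields, values))


def cfdocs_requests(text):
    """Return every logged request whose URI is under /cfdocs/ (case-insensitive,
    because NTFS and IIS match paths without regard to case)."""
    return [r for r in parse_w3c(text)
            if r["cs-uri-stem"].lower().startswith("/cfdocs/")]


def client_ips(requests):
    """Distinct client addresses behind a list of parsed requests."""
    return sorted({r["c-ip"] for r in requests})


def find_sample_dirs(webroot, names=SAMPLE_DIR_NAMES):
    """Walk the web root and return paths of sample/doc directories still present."""
    found = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for d in dirnames:
            if d.lower() in names:
                found.append(os.path.join(dirpath, d))
    return found


def build_demo_webroot():
    """Create a throwaway web root containing a leftover cfdocs directory."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "CFDOCS", "snippets"))
    return root


if __name__ == "__main__":
    hits = cfdocs_requests(SAMPLE_LOG)
    print("requests under /cfdocs/:", len(hits), "from", client_ips(hits))
    root = build_demo_webroot()
    print("sample dirs still on the web root:", find_sample_dirs(root))
```

Running it against a real log directory means feeding each `ex*.log` file through `cfdocs_requests`; any hit from an address that is not a known administrator is worth correlating with the time the default page was replaced. A `find_sample_dirs` result that is not empty means the directory the reply talks about is still reachable and should be removed or moved behind NTFS permissions and IIS authentication.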