Re: [NTISP] Can anyone shed any light?

Petar Nikolich ( (no email) )
Thu, 9 Dec 1999 23:11:16 +0800

A way to minimise the problem should they defeat your security is
to run a job that copies the files from a safe location to the website
on a regular basis i.e. every 10 minutes.

Just make sure the safe copy has permissions that make it inaccessible
to change remotely.

Or get a copy of Second Copy 2000 from
which can 'watch' a directory and restore changed files from a
backup automatically.

Very cool software and is cheap as well as being a nifty piece
of backup software.
----- Original Message -----
From: Guy Walker <>
To: <>
Sent: Thursday, 9 December 1999 5:00
Subject: Re: [NTISP] Can anyone shed any light?

My guess would be through Cold Fusion. Remove or password protect the cfdocs
directory. Then check the site for security updates and issues.


-----Original Message-----
From: Mark Muldowney <>
To: <>
Date: Wednesday, December 08, 1999 9:03 AM
Subject: [NTISP] Can anyone shed any light?

>Hello list!
>Well... my worst fears became reality this weekend.
>A government web site that we host was hacked by an American hacker
>going by the handle of "Sarin". He "0w3ned" the machine for 3 hours
>by replacing the default.htm until I was alerted and could put things
>back in order. This was on an NT4.0 server running IIS4.0 and Cold Fusion
>with SP4.0 and the latest hotfixes applied. I thought I had it pretty
>but obviously not. We were very pleased to get the government contract as we
>are only a relatively small ISP, now it looks like we may lose the contract
>and be sued as well. The last few days I've gone out of my mind trying to fathom
>how he did it. I seem to remember an exploit that was mentioned a few months
>ago involving, I believe, ISAPI filters which gave access to the webroot
>and allowed uploads to the directory, but I've not as yet been able to find
>any information on this. If anybody could offer any advice or help I would
>really appreciate it as it looks as though my job is on the line.
>I've included these links I've found to other Sarin hacks.
>For more information about this list (including removal) go to:
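
The restore job suggested in the first reply, sketched as an added example (not code from the thread or from Second Copy 2000): it compares the web root against the safe copy by SHA-256, restores changed or missing files, and reports files the safe copy does not contain. The function names, directory names and sample files are assumptions constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def digest(path: Path) -> str:
    """SHA-256 of a file's contents (web pages are small enough to read whole)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def restore_webroot(safe_dir: Path, web_dir: Path) -> dict:
    """Make web_dir match safe_dir; return what was changed, for alerting."""
    report = {"restored": [], "missing": [], "unexpected": []}
    known = set()
    for src in sorted(p for p in safe_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(safe_dir)
        known.add(rel)
        dst = web_dir / rel
        if not dst.is_file():
            report["missing"].append(rel.as_posix())
        elif digest(dst) != digest(src):
            report["restored"].append(rel.as_posix())
        else:
            continue  # unchanged, nothing to copy
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
    # Files the safe copy does not know about may be uploads by an intruder:
    # report them rather than deleting, so they survive as evidence.
    for p in sorted(p for p in web_dir.rglob("*") if p.is_file()):
        rel = p.relative_to(web_dir)
        if rel not in known:
            report["unexpected"].append(rel.as_posix())
    return report

def demo() -> dict:
    """Constructed sample: a replaced default.htm, a deleted file, an upload."""
    with tempfile.TemporaryDirectory() as tmp:
        safe, web = Path(tmp, "safe"), Path(tmp, "wwwroot")
        (safe / "img").mkdir(parents=True)
        (safe / "default.htm").write_text("<h1>Agency home</h1>")
        (safe / "img" / "logo.txt").write_text("logo")
        shutil.copytree(safe, web)                      # deploy the site
        (web / "default.htm").write_text("<h1>defaced</h1>")
        (web / "img" / "logo.txt").unlink()
        (web / "dropped.cfm").write_text("unknown upload")
        report = restore_webroot(safe, web)
        report["clean"] = (web / "default.htm").read_text()
        return report
```

Run from a scheduler at the chosen interval, a non-empty report is worth an alert: the page is back, but the way in is still open.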
