Re: [NTISP] Can anyone shed any light?

Petar Nikolich (no email)
Thu, 9 Dec 1999 23:11:16 +0800

A way to minimise the problem should they defeat your security is
to run a job that copies the files from a safe location to the website
on a regular basis i.e. every 10 minutes.

Just make sure the safe copy has permissions that make it inaccessible
to change remotely.

Or get a copy of Second Copy 2000 from http://www.centered.com/
which can 'watch' a directory and restore changed files from a
backup automatically.

Very cool software and is cheap as well as being a nifty piece
of backup software.
----- Original Message -----
From: Guy Walker <guy@telmarcorp.com>
To: <ntisp@iea-software.com>
Sent: Thursday, 9 December 1999 5:00
Subject: Re: [NTISP] Can anyone shed any light?

My guess would be through Cold Fusion. Remove or password protect the cfdocs
directory. Then check the allaire.com site for security updates and issues.

Guy

-----Original Message-----
From: Mark Muldowney <mark@oasis-net.co.uk>
To: ntisp@iea-software.com <ntisp@iea-software.com>
Date: Wednesday, December 08, 1999 9:03 AM
Subject: [NTISP] Can anyone shed any light?

>Hello list!
>Well... my worst fears became reality this weekend.
>A government web site that we host was hacked by an American hacker
>going by the handle of "Sarin". He "0w3ned" the machine for 3 hours
>by replacing the default.htm until I was alerted and could put things
>back in order. This was on an NT4.0 server running IIS4.0 and Cold Fusion
>with SP4.0 and the latest hotfixes applied. I thought I had it pretty
>secure, but obviously not. We were very pleased to get the government contract as we
>are only a relatively small ISP, now it looks like we may lose the contract
>and be sued as well. The last few days I've gone out of my mind trying to fathom
>how he did it. I seem to remember an exploit that was mentioned a few months
>ago involving, I believe, ISAPI filters which gave access to the webroot
>and allowed uploads to the directory, but I've not as yet been able to find
>any information on this. If anybody could offer any advice or help I would
>really appreciate it as it looks as though my job is on the line.
>I've included these links I've found to other Sarin hacks.
>
>TIA
>
>www.globetechnology.com/archive/gam/News/19990831/RHACK.html
>www.avn.com/html/avn/news/nws/news404.html
>www.zdnet.com/tlkbck/comment/22/0,7056,69065-219555,00.html
>www.paybackproductions.com/links/hackedsites/
>www.hackernews.com/archive/1999/mndm/
>
>Mark
>
>
>
>For more information about this list (including removal) go to:
>http://www.iea-software.com/support/maillists/liststart
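The scheduled restore job suggested in the top reply, as an added example (not part of the original thread, and not how Second Copy 2000 works): it compares hashes instead of copying blindly, so each run also reports which files had been changed, removed or added. The function names, directory names and sample files are assumptions constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_from_safe_copy(safe_root: Path, web_root: Path) -> dict:
    """Make web_root match safe_root; return what had drifted (relative paths)."""
    report = {"restored": [], "missing": [], "unexpected": []}
    known = set()
    for src in sorted(p for p in safe_root.rglob("*") if p.is_file()):
        rel = src.relative_to(safe_root)
        known.add(rel)
        dst = web_root / rel
        if not dst.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_of(dst) != sha256_of(src):
            report["restored"].append(rel.as_posix())
        else:
            continue  # unchanged, nothing to copy
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
    # Files not in the safe copy are reported, not deleted, so they can be examined.
    for p in sorted(web_root.rglob("*")):
        rel = p.relative_to(web_root)
        if p.is_file() and rel not in known:
            report["unexpected"].append(rel.as_posix())
    return report


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample tree: a safe copy and a site that has drifted from it.
        safe, web = Path(tmp, "safe"), Path(tmp, "wwwroot")
        for root in (safe, web):
            (root / "img").mkdir(parents=True)
            (root / "default.htm").write_text("<h1>Welcome</h1>")
            (root / "img" / "logo.txt").write_text("logo")
        (web / "default.htm").write_text("<h1>changed</h1>")  # modified page
        (web / "img" / "logo.txt").unlink()  # deleted file
        (web / "extra.htm").write_text("not in the safe copy")  # added file
        # Second run shows the site is back in sync apart from the extra file.
        return restore_from_safe_copy(safe, web), restore_from_safe_copy(safe, web)


if __name__ == "__main__":
    print(demo())
```

Run from a scheduler at the chosen interval, a non-empty report is worth logging or mailing, since a restore that happens silently hides the fact that the site was changed.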
