Re: [NTISP] Can anyone shed any light?

Adam Greene (no email)
Fri, 10 Dec 1999 09:53:33 -0500

Hi Mark,

Sorry to hear about your difficulties. Microsoft has a site which references
all of the security issues with their products, including IIS 4.0:

http://www.microsoft.com/security

Hope it helps,
Adam

-----Original Message-----
From: Mark Muldowney <mark@oasis-net.co.uk>
To: ntisp@iea-software.com <ntisp@iea-software.com>
Date: Wednesday, December 08, 1999 12:03 PM
Subject: [NTISP] Can anyone shed any light?

>Hello list!
>Well... my worst fears became reality this weekend.
>A government web site that we host was hacked by an American hacker
>going by the handle of "Sarin". He "0w3ned" the machine for 3 hours
>by replacing the default.htm until I was alerted and could put things
>back in order. This was on an NT4.0 server running IIS4.0 and Cold Fusion
>with SP4.0 and the latest hotfixes applied. I thought I had it pretty
>secure, but obviously not. We were very pleased to get the government
>contract as we are only a relatively small ISP, now it looks like we may
>lose the contract and be sued as well. The last few days I've gone out of
>my mind trying to fathom how he did it. I seem to remember an exploit that
>was mentioned a few months ago involving, I believe, ISAPI filters which
>gave access to the webroot and allowed uploads to the directory, but I've
>not as yet been able to find any information on this. If anybody could
>offer any advice or help I would really appreciate it as it looks as
>though my job is on the line.
>I've included these links I've found to other Sarin hacks.
>
>TIA
>
>www.globetechnology.com/archive/gam/News/19990831/RHACK.html
>www.avn.com/html/avn/news/nws/news404.html
>www.zdnet.com/tlkbck/comment/22/0,7056,69065-219555,00.html
>www.paybackproductions.com/links/hackedsites/
>www.hackernews.com/archive/1999/mndm/
>
>Mark

For more information about this list (including removal) go to:
http://www.iea-software.com/support/maillists/liststart