Yeah, that is my concern. While nothing seems to be done to the server except the "defacing", I want to make sure whoever got in this time can't get back in. The server had a couple of win2k security updates waiting to be applied that were applied after the fact. Yeah, I'm figuring it's IIS as well. It's weird, lots of examples of it when googled, lots of forum posts about it, but no one seems to have anything posted about what is being exploited to gain access.

-----Original Message-----
From: Dave Watts [mailto:[email protected]]
Sent: Wednesday, May 27, 2009 1:08 PM
To: cf-talk
Subject: Re: (ot) Hacked by Fatal Error

> Has anyone seen this or had this occur - Basically they replace the default
> docs in the wwwroot (index.htm, html, asp, default.htm, html, asp, etc.)
> with a file with only html and css in it that shows a picture of Homer
> Simpson and the message Hacked By Fatal Error and something along the lines
> of "hey admin take care of server". We saw it on one internal dev server
> and I am just trying to figure out what is exploited to be able to drop the
> files on. The only things open are ports 80 and 21 (ftp logs show no
> activity in over a week), the files in question were created yesterday. I
> really just want to know that the server itself isn't compromised and this
> was just a defacing and also prevent it from occurring again. The server is
> fully patched win2k and we also shut off ftp this morning since usage of it
> is pretty non-existent anymore since all dev is on-site.

While this is "just a defacing", you have no guarantee that the server isn't compromised - essentially, that's what a defacing requires. Was the server fully patched prior to this morning?

My offhand guess is that it's an IIS exploit, and after all IIS 5 is pretty old; there were plenty of IIS 5 exploits back in the day.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

