Well, one of our client's servers has been hacked because they didn't
install the patch. Now we're being asked to help determine the extent of the
hack.
So far we've:
- Checked the created/modified dates on files on the server
- Checked the event and system logs for anything suspicious (security policy
changes etc.)
- Changed all the administrative account passwords
- Installed the patch (and all the others they hadn't) for them!
So far all that's obvious is that two HTML files in two webroot directories
(both index files) have been changed. However, I'm paranoid that despite
there being no direct evidence that the hack was anything but superficial,
the server might still be compromised. While the server is behind a
firewall, it is accessible via port 80, ftp and terminal services. All other
ports are blocked for inbound traffic. It's not a domain controller, but is
part of a domain.
If anyone on the list has any suggestions (save the Microsoft security info)
as to where to look for resources (or any personal experience!) related to
this that would be really appreciated.
Thanks,
Sean Kozey
CTO, cybergod | ecentricarts Inc.
email: [EMAIL PROTECTED]
telephone: 416-644-5000 ext. 224
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
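The first two checks in the post above (file timestamps and a hunt for changed index files) are easy to defeat: an intruder can reset a file's modification time after editing it, so a timestamp-only sweep can miss a defaced or backdoored file entirely. The script below is an added example, not code from the original post or the list; it compares SHA-256 hashes of the webroot against a baseline manifest (which in practice you would build from a backup or deployment source taken before the break-in, assumed here) and flags files whose content changed while their mtime did not. The two sites, the defaced index page and the dropped `cmd.asp` are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map webroot-relative path -> (sha256, mtime_ns) for every file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (sha256_file(p), p.stat().st_mtime_ns)
    return manifest


def compare(baseline, current):
    """Diff two manifests. 'timestomped' = content changed but mtime identical,
    i.e. exactly the case a created/modified-date sweep would miss."""
    changed, timestomped = [], []
    for rel, (digest, mtime_ns) in current.items():
        if rel in baseline:
            base_digest, base_mtime_ns = baseline[rel]
            if digest != base_digest:
                changed.append(rel)
                if mtime_ns == base_mtime_ns:
                    timestomped.append(rel)
    return {
        "changed": sorted(changed),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "timestomped": sorted(timestomped),
    }


def modified_since(manifest, cutoff_ns):
    """The naive timestamp-only check, kept for contrast with compare()."""
    return sorted(rel for rel, (_, mtime_ns) in manifest.items() if mtime_ns > cutoff_ns)


def demo():
    """Constructed scenario (not real data): two webroots, one index page
    defaced with its mtime restored, and one new script dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for site in ("site1", "site2"):
            (root / site).mkdir()
            (root / site / "index.htm").write_text("<html>Welcome</html>")
            (root / site / "about.htm").write_text("<html>About</html>")
        baseline = build_manifest(root)
        cutoff_ns = max(m for _, m in baseline.values())

        # Simulated intruder: deface site1/index.htm, then put the old mtime back.
        victim = root / "site1" / "index.htm"
        before = victim.stat()
        victim.write_text("<html>Hacked</html>")
        os.utime(victim, ns=(before.st_atime_ns, before.st_mtime_ns))

        # Simulated intruder: drop a new file (hypothetical name) in site2.
        time.sleep(0.05)  # ensure the new file lands after the baseline cutoff
        (root / "site2" / "cmd.asp").write_text("<% %>")

        current = build_manifest(root)
        result = compare(baseline, current)
        result["by_mtime_only"] = modified_since(current, cutoff_ns)
        return result


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key}: {files}")
```

Running it shows `by_mtime_only` catching just the dropped `cmd.asp`, while the hash comparison also reports `site1/index.htm` as both `changed` and `timestomped`. In a real engagement the baseline should come from media that was never writable by the compromised host, and the manifest of the live system is worth keeping as evidence before anything is patched or cleaned.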