<snip!>

> As far as switching to another Platform, I'd like to know what
> platform Mike thinks is secure? (please oh please say Apache...
> you apparently aren't paying attention to the security bulletins
> for it are you?)

OK; I'll take the bait even though this wasn't addressed to me specifically.

Yes, I would sooner (and have) opted for Apache over IIS when looking for a "secure" web server.

Facts:

- Unlike IIS, Apache does not need to run with any system-level privileges whatsoever. The result? Even if Apache itself is compromised, it's impossible to take over the rest of the system.

- Unlike IIS, Apache does not need access to the entire system to run. Apache can be boxed into a little tiny world (on UNIX platforms via chroot()) that has absolutely nothing other than Apache and the web content it serves. The result? Even if Apache itself is compromised, it's impossible to see any files on the system other than those directly related to Apache and the content it serves.

- Unlike IIS, and assuming that Apache is running with system-level privileges despite not needing to, Apache hasn't had a flaw that would lead to a complete system compromise since 01/1997. Prior to that, there was one other flaw that would lead directly to a complete system compromise, and that was in 03/1996.
  (source: http://www.securityfocus.com/cgi-bin/vulns.pl ; search for Apache Group -> Apache)

- Apache vulnerabilities: A total of 23 security-related flaws have been found in Apache over the course of its entire life, over all supported platforms. Of these, 2 were classified as "high threat" vulnerabilities, 12 as "medium threat" vulnerabilities, and 9 as "low threat" vulnerabilities.
  (source: http://www.securityfocus.com/cgi-bin/vulns.pl ; search for Apache Group -> Apache)

- IIS vulnerabilities: A total of 80 security-related flaws have been found in IIS over the course of its entire life. Of these, 15 were classified as "high threat" vulnerabilities, 38 as "medium threat" vulnerabilities, 28 as "low threat" vulnerabilities, and the remaining are unclassified.
  (source: http://www.securityfocus.com/cgi-bin/vulns.pl ; search for Microsoft -> IIS)

Based upon this information, it strikes me that:

- Apache has a significantly better security track record than IIS [0].
- Apache can be significantly better secured than IIS.

If you further consider the Web server platform most targeted on the Internet (IIS), and the havoc that is wrought when such attacks are successful (think NIMDA and Code Red), it's clear that IIS isn't the most secure choice in Web servers, and that Apache is a much more secure choice.

-Bill

[0] = Particularly when you consider that several of the security flaws in Apache are platform-specific (e.g., they only impact the Windows or Mac platforms), and that the majority of them can be easily mitigated with appropriate configuration -- unlike IIS. Note that "appropriate configuration" in this context does NOT mean retroactively applying security patches.

> -----Original Message-----
> From: d.schneider [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 18, 2002 8:38 AM
> To: Marc Suxdorf; [EMAIL PROTECTED]
> Subject: RE: [gb-users] Not Gnatbox but security related
>
> Marc, root.exe is cmd.exe renamed by the worm. If there are no traces of
> this on your system (more specifically in inetpub/scripts/ or system32) you
> are not infected.
> Apply the proper patches as you should be doing anyway.
> As Chris stated..Any person that runs a webserver sees these every day.. I
> actually have webtrends scripts just to show how many I get a day..
> If you're patched, you're fine.
> As far as switching to another Platform, I'd like to know what platform Mike
> thinks is secure? (please oh please say Apache...you apparently aren't paying
> attention to the security bulletins for it are you?)
> -d
>
> -----Original Message-----
> From: Chris Green [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 18, 2002 7:34 AM
> To: Marc Suxdorf; Mike Burden; [EMAIL PROTECTED]
> Subject: RE: [gb-users] Not Gnatbox but security related
>
> That was an attempt to use an early IIS flaw that allowed directory
> traversal. If you run a web server on the net you will see regular attempts
> to exploit them. If you are patched there is nothing to worry about. What
> you could do though is forward your logs to the admins at the ISP from which
> they originated. I have had many accounts shut down with firewall/web
> server logs.
>
> Chris Green
>
> -----Original Message-----
> From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> Sent: Thu 1/17/2002 10:40 AM
> To: 'Mike Burden'; [EMAIL PROTECTED]
> Cc:
> Subject: AW: [gb-users] Not Gnatbox but security related
>
> Mike and everyone else: Thanks a lot for the quick replies!
>
> This is really worrying!
> I couldn't find root.exe on any of our machines, but what about the attempts
> to run cmd.exe on our server?
>
> We have IIS 5 with the latest patches.
>
> Thanks for any comforting....
>
> Marc
>
> Suxdorf Studios für Design
> Milchstrasse 6b
> D-20148 Hamburg
> Tel +49 (40) 41345-100
> Fax +49 (40) 41345-101
> Email [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Mike Burden [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 17:18
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] Not Gnatbox but security related
>
> Looks like either a hack attempt or one of the
> "worms" that propagate through IIS vulnerabilities.
>
> Use "Find Files" to look for "root.exe" on your
> server. If you find it, you've been hacked or
> infected.
>
> Best option:
> Move to a webserver that doesn't have quite so
> many security flaws
>
> If you HAVE to stick with IIS:
> - Reformat the machine, reload the OS
> - Upgrade IIS to version 5 or later
> - Apply the latest cumulative patch and any
>   patches after it from:
>   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=17&servicepackid=0&submit1=go
> - Follow Microsoft's checklist for IIS 5:
>   http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/tips/iis5chk.asp
>   (click on "IIS 5 Security Considerations" at the top
>   of the right side pane)
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 17, 2002 11:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: [gb-users] Not Gnatbox but security related
> >
> > Hi everyone
> >
> > I have to administer our small company network in my spare time which
> > hopefully explains my little security knowledge...
> > I have just come across a scary entry in our Windows 2000 Server Internet
> > Information Services 5.0 log:
> >
> > 2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
> > 2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -
> > 2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 403 www -
> > 2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET /d/winnt/system32/cmd.exe /c+dir 403 www -
> > 2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -
> >
> > Is someone currently executing terrible things on our server?
> >
> > I would be very grateful for any quick help and/or explanation!
> >
> > Thanks a lot and best wishes to everyone
> >
> > Marc
> >
> > Suxdorf Studios für Design
> > Milchstrasse 6b
> > D-20148 Hamburg
> > Tel +49 (40) 41345-100
> > Fax +49 (40) 41345-101
> > Email [EMAIL PROTECTED]
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > To subscribe to the digest version first unsubscribe, then
> > e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
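
Added example, not part of the original thread: a small Python triage script for log entries like the ones quoted above. It flags the request patterns the thread names (root.exe, cmd.exe, "..\" traversal) and separates requests the server refused from ones it answered with a 2xx status. The field order is assumed from the quoted excerpt, and the sample lines and 192.0.2.x addresses are constructed.

```python
import re
from urllib.parse import unquote

# Field order assumed from the log excerpt quoted in the thread.
FIELDS = ("date", "time", "client", "user", "server", "port",
          "method", "stem", "query", "status")

# Patterns the thread discusses: root.exe, cmd.exe, "..\" or "../" traversal.
SIGNATURES = (
    ("root.exe probe", re.compile(r"/root\.exe$")),
    ("cmd.exe probe", re.compile(r"/cmd\.exe$")),
    ("directory traversal", re.compile(r"\.\.[\\/]")),
)

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2002-01-17 10:52:31 192.0.2.10 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403
2002-01-17 10:53:18 192.0.2.10 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403
2002-01-17 10:54:02 192.0.2.77 - 10.10.1.1 80 GET /index.html - 200
2002-01-17 10:55:40 192.0.2.99 - 10.10.1.1 80 GET /Scripts/ROOT.EXE /c+dir 200
"""

def parse_line(line):
    """Return a dict for a request line, or None for directives/short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def normalise(stem):
    """Percent-decode until stable so nested encoding cannot hide a pattern."""
    while (decoded := unquote(stem)) != stem:
        stem = decoded
    return stem.lower()

def scan(lines):
    """Flag matching requests; a 2xx status means the server answered it."""
    findings = []
    for entry in filter(None, map(parse_line, lines)):
        stem = normalise(entry["stem"])
        hits = [name for name, rx in SIGNATURES if rx.search(stem)]
        if hits and entry["status"].isdigit():
            verdict = "INVESTIGATE" if 200 <= int(entry["status"]) < 300 else "refused"
            findings.append({"client": entry["client"], "hits": hits, "verdict": verdict})
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG.splitlines()), sep="\n")
```

A "refused" verdict corresponds to the 403 responses in the quoted log; an "INVESTIGATE" verdict on a root.exe request is the case the thread describes as a sign of infection.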
