Any chance we could look at the IIS logs? That might answer most of the attack 
vector questions, assuming the attack was web-based.


-- Sent from my Mobile Device
On Jan 21, 2011 6:14 AM, Ryan Sears <[email protected]> wrote: 

Hey guys,



Perhaps it was something on top of dotnetnuke? There have been quite a few bugs 
posted in their security bulletins 
(http://www.dotnetnuke.com/News/SecurityPolicy/tabid/940/Default.aspx - at the 
bottom) as well as securityfocus (I believe - too many seclists to keep them 
all straight :-P). 



Just a thought! I'm curious as to how the initial compromise happened as well. 
Would you be willing to share the files used in the compromise? The community 
may be able to trace its origins, and potentially shut down a malicious C&C 
node for other compromised websites (as I have done in the past), or possibly 
trace it to a trend of malware, or the initial vector so you can 
patch/remediate it.



Regards,

Ryan Sears



----- Original Message -----

From: "Timothy Ouellette" <[email protected]>

To: "PaulDotCom Security Weekly Mailing List" 
<[email protected]>

Sent: Thursday, January 20, 2011 11:39:16 PM GMT -05:00 US/Canada Eastern

Subject: Re: [Pauldotcom] Web Server Hacked



I'm more interested in the attack vector than the actual hack... anyone know 
how the files actually got replaced? Any chance you're both running the same 
version of IIS or Apache? Or possibly similar ports available on web servers, 
etc.

  ----- Original Message ----- 

  From: Ariany Mizrahi 

  To: PaulDotCom Security Weekly Mailing List 

  Sent: Thursday, January 20, 2011 7:46 PM

  Subject: Re: [Pauldotcom] Web Server Hacked





  We actually just had one of our web servers hacked yesterday around 6:50am.  
index.asp was replaced.







  Cheers,



  Ari

  http://www.securityoverflow.net







  On Thu, Jan 20, 2011 at 6:53 PM, Mike Smith <[email protected]> 
wrote:



    Hello,



    I would like to know if anyone has had a web server attacked using these 
files.



    1) default.asp

    2) index.asp

    3) main.asp

    4) shell.asp



    I have files 1, 2, and 3, but not 4. I do not know if it was successfully 
uploaded, then deleted.



    Thanks,



    Mike



    _______________________________________________

    Pauldotcom mailing list

    [email protected]

    http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom

    Main Web Site: http://pauldotcom.com











------------------------------------------------------------------------------





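As an added illustration of the IIS log review suggested at the top of this thread (not code from any of the posters), the following Python sketch reads W3C extended log lines and flags requests that touch the four file names mentioned in the thread. The log field set, the list of write-capable methods, the function names and the sample log lines are assumptions constructed for the example; the sample does not describe how the reported compromise actually happened.

```python
WATCHED = {"default.asp", "index.asp", "main.asp", "shell.asp"}  # file names from the thread
UNEXPECTED = {"shell.asp"}   # assumption: not a legitimate page on the site
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}  # HTTP/WebDAV writes
def parse_w3c(lines):
    """Yield one dict per request, using the #Fields: directive as the column map."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # IIS re-emits this header after a restart
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def triage(lines, watched=WATCHED, unexpected=UNEXPECTED):
    """Return (timestamp, client_ip, method, uri, status, reasons) for rows worth review."""
    findings = []
    for row in parse_w3c(lines):
        method = row.get("cs-method", "").upper()
        uri = row.get("cs-uri-stem", "")
        status = row.get("sc-status", "")
        name = uri.rsplit("/", 1)[-1].lower()
        reasons = []
        if method in WRITE_METHODS and status.startswith("2"):
            reasons.append("successful write method")
        if name in watched and method not in ("GET", "HEAD"):
            reasons.append("non-GET request to watched file")
        if name in unexpected and status == "200":
            reasons.append("unexpected file was served")
        if reasons:
            findings.append((row.get("date", "") + " " + row.get("time", ""),
                             row.get("c-ip", ""), method, uri, status, "; ".join(reasons)))
    return findings

# Constructed sample log with documentation-range IPs; not data from the thread.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-01-19 06:41:02 198.51.100.7 GET /index.asp 200
2011-01-19 06:49:30 203.0.113.9 PUT /shell.asp 201
2011-01-19 06:49:41 203.0.113.9 GET /shell.asp 200
2011-01-19 06:50:05 203.0.113.9 POST /shell.asp 200
2011-01-19 06:51:10 198.51.100.7 GET /index.asp 200
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The earliest flagged row gives a starting timestamp and client address for pivoting into the rest of the logs, and a 200 response for a file that is no longer on disk shows it did exist at that time.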