Actually, the POSIX subsystem can be used to hide files in filestreams.... It can be used for a hacker to hide a rootkit on the attacked system....

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, November 09, 2001 6:16 PM
Subject: RE: Location of web root

> You couldn't use posix because you would have removed all reference to POSIX
> when locking down IIS
>
> -----Original Message-----
> From: Rj Subramanian [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 08, 2001 7:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Location of web root
>
>
> Hey all,
>
> Directory traversals are one thing, but can anybody think of any reason why
> an attacker couldn't use the posix subsystem to navigate to whichever
> drive\partition\directory he or she wanted to test?
>
> Rj Subramanian
> Vanir MIS
>
>
> -----Original Message-----
> From: Renouf, Phillip [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 06, 2001 4:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Location of web root
>
> The first major point about placing the wwwroot in a non-standard location
> is for the Directory Traversal exploit as you've brought up already. Many
> exploits will either rely on, or look for default settings like placing your
> websites in the c:\inetpub\wwwroot directory. The way that I generally set
> it up is to move the www and ftp roots to another drive, rename the wwwroot
> part to something else. I also acl the original inetpub directory so that
> only admin has access, remove the default virtual directories and move the
> log files off the C: drive. I've got two reasons for moving the logs: get
> them out of the standard directory and make sure they are on another drive
> so the log can't fill up the drive and bring the server down.
>
> Phil
>
> OK Everyone, I need some help!
> >
> > I'm trying to articulate the reasons why it's better to place the root
> > of a website on a separate partition, or at least in a separate
> > directory from the application which uses IIS as a front-end...
> >
