Security Basics mailing list archives

Compromised Server Project
From: "Hunt, Jim" <Jim.Hunt () nwsc k12 in us>
Date: Fri, 7 Feb 2003 14:52:50 -0500

I keep reading how quickly unsecured servers on high speed connections
can be compromised.  Is it really as bad as they keep saying?  Just how
long could a server (IIS 6 on Windows 2003 Server RC2) remain safe when
just sitting quietly and not offering an Internet presence?

The box is a standard desktop (Pentium 4).  The connection is a full T1.
It sits outside my firewall with no protection other than a medium
difficult password on the administrator account.  The built-in software
firewall similar to the one in Windows XP is not activated.  You can
ping the box and it will reply.

There are no web pages being served other than a basic page indicating
it is a web server and the OS.  FrontPage 2002 Extensions are also
installed.  It also has the INETPUB Folder installed on the same c:\
partition as the operating system.  

There really has been no special security other than a default
installation and the basic Windows Update patches.  Well, it has been
over 6 weeks since installation and nobody has gotten into the box.
Yeah, I know someone working at it could compromise it but the casual
scans and script kiddies just keep passing it by.  (There are many
attempts recorded in the logs.)

I got bored waiting and decided to add an FTP Server and allow
read/write access for anyone.  I was also disappointed that after 12
hours, it hadn't been touched.  Another 6 hours went by and still
nothing.  Maybe Internet hacking was dead and we didn't need firewalls.

Well, it didn't make it 24 hours before it was compromised.  (Yes, I did
kind of help it along.)  I received about 160 MB of files uploaded.
They left this message:

For Team Tacheron Universal - Scanned'n'Upped by Sol

There were a couple of downloads of those files before I turned off the
FTP Service.  (The files were Karaoke; nothing good!)  So what am I
saying?  A misconfigured FTP Server with anonymous read/write access was
quickly used by someone.  

The HTTP Server seems to be remarkably secure against all common
vulnerabilities.  This was using the default installation.  

I also didn't install any Antivirus software on the box but did do a
full scan using the online scan from Trend Micro and it came up clean so
no Trojans were dropped.  

Please note this was not a scientific study but something born out of
boredom by myself.  Stay Secure!  

Jim Hunt
Microsoft Certified Systems Engineer
Northwestern School Corporation
Kokomo, Indiana
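A defensive follow-up to the experiment above, added here and not part of Jim's post: a small Python script that reads an IIS-style W3C FTP log and flags files uploaded by anonymous sessions, so a writable anonymous share shows up in the logs before it fills with someone else's files. The log lines are constructed, and the cs-method values ([n]created for an upload, [n]sent for a download) are assumed from IIS 6 FTP logging rather than taken from the post.

```python
"""Flag anonymous FTP uploads and failed logins in an IIS-style W3C FTP log."""
from collections import defaultdict

# Constructed sample log. Column layout is read from the #Fields: header,
# so other W3C layouts parse as long as the same field names are present.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-02-07 00:00:00
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
02:11:05 192.0.2.10 anonymous [1]USER anonymous 331
02:11:05 192.0.2.10 anonymous [1]PASS guest@ 230
02:11:09 192.0.2.10 anonymous [1]created /pub/incoming/track01.kar 226
02:11:40 192.0.2.10 anonymous [1]created /pub/incoming/track02.kar 226
03:02:17 198.51.100.7 anonymous [2]USER anonymous 331
03:02:17 198.51.100.7 anonymous [2]PASS mozilla@ 230
03:02:20 198.51.100.7 anonymous [2]sent /pub/incoming/track01.kar 226
04:15:33 203.0.113.4 jhunt [3]USER jhunt 331
04:15:33 203.0.113.4 jhunt [3]PASS - 530
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, parts))


def anonymous_uploads(text):
    """Return ({client ip: [uploaded paths]}, number of failed logins).

    Uploads are 'created' records from a session logged in as anonymous;
    failed logins are PASS commands answered with 530, the 'attempts' a
    quiet server still accumulates in its logs.
    """
    uploads = defaultdict(list)
    failed_logins = 0
    for rec in parse_w3c(text):
        method = rec["cs-method"].split("]", 1)[-1]  # drop the "[n]" session tag
        if method == "PASS" and rec["sc-status"] == "530":
            failed_logins += 1
        elif method == "created" and rec["cs-username"].lower() == "anonymous":
            uploads[rec["c-ip"]].append(rec["cs-uri-stem"])
    return dict(uploads), failed_logins


if __name__ == "__main__":
    found, failed = anonymous_uploads(SAMPLE_LOG)
    for ip, paths in found.items():
        print(f"anonymous uploads from {ip}: {len(paths)} file(s)")
    print(f"failed logins: {failed}")
```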

