Home page logo
/

basics logo Security Basics mailing list archives

Compromised Server Project
From: "Hunt, Jim" <Jim.Hunt () nwsc k12 in us>
Date: Fri, 7 Feb 2003 14:52:50 -0500

I keep reading how quickly unsecured servers on high speed connections
can be compromised.  Is it really as bad as they keep saying?  Just how
long could a server (IIS 6 on Windows 2003 Server RC2) remain safe when
just sitting quietly and not offering an Internet presence?

The box is a standard desktop (Pentium 4).  The connection is a full T1.
It sits outside my firewall with no protection other than a medium
difficult password on the administrator account.  The built-in software
firewall similar to the one in Windows XP is not activated.  You can
ping the box and it will reply.

There are no web pages being served other than a basic page indicating
it is a web server and the OS.  FrontPage 2002 Extensions are also
installed.  It also has the INETPUB Folder installed on the same c:\
partition as the operating system.  

There really has been so special security other than a default
installation and the basic Windows Update patches.  Well, it has been
over 6 weeks since installation and nobody has gotten into the box.
Yeah, I know someone working at it could compromise it but the casual
scans and script kiddies just keep passing it by.  (There are many
attempts recorded in the logs.)

I got bored waiting and decided to add an FTP Server and allow
read/write access for anyone.  I was also disappointed that after 12
hours, it hadn't been touched.  Another 6 hours went by and still
nothing.  Maybe Internet hacking was dead we didn't need firewalls
anymore.

Well, it didn't make it 24 hours before it compromised.  (Yes, I did
kind of help it along.)  I received about 160 MB of files uploaded.
They left this message:

For Team Tacheron Universal - Scanned'n'Upped by Sol

There were a couple of downloads of those files before I turned off the
FTP Service.  (The files were Karaoke; nothing good!)  So what am I
saying?  A misconfigured FTP Server with anonymous read/write access was
quickly used by someone.  

The HTTP Server seems to be remarkably secure against all common
vulnerabilities.  This was using the default installation.  

I also didn't install any Antivirus software on the box but did due a
full scan using the online scan from Trend Micro and it came up clean so
no Trojans were dropped.  

Please note this was not a scientific study but something born out of
boredom by myself.  Stay Secure!  

Jim Hunt
Microsoft Certified Systems Engineer
Northwestern School Corporation
Kokomo, Indiana

http://www.netmon.org
Providing the resources and tools to monitor your network
Includes User Forums


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]