Home page logo

basics logo Security Basics mailing list archives

Re: Compromised Server Project
From: "Brian Wojtczak ( Lawyers Online )" <astrolox () lawyersonline co uk>
Date: Wed, 12 Feb 2003 10:25:17 +0000


I think the major reason that you weren't "attacked" sooner is because the box was doing nothing.

I must also point out ( as someone else did ) that a plain install which hasn't got anything interesting on it would 
look like to trap to most hackers. 

My guess is that if you put some web site up on the box and publish the address then you would have been a much more 
inviting target.

We don't run any windows servers yet I'm constantly seeing Nimda or code red style attacks against our servers. Stuff 
that only works against windows. I find that these attacks happen most often during the night ( GMT ), I'm guessing 
they are "script kiddies" as I'm not aware of a virus which cares if it's night or day. 

My point is our servers are well published, we host lots of web sites and are in an ip address range with other servers 
which host lots of web sites, and we see IIS attacks every day. 

Brian, Lawyers Online

At 14:52 07/02/2003 -0500, you wrote:
I keep reading how quickly unsecured servers on high speed connections
can be compromised.  Is it really as bad as they keep saying?  Just how
long could a server (IIS 6 on Windows 2003 Server RC2) remain safe when
just sitting quietly and not offering an Internet presence?

The box is a standard desktop (Pentium 4).  The connection is a full T1.
It sits outside my firewall with no protection other than a medium
difficult password on the administrator account.  The built-in software
firewall similar to the one in Windows XP is not activated.  You can
ping the box and it will reply.

There are no web pages being served other than a basic page indicating
it is a web server and the OS.  FrontPage 2002 Extensions are also
installed.  It also has the INETPUB Folder installed on the same c:\
partition as the operating system.  

There really has been so special security other than a default
installation and the basic Windows Update patches.  Well, it has been
over 6 weeks since installation and nobody has gotten into the box.
Yeah, I know someone working at it could compromise it but the casual
scans and script kiddies just keep passing it by.  (There are many
attempts recorded in the logs.)

I got bored waiting and decided to add an FTP Server and allow
read/write access for anyone.  I was also disappointed that after 12
hours, it hadn't been touched.  Another 6 hours went by and still
nothing.  Maybe Internet hacking was dead we didn't need firewalls

Well, it didn't make it 24 hours before it compromised.  (Yes, I did
kind of help it along.)  I received about 160 MB of files uploaded.
They left this message:

For Team Tacheron Universal - Scanned'n'Upped by Sol

There were a couple of downloads of those files before I turned off the
FTP Service.  (The files were Karaoke; nothing good!)  So what am I
saying?  A misconfigured FTP Server with anonymous read/write access was
quickly used by someone.  

The HTTP Server seems to be remarkably secure against all common
vulnerabilities.  This was using the default installation.  

I also didn't install any Antivirus software on the box but did due a
full scan using the online scan from Trend Micro and it came up clean so
no Trojans were dropped.  

Please note this was not a scientific study but something born out of
boredom by myself.  Stay Secure!  

Jim Hunt
Microsoft Certified Systems Engineer
Northwestern School Corporation
Kokomo, Indiana

Providing the resources and tools to monitor your network
Includes User Forums

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]