LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Marty Hoag <[log in to unmask]>
Tue, 7 May 2002 09:12:52 -0500
text/plain (44 lines)
    I got rejections from two of the three peers for the LSTSRV-L list
so I'll try sending this to the server where I'm actually subscribed
(doh).  I apologize for the duplication.  Thanks for those who already
replied.

    We have a LISTSERV(tm) 1.8d running on NT 4.0 using
IIS 3.0.  Not being a windows guru I'd like to pick your brains.

    During the code red/nimda days last fall I had applied SP6a and
the security roll-up (and I renamed or deleted the tftp.exe).
But apparently folks are still able to use specific URLs to run
arbitrary commands as our index.html was hacked over the weekend
("Hacked by [rEd_SigN]... We are : Mad_Skater...").  The perps used
about 11 sets of three characters after /scripts/ to apparently get
access to the winnt directory so they could run cmd.exe and then just
echoed the text of the page into the index.html .  As part of the
process they also copied cmd.exe to a new directory on the C:
partition as c:\azrael666\azrael666.exe or something like that. At
least that is what the IIS 3.0 log shows.  But I also saw shorter
strings which looked like they were working too.  Of course, maybe
all that was a red herring.

    I decided to run without the web server while I figure out the
best approach to take.  Some have suggested upgrading to IIS 4.0
or, more drastically, upgrade to W2K w/ IIS 5.0 (and all the security
fixes of course).

   Others have mentioned Apache for Windows.  Have any of you
upgraded from IIS 3.0 to Apache on NT 4.0?  What was involved (time,
gotchas, etc.).  Or if you are running it on W2K would you recommend
going to that?

    I've wondered if the cmd.exe is used by system processes or
mainly by "command prompts" such that I could rename it to something
else since all the web exploits seem to depend on knowing where that
will be and what it is named.  I'd like to buy some time until we can
replace the system with something running latest versions of W2K and
web servers (I've usually found that easy to do when hardware is
upgraded ;-).

    Any suggestions would be appreciated.  Thanks.

    marty
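As an added example, not from the post or from LISTSERV, here is a Python scanner that canonicalises request paths the way a hardened server should (percent-decoding twice and folding overlong UTF-8 forms of "/" and "\" back to ASCII) and then flags the traversal-to-cmd.exe requests Marty describes seeing in the IIS log. The log lines, field layout and IP addresses are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample lines in the W3C log shape IIS writes; modelled on the
# pattern the post describes, not taken from the post's server.
SAMPLE_LOG = """\
2002-05-04 03:12:07 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 200
2002-05-04 03:12:09 10.0.0.5 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe 200
2002-05-04 03:13:40 10.0.0.9 GET /archives/index.html 200
2002-05-04 03:14:02 10.0.0.9 GET /scripts/wa.exe 200
"""

def canonicalize(uri: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches double encoding), fold
    overlong two-byte UTF-8 forms of ASCII back to ASCII, normalise case."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(rounds):
        if b"%" not in raw:
            break
        raw = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        # Lead bytes 0xC0/0xC1 never occur in valid UTF-8; they only appear
        # in overlong encodings of ASCII, so map the pair back to that byte.
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/").lower()

def is_traversal(uri: str) -> bool:
    """True when a canonicalised segment is '..' or the path names cmd.exe."""
    segments = canonicalize(uri).split("/")
    return ".." in segments or segments[-1] == "cmd.exe"

def scan_log(text: str) -> list:
    """Return (client_ip, uri) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and is_traversal(fields[4]):
            hits.append((fields[2], fields[4]))
    return hits

for ip, uri in scan_log(SAMPLE_LOG):
    print(f"suspicious request from {ip}: {uri}")
```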