They use asp to upload.

greg

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Young, Gerald G
Sent: Friday, June 02, 2006 12:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

Ah.... How do job seekers upload their resumes? Via HTTP? They wouldn't happen to use the PUT verb, would they?

Full control for a guest account is NOT a good idea. You might want to lock that down more.

Cordially yours,
Jerry G. Young II
MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

________________________________
From: Crockett, Gregory
Sent: Fri 6/2/2006 12:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

I see your point. I just checked the permissions on the share (which hangs off an MSCS) - all iusr_ users have full control - not for webdav, but for job seekers needing to upload their resume.

greg

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Young, Gerald G
Sent: Friday, June 02, 2006 11:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

Yes, anonymous users impersonate the IUSR_ account but on both the website properties and on NTFS permissions, you can restrict write access. Most of the time, unless you're supporting WEBDAV as Jim said, you usually only need Read and perhaps Execute in both locations for users to be able to view websites.

Cordially yours,
Jerry G. Young II

________________________________
From: Crockett, Gregory
Sent: Fri 6/2/2006 12:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

Correct me if I am wrong, but, don't all web servers use "anonymous" (unless you authenticate) for access? Once anonymous gains access to the web server, the web server will use its authentication process to gain access to content. In the case of IIS, the default username is something like domain\iusr_ (sp) -- I think. I changed all my iusr_ names.

greg

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Young, Gerald G
Sent: Friday, June 02, 2006 10:23 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

Doesn't sound as if your web server is fully patched. Or it may be but your permissions for anonymous access aren't as tight as they should be.

Should anonymous users have write access to website directories?

Cordially yours,
Jerry G. Young II

________________________________
From: Crockett, Gregory
Sent: Fri 6/2/2006 11:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Spykids defacement

One of our web sites, http://www.servicesatrandolph.com/ was defaced by Spykids.
The defacement consisted of:

spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykids spykid\n\

According to the ISA WebProxy, the Client Agent used was: Microsoft Data Access Internet Publishing Provider DAV 1.1, with the Operation "PUT". They changed the default.* file.

Since then, I turned on HTTP Filter to block the PUT Method. Will this stop the above intrusion? Is there anything else I can do to block this intrusion?

Speaking of the proxy log - what's up with the ClientIP field? Should I have a decoder ring to crack the IP address? The IIS log revealed the IP address originated in Argentina.

TIA

greg

All mail to and from this domain is scrutinized by the Scrutinizer.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
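The thread traces the defacement to an anonymous WebDAV PUT that replaced default.*. As an added example (not part of the original thread or any poster's code), the following sketch scans an IIS log in W3C extended format for write-method requests that arrived without authentication and marks those that succeeded or touched a default document. The field layout, sample rows and addresses are constructed, and the function name is hypothetical.

```python
import re

# Methods that modify content on the server (HTTP/1.1 plus WebDAV).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
# Default-document names; the thread reports that default.* was replaced.
DEFAULT_DOC = re.compile(r"/(default|index)\.[^/]*$", re.IGNORECASE)

# Constructed sample in W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs(User-Agent) sc-status
2006-06-02 03:10:01 198.51.100.7 - GET /default.htm Mozilla/4.0+(compatible;+MSIE+6.0) 200
2006-06-02 03:11:42 203.0.113.45 - PUT /default.htm Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 201
2006-06-02 03:12:05 203.0.113.45 - PUT /jobs/default.asp Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 403
2006-06-02 03:15:30 198.51.100.9 jsmith PUT /uploads/resume.doc Mozilla/4.0 201
"""

def find_anonymous_writes(log_text):
    """Return findings for write-method requests made without authentication."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                           # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if row.get("cs-method", "").upper() not in WRITE_METHODS:
            continue
        if row.get("cs-username", "-") != "-":
            continue                           # authenticated write, not reported
        uri = row.get("cs-uri-stem", "")
        findings.append({
            "client": row.get("c-ip"),
            "method": row["cs-method"].upper(),
            "uri": uri,
            "agent": row.get("cs(User-Agent)", "").replace("+", " "),
            "succeeded": row.get("sc-status", "").startswith("2"),
            "default_doc": bool(DEFAULT_DOC.search(uri)),
        })
    return findings

if __name__ == "__main__":
    for finding in find_anonymous_writes(SAMPLE_LOG):
        print(finding)
```

A finding with both `succeeded` and `default_doc` set means an anonymous client was able to overwrite a home page, which points back at the write permission granted to the IUSR_ account discussed in the replies.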