[isalist] Re: Spykids defacement

  • From: "Crockett, Gregory" <Gregory.Crockett@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Jun 2006 12:52:29 -0500

They use ASP to upload.

 

greg 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Friday, June 02, 2006 12:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

 

Ah....

 

How do job seekers upload their resumes?  Via HTTP?  They wouldn't
happen to use the PUT verb, would they?

 

Full control for a guest account is NOT a good idea.  You might want to
lock that down more.

 

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys

11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

 

________________________________

From: Crockett, Gregory
Sent: Fri 6/2/2006 12:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

I see your point.  I just checked the permissions on the share (which
hangs off an MSCS) - all IUSR_ users have full control - not for webdav,
but for job seekers needing to upload their resume.

 

greg

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Friday, June 02, 2006 11:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

 

Yes, anonymous users impersonate the IUSR_ account but on both the
website properties and on NTFS permissions, you can restrict write
access.  Most of the time, unless you're supporting WEBDAV as Jim said,
you usually only need Read and perhaps Execute in both locations for
users to be able to view websites.

 

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys

11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

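The point made above (anonymous requests run as IUSR_, so IIS and NTFS permissions decide whether a write succeeds) can be verified from the outside rather than by reading ACLs. The script below is an added example for this thread, not code from the original posts or from Microsoft: it sends OPTIONS and then a real PUT of a small text file to a probe path and reports whether an unauthenticated write was accepted. Because it writes to the target, run it only against servers you are authorized to test. The two handler classes stand in for a weak and a hardened server so the script runs offline; the probe path name is an arbitrary assumption.

```python
"""Probe a web site for anonymous WebDAV/PUT write access.

Added example for this thread (not from the original posts, ISA or IIS).
The two HTTP handlers below are stand-ins: one accepts PUT like a server
whose anonymous account has write access, the other refuses it like a
server with read-only permissions or a PUT-blocking HTTP filter in front.
"""
import http.client
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List

# HTTP/WebDAV methods that create, overwrite, move or delete content.
WRITE_METHODS = ("PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH")
# Assumed harmless probe path; choose one that cannot collide with real content.
PROBE_PATH = "/_dav_probe_3f2a.txt"


@dataclass
class ProbeResult:
    dav_header: str          # value of the DAV: header from OPTIONS, if any
    allow_header: str        # value of the Allow: header from OPTIONS, if any
    advertised_writes: List[str]
    put_status: int

    @property
    def anonymous_write_possible(self) -> bool:
        # 200/201/204 on an unauthenticated PUT means the body was stored.
        return self.put_status in (200, 201, 204)


def _request(host, port, method, path, body=None, headers=None):
    """One request on a fresh connection; the response headers stay readable after close."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        resp.read()
        return resp
    finally:
        conn.close()


def probe(host: str, port: int, path: str = PROBE_PATH) -> ProbeResult:
    opt = _request(host, port, "OPTIONS", "/")
    dav = opt.getheader("DAV", "") or ""
    allow = opt.getheader("Allow", "") or ""
    allowed = {m.strip().upper() for m in allow.split(",")}
    advertised = [m for m in WRITE_METHODS if m in allowed]
    # The real test: the Allow header is advisory, so try a PUT and look at the status.
    put = _request(host, port, "PUT", path, body=b"dav probe\n",
                   headers={"Content-Type": "text/plain"})
    return ProbeResult(dav, allow, advertised, put.status)


class WeakDavHandler(BaseHTTPRequestHandler):
    """Stand-in for a site where the anonymous account can write (constructed)."""
    stored = {}

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("DAV", "1, 2")
        self.send_header("Allow", "OPTIONS, GET, HEAD, PUT, DELETE, MOVE, COPY, PROPFIND, MKCOL")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        type(self).stored[self.path] = self.rfile.read(length)
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()


class HardenedHandler(BaseHTTPRequestHandler):
    """Stand-in for a site with read-only anonymous access or PUT filtered (constructed)."""

    def log_message(self, *args):
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "OPTIONS, GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the body
        self.send_response(405)
        self.send_header("Allow", "OPTIONS, GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def run_probe(handler) -> ProbeResult:
    """Start a local stand-in server, probe it, shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, handler in (("weak", WeakDavHandler), ("hardened", HardenedHandler)):
        r = run_probe(handler)
        print(f"{name}: DAV={r.dav_header!r} advertised={r.advertised_writes} "
              f"PUT->{r.put_status} anonymous_write={r.anonymous_write_possible}")
```

Against a real host, call `probe(host, port)` directly. A 401 on the PUT means the server demanded credentials, which is the expected answer for a site that only serves anonymous reads; a 2xx means anyone on the Internet can overwrite content, which is what the defacement exploited.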

 

________________________________

From: Crockett, Gregory
Sent: Fri 6/2/2006 12:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

Correct me if I am wrong, but, don't all web servers use "anonymous"
(unless you authenticate) for access?  Once anonymous gains access to
the web server, the web server will use its authentication process to
gain access to content.  In the case of IIS, the default username is
something like domain\iusr_ (sp) -- I think.  I changed all my iusr_
names.

 

greg

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Friday, June 02, 2006 10:23 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

 

Doesn't sound as if your web server is fully patched.  Or it may be but
your permissions for anonymous access aren't as tight as they should be.

 

Should anonymous users have write access to website directories?

 

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys

11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468


 

________________________________

From: Crockett, Gregory
Sent: Fri 6/2/2006 11:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Spykids defacement

One of our web sites, http://www.servicesatrandolph.com/ was defaced by
Spykids.  The defacement consisted of: 

 

spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykid\n\

 

According to the ISA WebProxy, the Client Agent used was: Microsoft Data
Access Internet Publishing Provider DAV 1.1, with the Operation "PUT".

 

They changed the default.* file. 

 

Since, I turned on HTTP Filter to block the PUT Method.  Will this stop
the above intrusion?

 

Is there anything else I can do to block this intrusion?

 

Speaking of the proxy log - what's up with the ClientIP field?  Should I
have a decoder ring to crack the IP address?

 

The IIS log revealed the IP address originated in Argentina.

 

TIA

 

greg

All mail to and from this domain is scrutinized by the Scrutinizer.
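The original post asks whether blocking the PUT method on the ISA HTTP filter will stop this intrusion. PUT was the method seen, but a WebDAV client that can reach the site can also use MOVE, COPY, MKCOL, DELETE and PROPPATCH (the RFC 2518 write methods), so a filter or a log search that only looks for PUT is incomplete. The script below is an added example, not code from the original posts or from ISA/IIS: it parses IIS W3C extended log lines and flags every write-capable or WebDAV request made without a user name. The log lines are constructed to resemble the incident; the addresses, paths and timestamps are made up.

```python
"""Flag anonymous WebDAV/write-method requests in IIS W3C extended logs.

Added example for this thread (not from the original posts, ISA or IIS).
SAMPLE_LOG is constructed: the IPs, paths and times are invented.
"""
from dataclasses import dataclass
from typing import Iterator, List

# Methods that create, overwrite, move or delete content on a WebDAV-enabled
# server (RFC 2518 plus plain HTTP PUT/DELETE). Blocking PUT alone leaves the rest.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Substring of the User-Agent the original post saw in the ISA proxy log
# ("Microsoft Data Access Internet Publishing Provider DAV 1.1").
DAV_AGENT_MARKER = "Internet Publishing Provider DAV"

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-06-02 14:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-02 14:00:01 10.0.0.5 GET /default.asp - 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-06-02 14:00:07 10.0.0.5 OPTIONS / - 80 - 203.0.113.77 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 200 0 0
2006-06-02 14:00:09 10.0.0.5 PROPFIND / - 80 - 203.0.113.77 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 207 0 0
2006-06-02 14:00:12 10.0.0.5 PUT /default.htm - 80 - 203.0.113.77 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 201 0 0
2006-06-02 14:00:15 10.0.0.5 MOVE /default.htm - 80 - 203.0.113.77 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 201 0 0
2006-06-02 14:01:30 10.0.0.5 POST /upload.asp - 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-06-02 14:02:00 10.0.0.5 PUT /docs/notes.txt - 80 CORP\\webmaster 10.0.0.9 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 201 0 0
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    status: str
    reasons: List[str]

    @property
    def succeeded(self) -> bool:
        # 2xx means IIS accepted the request; for PUT/MOVE that means content changed.
        return self.status.startswith("2")


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    W3C logging separates fields with single spaces and writes spaces inside a
    field (e.g. the User-Agent) as '+', so a plain split on ' ' is correct.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; a real tool would report it
        yield dict(zip(fields, values))


def find_anonymous_writes(text: str) -> List[Finding]:
    """Every request with no cs-username that is a write method or comes from a DAV client."""
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        anonymous = rec["cs-username"] == "-"
        agent = rec["cs(User-Agent)"].replace("+", " ")
        reasons = []
        if anonymous and method in WRITE_METHODS:
            reasons.append(f"anonymous {method}")
        if anonymous and DAV_AGENT_MARKER in agent and method not in ("GET", "HEAD"):
            reasons.append("unauthenticated WebDAV client")
        if reasons:
            findings.append(Finding(rec["time"], rec["c-ip"], method,
                                    rec["cs-uri-stem"], rec["sc-status"], reasons))
    return findings


def successful_anonymous_writes(text: str) -> List[Finding]:
    """The subset that actually changed content: write method and a 2xx status."""
    return [f for f in find_anonymous_writes(text)
            if f.method in WRITE_METHODS and f.succeeded]


if __name__ == "__main__":
    for f in find_anonymous_writes(SAMPLE_LOG):
        flag = "CHANGED" if f.method in WRITE_METHODS and f.succeeded else "       "
        print(f"{f.time} {f.client_ip:>15} {f.method:<9} {f.uri:<18} {f.status} {flag} {'; '.join(f.reasons)}")
```

Run against the real log, the OPTIONS and PROPFIND hits from the same client show the reconnaissance that preceded the PUT, and the authenticated PUT by a named user is left alone. The same method list is the one to put in the HTTP filter: blocking PUT but leaving MOVE, COPY and MKCOL open still lets a DAV client replace default.htm.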


------------------------------------------------------ List Archives:
//www.freelists.org/archives/isalist/ ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and
Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server
Blogs: http://blogs.isaserver.org/
------------------------------------------------------ Visit
TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------ To unsubscribe
visit http://www.isaserver.org/pages/isalist.asp Report abuse to
listadmin@xxxxxxxxxxxxx 
