[isalist] Re: Spykids defacement

  • From: "Crockett, Gregory" <Gregory.Crockett@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Jun 2006 12:56:32 -0500

Doesn't ISA block the same HTTP request as Urlscan?

 

greg

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of John T (Lists)
Sent: Friday, June 02, 2006 12:27 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

 

Sounds like someone's web server is not properly configured and
patched. Ever hear of URLScan and IIS Lockdown?

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Crockett, Gregory
Sent: Friday, June 02, 2006 8:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Spykids defacement

 

One of our web sites, www.servicesatrandolph.com
<http://www.servicesatrandolph.com/>, was defaced by Spykids. The
defacement consisted of:

 

spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykid\n\

 

According to the ISA WebProxy, the Client Agent used was: Microsoft Data
Access Internet Publishing Provider DAV 1.1, with the Operation "PUT".

 

They changed the default.* file. 

 

Since then, I turned on HTTP Filter to block the PUT Method. Will this stop
the above intrusion?

 

Is there anything else I can do to block this intrusion?

 

Speaking of the proxy log - what's up with the ClientIP field?  Should I
have a decoder ring to crack the IP address?

 

The IIS log revealed the IP address originated in Argentina.

 

TIA

 

greg

All mail to and from this domain is scrutinized by the Scrutinizer.
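
A log check for the request pattern described in the original post (a PUT from the "Microsoft Data Access Internet Publishing Provider DAV" agent), as an added example that is not part of the thread. It assumes IIS W3C extended logging with the fields named in the sample header, generalizes from PUT to the other WebDAV write methods, and runs on constructed log lines.

```python
DAV_AGENT = "Microsoft Data Access Internet Publishing Provider DAV"
# PUT is the method named in the post; the rest are other WebDAV write methods.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample log (documentation IP ranges), not data from the thread.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2006-06-02 03:10:01 198.51.100.7 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-06-02 03:11:15 203.0.113.45 OPTIONS / 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2006-06-02 03:11:17 203.0.113.45 PUT /default.htm 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2006-06-02 03:12:40 203.0.113.45 PUT /index.asp 403 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2006-06-02 03:15:02 198.51.100.7 GET /default.htm 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can change mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def find_webdav_writes(text):
    """Return every write-method request, marking the ones the server accepted."""
    hits = []
    for row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        if method not in WRITE_METHODS:
            continue
        status = row.get("sc-status", "")
        agent = row.get("cs(User-Agent)", "-").replace("+", " ")  # IIS logs spaces as '+'
        hits.append({
            "client": row.get("c-ip", "-"),
            "method": method,
            "uri": row.get("cs-uri-stem", "-"),
            "status": status,
            "accepted": status.isdigit() and 200 <= int(status) < 300,
            "dav_agent": DAV_AGENT in agent,
        })
    return hits

if __name__ == "__main__":
    for hit in find_webdav_writes(SAMPLE_LOG):
        verdict = "ACCEPTED" if hit["accepted"] else "rejected"
        print(verdict, hit["client"], hit["method"], hit["uri"], hit["status"])
```

An accepted write in the output means the web server itself allowed the upload, so the same check run after the HTTP Filter change shows whether PUT requests still reach the server.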
