[isalist] Re: Spykids defacement

  • From: "John T \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Jun 2006 12:48:03 -0700

Yes, but just because the front door of the building has a security guard
standing there checking everything and everyone out next you do not assume
someone in the building is free to do whatever they please.

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Crockett, Gregory
Sent: Friday, June 02, 2006 10:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

 

Doesn't ISA block the same HTTP request as Urlscan?

 

greg

 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of John T (Lists)
Sent: Friday, June 02, 2006 12:27 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

 

Sounds like someone's web server is not properly configured and patched.
Ever hear of URLScan and IIS Lockdown?

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Crockett, Gregory
Sent: Friday, June 02, 2006 8:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Spykids defacement

 

One of our web sites, www.servicesatrandolph.com
<http://www.servicesatrandolph.com/>  was defaced by Spykids.  The
defacement consisted of: 

 

spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykid\n\

 

According to the ISA WebProxy, the Client Agent used was: Microsoft Data
Access Internet Publishing Provider DAV 1.1, with the Operation "PUT".

 

They changed the default.* file. 

 

Since then, I turned on HTTP Filter to block the PUT Method.  Will this stop the
above intrusion?

 

Is there anything else I can do to block this intrusion?

 

Speaking of the proxy log - what's up with the ClientIP field?  Should I
have a decoder ring to crack the IP address?

 

The IIS log revealed the IP address originated in Argentina.

 

TIA

 

greg

All mail to and from this domain is scrutinized by the Scrutinizer.
