[isalist] Re: Spykids defacement

  • From: "Crockett, Gregory" <Gregory.Crockett@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Jun 2006 11:15:01 -0500

Correct me if I am wrong, but, don't all web servers use "anonymous"
(unless you authenticate) for access?  Once anonymous gains access to
the web server, the web server will use its authentication process to
gain access to content.  In the case of IIS, the default username is
something like domain\iusr_ (sp) -- I think.  I changed all my iusr_
names.

 

greg

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Friday, June 02, 2006 10:23 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

 

Doesn't sound as if your web server is fully patched.  Or it may be but
your permissions for anonymous access aren't as tight as they should be.

 

Should anonymous users have write access to website directories?

 

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys

11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468


 

________________________________

From: Crockett, Gregory
Sent: Fri 6/2/2006 11:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Spykids defacement

One of our web sites, http://www.servicesatrandolph.com/ was defaced by
Spykids.  The defacement consisted of: 

 

spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykids spykids spykids spykids spykids spykids spykids spykids spykids
spykid\n\

 

According to the ISA WebProxy, the Client Agent used was: Microsoft Data
Access Internet Publishing Provider DAV 1.1, with the Operation "PUT".

 

They changed the default.* file. 

 

Since then, I turned on HTTP Filter to block the PUT Method.  Will this stop
the above intrusion?

 

Is there anything else I can do to block this intrusion?

 

Speaking of the proxy log - what's up with the ClientIP field?  Should I
have a decoder ring to crack the IP address?

 

The IIS log revealed the IP address originated in Argentina.

 

TIA

 

greg

All mail to and from this domain is scrutinized by the Scrutinizer.
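
Added example, not part of the original thread or any poster's code: a small scan of an IIS W3C extended log for write-type requests such as the PUT from the "Microsoft Data Access Internet Publishing Provider DAV" agent described above, showing which ones the server accepted. The field layout, sample lines, and addresses are constructed for illustration.

```python
# Added example: list write-type HTTP requests in an IIS W3C extended log and
# mark which ones succeeded and which came from the DAV publishing agent.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
DAV_AGENT = "microsoft data access internet publishing provider dav"

# Constructed sample log (documentation IP ranges), not data from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2006-06-02 03:10:11 198.51.100.7 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-06-02 03:12:40 203.0.113.25 OPTIONS / 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2006-06-02 03:12:41 203.0.113.25 PUT /default.htm 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2006-06-02 03:15:02 203.0.113.25 PUT /admin/x.asp 403 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
"""


def find_write_attempts(log_text):
    """Return one dict per write-method request found in the log text."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        method = row.get("cs-method", "").upper()
        if method not in WRITE_METHODS:
            continue
        # IIS writes spaces inside the user agent as '+'.
        agent = row.get("cs(User-Agent)", "").replace("+", " ").lower()
        status = row.get("sc-status", "-")
        hits.append({
            "when": f"{row.get('date', '-')} {row.get('time', '-')}",
            "client": row.get("c-ip", "-"),
            "method": method,
            "path": row.get("cs-uri-stem", "-"),
            "status": status,
            "succeeded": status.startswith("2"),  # 2xx: the server accepted it
            "dav_agent": DAV_AGENT in agent,
        })
    return hits


if __name__ == "__main__":
    for hit in find_write_attempts(SAMPLE_LOG):
        print(hit)
```

A 2xx status on a PUT means the server itself accepted the write, so the result points at which directories to review for write permission, independent of any method filtering at the proxy.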
