Urgent help: Possible security breach

on 13.04.2007 14:10:06 by Gaspar

When I arrived this morning at my office I noticed that the intranet's
home page was modified: Some images were erased, others changed, etc.
The strange thing is that the modification time is 20:15 and no IT users
work at these hours (work time is 9:00 to 17:00).

I'm now thinking of some security breach. I need you to help me find
which user modified the file, from which host or IP, and -of course- if
my servers have some backdoors opened.

This is my platform:
- 2 Windows 2003 domain controllers, and 3 secondary windows 2003 servers.
- All service packs and security updates applied.
- IIS 6 has Frontpage extensions
- All servers have Symantec Corporate Antivirus (virus definitions updated).
- Internet access is controlled with ISA Server 2004
- Access to servers is physically restricted to only 2 persons, so
there's no way for someone to login locally.
- Most servers operations are done via Remote Desktop.


I already checked:
- Shares: there are no shares in the INETPUB directory, and all other
shares are only restricted to administrators.
- Event Viewer: I couldn't find any entry related to the default.htm
file (home page)

Thanks in advance for your help and suggestions!
Gaspar

Re: Urgent help: Possible security breach

on 13.04.2007 14:35:48 by Ken Schaefer

a) Is it possible someone guessed a password for one of your user accounts?

b) Is it possible that an application you have running on the IIS6 servers
has a bug that allows the application to be subverted (e.g. via SQL
Injection or similar) that in turn allows the content to be altered?

Cheers
Ken

Re: Urgent help: Possible security breach

on 13.04.2007 14:59:38 by Gaspar

a) Maybe... I'll reset admin passwords
b) No SQL data was modified, only the .htm itself

Thanks for your help

Re: Urgent help: Possible security breach

on 13.04.2007 15:29:21 by Phillip Windell

How do you actually get page updates to the site? FTP?
Just because the files were changed doesn't mean the "www" service was
hacked; it generally doesn't do uploads anyway. If you do it with FTP, check
the FTP Service logs; they will show the connection, the login, the download,
the upload, everything.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

Re: Urgent help: Possible security breach

on 13.04.2007 15:51:35 by Gaspar

- Files are updated via Frontpage Extensions. Only administrators update
files in selected computers in the local network (no modification
allowed outside the company).
- FTP is not installed.

Re: Urgent help: Possible security breach

on 13.04.2007 16:27:43 by Roger Abell

"Gaspar" wrote in message
news:%23BFRcLdfHHA.1220@TK2MSFTNGP03.phx.gbl...
>- Files are updated via Frontpage Extensions. Only administrators update
>files in selected computers in the local network (no modification allowed
>outside the company).

That is a mistaken idea. If FPSE are installed then edit
can be done from anywhere that can browse to the site.
What accounts have FPSE based edit rights?
Have you examined logs of the IIS server machine and
of the domain controllers for login events at times that
might relate?

Re: Urgent help: Possible security breach

on 13.04.2007 16:31:40 by Phillip Windell

Ok.
I can't help you with Frontpage Extensions.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

Re: Urgent help: Possible security breach

on 13.04.2007 16:33:59 by Roger Abell

What are the last modified timestamps on the modified files?
Are there any other files on the system with similar times?
If there are others, and they are new files, what account is shown
as the owner of them?
What does the event log record (i.e. what is audited) and, of that,
what is contemporaneous to the file timestamps +/- some?

Basically you are trying to see if you can assess the method
used. That could show you whether the machine was compromised
or just the ability to edit web pages. That also could show you the
extent of your exposure (i.e. Was it a machine local account on the
IIS server or a domain account that was used? If domain account
you may need to call all machines into question, depending on what
all you find - i.e. was it only compromise of content edit capabilities
such as use of existing account or was it worse).

etc.

Re: Urgent help: Possible security breach

on 13.04.2007 16:39:27 by Gaspar

Roger Abell [MVP] wrote:
> "Gaspar" wrote in message
> news:%23BFRcLdfHHA.1220@TK2MSFTNGP03.phx.gbl...
>> - Files are updated via Frontpage Extensions. Only administrators update
>> files in selected computers in the local network (no modification allowed
>> outside the company).
>
> That is a mistaken idea. If FPSE are installed then edit
> can be done from anywhere that can browse to the site.

Yes, I know. I meant that only on "selected computers" do we edit these
pages, although this can be done from anywhere in our LAN.


> What accounts have FPSE based edit rights?

Only admins

> Have you examined logs of the IIS server machine and
> of the domain controllers for login events at times that
> might relate?

Yes. Event Viewer lists some user logins prior to this event.
Unfortunately, file audit wasn't enabled on the INETPUB location (Win2003
file audit is disabled by default, but now I have enabled it).

Thanks again

Re: Urgent help: Possible security breach

on 13.04.2007 16:44:24 by Gaspar

> What are the last modified timestamps on the modified files?
> Are there any other files on the system with similar times?
> If there are others, and they are new files, what account is shown
> as the owner of them?
> What does event log record (i.e. what is audited) and of that
> what is contemporaneous to the file timestamps +/- some?

I checked for files modified at the same time (approx.) but only that one was
modified. No other data was compromised.

I always try to stay ahead with security practices but this is the first
time that something like this has happened in our company (the union is on
strike, so.... well, maybe I'm paranoid).

Thanks!

Re: Urgent help: Possible security breach

on 13.04.2007 17:03:45 by Roger Abell

"Gaspar" wrote in message
news:%23B4lOmdfHHA.5052@TK2MSFTNGP06.phx.gbl...
>
>
> Roger Abell [MVP] wrote:
>> "Gaspar" wrote in message
>> news:%23BFRcLdfHHA.1220@TK2MSFTNGP03.phx.gbl...
>>> - Files are updated via Frontpage Extensions. Only administrators update
>>> files in selected computers in the local network (no modification
>>> allowed outside the company).
>>
>> That is a mistaken idea. If FPSE are installed then edit
>> can be done from anywhere that can browse to the site.
>
> Yes, I know. I meant that only on "selected computers" do we edit these pages,
> although this can be done from anywhere in our LAN.
>

Or from anywhere in the world if the IIS responds to internet
based browsing.

>
>> What accounts have FPSE based edit rights?
>
> Only admins
>
>> Have you examined logs of the IIS server machine and
>> of the domain controllers for login events at times that
>> might relate?
>
> Yes. Event Viewer lists some user logins prior to this event.
> Unfortunately, file audit wasn't enabled on the INETPUB location (Win2003
> file audit is disabled by default, but now I have enabled it).
>

Be careful as it is easy to generate too much when auditing
filesystem accesses, generating considerable overhead and
making the security log difficult to use to notice things that
are more important.

Re: Urgent help: Possible security breach

on 13.04.2007 17:15:37 by Roger Abell

"Gaspar" wrote in message
news:et7Y9odfHHA.1816@TK2MSFTNGP06.phx.gbl...
>> What are the last modified timestamps on the modified files?
>> Are there any other files on the system with similar times?
>> If there are others, and they are new files, what account is shown
>> as the owner of them?
>> What does event log record (i.e. what is audited) and of that
>> what is contemporaneous to the file timestamps +/- some?
>
> I checked for files modified in the same time (aprox.) but only that was
> modified. No other data was compromised.
>

Your IIS server logs might have been configured to record the
user account info as they tested the pages changed.
If the accounts that could change were domain accounts, do not
limit yourself to looking at only the IIS server. And be sure to
check everywhere for filetimes, not just the inetpub area.
It would be good to look at the NTFS permissions on the content,
not just trusting what the FPSE admin interface claims as those
with edit capable roles.

> I always try to stay ahead with security practices but this is the first
> time that something likes this happens in our company (the union in
> strike, so.... well, maybe i'm paranoid).
>

So were the changes such as one might expect if related to
company issues, or are they more what one would expect
for general defacement?

I am still not clear whether this IIS serves only intranet accesses.
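
Roger's suggestions in this and his earlier reply (look for other files with timestamps near the modified page, note who owns any new ones, and check file times everywhere, not just under inetpub) amount to building a small filesystem timeline. The following is an added example, not code from the thread: it sweeps a directory tree for files modified within a window around the page's 20:15 timestamp and separates out the hits that sit outside inetpub, which are the ones that point to more than a content edit. The directory tree, file names and times are constructed so the example runs anywhere; on the server it would be pointed at each drive's root instead of build_sample_tree().

```python
"""Filesystem timeline around a suspicious file modification.

Added example for this thread, not code from it. The sample tree, file
names and timestamps are constructed; on the server, run
files_modified_near() against a real root (e.g. C:\\) instead.
"""
import os
import shutil
import tempfile
from datetime import datetime, timedelta


def files_modified_near(root, center, window_minutes=15):
    """Return [(mtime, path)] for files whose mtime is within +/- window of center."""
    lo = (center - timedelta(minutes=window_minutes)).timestamp()
    hi = (center + timedelta(minutes=window_minutes)).timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:  # unreadable or vanished file: skip, keep sweeping
                continue
            if lo <= st.st_mtime <= hi:
                hits.append((datetime.fromtimestamp(st.st_mtime), path))
    return sorted(hits)


def hit_names(hits):
    """Base names of the hits, in time order."""
    return [os.path.basename(path) for _mtime, path in hits]


def outside_inetpub(hits):
    """Hits not under any directory named inetpub: a change there means the
    intruder did more than edit web content."""
    return [path for _mtime, path in hits
            if "inetpub" not in path.lower().split(os.sep)]


def build_sample_tree():
    """Constructed tree: the defaced page, a touched image, an old page, a
    binary dropped in Windows\\Temp a few minutes later, and an unrelated doc."""
    root = tempfile.mkdtemp()
    center = datetime(2007, 4, 12, 20, 15)  # the 20:15 timestamp from the thread
    samples = {
        "inetpub/wwwroot/default.htm": center,
        "inetpub/wwwroot/images/logo.gif": center + timedelta(minutes=1),
        "inetpub/wwwroot/about.htm": center - timedelta(days=30),
        "Windows/Temp/svc.exe": center + timedelta(minutes=4),
        "Documents/report.doc": center - timedelta(hours=6),
    }
    for rel, when in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root, center


if __name__ == "__main__":
    root, center = build_sample_tree()
    try:
        hits = files_modified_near(root, center)
        for mtime, path in hits:
            print(mtime, path)
        print("outside inetpub:", outside_inetpub(hits))
    finally:
        shutil.rmtree(root)
```

On the server, `dir /q` adds the owner column Roger asks about. Bear in mind that the modification time shown by Explorer (and by os.stat) comes from NTFS $STANDARD_INFORMATION and can be set by anyone who can write the file; the $FILE_NAME timestamps in the MFT record are not exposed through the normal API and are worth comparing with a forensic tool if the visible times look too tidy.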

Re: Urgent help: Possible security breach

on 13.04.2007 18:00:10 by Gaspar

IIS serves only to the intranet.
There are not public (Internet) web servers available. Also, ISA Server
does not have rules for web publishing.

Thanks for your time.

Re: Urgent help: Possible security breach

on 13.04.2007 18:59:59 by Gaspar

I noticed something strange in INETPUB/WWWRoot: the security tab
lists an "account unknown" with Read/Write permissions.

Any idea?

Re: Urgent help: Possible security breach

on 13.04.2007 19:48:58 by Roger Abell

"Gaspar" wrote in message
news:erP8t0efHHA.1252@TK2MSFTNGP04.phx.gbl...
>I noticed something strange in the INETPUB/WWWRoot: the security tab list a
>"account unknown" with Read/Write permissions.
>
> Any idea?

Depends.

If that machine currently is able to talk with all authenticating domains'
controllers, then that is a SID that cannot be translated because the
account no longer exists. However, if DCs cannot be contacted or
other issues exist, such as the Netbios Tcp/Ip Helper service being
off, then it is just a failure in obtaining friendly name for the SID (and
would impact display of any principal from that authority).
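
Roger's two cases (a SID whose account no longer exists versus a SID the server merely failed to translate) can be narrowed further once the SID string itself is read off the ACL, because the Security tab on Windows Server 2003 shows it in parentheses next to "Account Unknown". The following is an added example, not code from the thread: it takes such a SID and says whether it was issued by the company's own domain, by the IIS server's local SAM, by some other authority, or is a well-known SID that should never show as unknown. DOMAIN_SID and MACHINE_SID are constructed placeholders; on the real server the domain SID is any domain account's SID without its trailing RID, and the machine SID is the same for a local account on that server.

```python
"""Where did an "Account Unknown" SID on an ACL come from?

Added example for this thread, not code from it. DOMAIN_SID and MACHINE_SID
are constructed; on the server take them from a real domain account and a
real local account (SID minus the trailing RID), and read the orphan SID
from the ACL editor or cacls output.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
FIRST_USER_RID = 1000  # RIDs below this are built-in (500 Administrator, 512 Domain Admins, ...)

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"    # constructed
MACHINE_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # constructed


def split_sid(sid):
    """Return (identifier_authority, [sub_authorities]); raise on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % (sid,))
    parts = sid.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def classify_orphan_sid(sid, domain_sid=DOMAIN_SID, machine_sid=MACHINE_SID):
    """Classify a SID that the ACL editor could not resolve to a name.

    Assumes name resolution itself works (DCs reachable, TCP/IP NetBIOS
    Helper running). If it does not, every SID from that authority shows
    as unknown and this classification says nothing about deletion.
    """
    authority, subs = split_sid(sid)
    # Account SIDs issued by a domain or a machine look like S-1-5-21-a-b-c-RID.
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return {"sid": sid, "origin": "well-known", "rid": None, "builtin": True,
                "note": "not a domain/machine account SID; if this shows as unknown, "
                        "suspect the resolver, not a deleted account"}
    issuer = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
    rid = subs[4]
    if issuer == domain_sid:
        origin, note = "domain", "deleted domain account (or one the DC this server used has not replicated)"
    elif issuer == machine_sid:
        origin, note = "local", "deleted local account on this server; find out who created it and when"
    else:
        origin, note = "foreign", "account from another domain or machine image; it has no business on this ACL"
    return {"sid": sid, "origin": origin, "rid": rid, "builtin": rid < FIRST_USER_RID, "note": note}


if __name__ == "__main__":
    for s in ("S-1-5-21-1111111111-2222222222-3333333333-1105",
              "S-1-5-21-4444444444-5555555555-6666666666-1002",
              "S-1-5-21-7-8-9-500",
              "S-1-5-32-544"):
        r = classify_orphan_sid(s)
        print(s, "->", r["origin"], "RID", r["rid"], "-", r["note"])
```

Before trusting the "unknown" display at all, confirm the server's secure channel to a DC with `nltest /sc_query:<domain>`. Once the origin is known, the DC Security log's account-deletion events (event ID 630, User Account Deleted, on Windows Server 2003) record the deleted account's name and SID, which ties the orphan back to a name, a deletion time and the caller who deleted it; a local-origin SID on a server that is not supposed to have local accounts is the finding that matters most here.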

Re: Urgent help: Possible security breach

on 15.04.2007 15:23:07 by Ken Schaefer

Hi,

a) Check Last Modified dates on the files against Successful Logon events in
your DCs to see what accounts may have logged on to modify files.

b) SQL Injection doesn't involve changing any SQL data necessarily. It may
be that they could have used SQL Server stored procs that allow access to a
command shell. You need to do some research on SQL Injection to get an idea
of what's possible:
e.g. http://www.nextgenss.com/papers/advanced_sql_injection.pdf

Cheers
Ken
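
Roger's point that the IIS logs may already carry the user account, and Ken's suggestion to line up the file's Last Modified time with successful logon events, combine into one check. The following is an added example, not code from the thread: it parses an IIS 6 W3C log, picks out FrontPage Server Extensions authoring requests (POSTs to /_vti_bin/shtml.dll and /_vti_bin/_vti_aut/author.dll, which is how the FrontPage client writes content) within a window around the page's 20:15 timestamp, and pairs them with logon events for the same account. The log lines, the logon records, the date (12 April) and the client addresses are all constructed. IIS writes its log in UTC by default, so the file time has to be converted to the same base before comparing; the example assumes that has been done.

```python
"""Tie a defaced page's timestamp to an FPSE author and a logon.

Added example for this thread, not code from it. IIS_LOG and LOGON_EVENTS
are constructed; on the server, read the W3C log from the site's log
directory and the 528/540 events from the Security log of the IIS server
and the DCs. Times are assumed to be on the same (UTC) base.
"""
from datetime import datetime, timedelta

# FrontPage authoring goes through these handlers; plain page views do not.
FPSE_AUTHORING_PREFIXES = ("/_vti_bin/_vti_aut/author.dll", "/_vti_bin/shtml.dll")

# Constructed IIS 6 W3C extended log excerpt.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-12 20:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-04-12 20:02:11 10.0.0.5 GET /default.htm - 80 - 10.0.1.77 Mozilla/4.0 200 0 0
2007-04-12 20:13:40 10.0.0.5 POST /_vti_bin/shtml.dll/_vti_rpc - 80 CORP\\jdoe 10.0.1.42 MSFrontPage/12.0 200 0 0
2007-04-12 20:14:55 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll - 80 CORP\\jdoe 10.0.1.42 MSFrontPage/12.0 200 0 0
2007-04-12 20:15:02 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll - 80 CORP\\jdoe 10.0.1.42 MSFrontPage/12.0 200 0 0
2007-04-12 20:15:30 10.0.0.5 GET /default.htm - 80 - 10.0.1.42 Mozilla/4.0 200 0 0
2007-04-12 21:40:09 10.0.0.5 GET /default.htm - 80 - 10.0.1.90 Mozilla/4.0 200 0 0
"""

# Constructed logon records as transcribed from the IIS server's Security log.
# Windows Server 2003 IDs: 528 = successful logon, 540 = network logon;
# logon type 3 = network, 10 = remote interactive (Terminal Services).
LOGON_EVENTS = [
    {"time": "2007-04-12 16:58:03", "id": 528, "account": "CORP\\admin1", "type": 10, "source": "10.0.1.10"},
    {"time": "2007-04-12 20:14:52", "id": 540, "account": "CORP\\jdoe", "type": 3, "source": "10.0.1.42"},
    {"time": "2007-04-12 22:00:00", "id": 540, "account": "CORP\\svc-backup", "type": 3, "source": "10.0.0.9"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def fpse_authoring_requests(rows, mtime, window_minutes=10):
    """Authoring POSTs within +/- window of the file's modification time."""
    lo, hi = mtime - timedelta(minutes=window_minutes), mtime + timedelta(minutes=window_minutes)
    hits = []
    for r in rows:
        when = parse_time(r["date"] + " " + r["time"])
        if (lo <= when <= hi and r["cs-method"] == "POST"
                and r["cs-uri-stem"].lower().startswith(FPSE_AUTHORING_PREFIXES)):
            hits.append({"time": when, "user": r["cs-username"], "ip": r["c-ip"],
                         "uri": r["cs-uri-stem"], "status": r["sc-status"]})
    return hits


def correlate_with_logons(hits, events, slack_minutes=2):
    """Pair each authoring request with a logon of the same account close in time."""
    matches = []
    for h in hits:
        for e in events:
            if (h["user"].lower() == e["account"].lower()
                    and abs(parse_time(e["time"]) - h["time"]) <= timedelta(minutes=slack_minutes)):
                matches.append({**h, "logon_id": e["id"], "logon_type": e["type"],
                                "logon_source": e["source"]})
    return matches


def suspects(log_text, events, mtime_text):
    """Distinct (account, client IP) pairs that authored content around the file time."""
    hits = fpse_authoring_requests(parse_w3c(log_text), parse_time(mtime_text))
    return sorted({(m["user"], m["ip"]) for m in correlate_with_logons(hits, events)})


if __name__ == "__main__":
    for who, ip in suspects(IIS_LOG, LOGON_EVENTS, "2007-04-12 20:15:00"):
        print(who, "from", ip)
```

If the window comes back empty, either logging was off for that site, or the content was not written through FPSE at all: a Remote Desktop session or an SMB write leaves no author.dll request, and then the logon type (10 for Terminal Services, 3 for network) in the 528/540 events and the NTFS auditing Gaspar has now enabled are what remain to work from. A match on a domain account, as in the constructed data, is also the signal Roger describes for widening the investigation beyond the IIS server.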