defacement by Turkish hacker

on 25.04.2007 05:20:00 by Jheer

2007-04-20 01:59:43UTC 88.229.55.206 Hacked By Nið-DeLi
Defaced a page on just 1 of my sites. PUT /index.htm to plant the file using
Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1,
was the method. I have since repaired this per MS KB 241520. Probably should
suggest others disable the same, as defacements are rising. Not sure if other
platforms accept the PUT request. In IIS it responds with a 400 error (bad
request) but WebDAV is still able to replace index.htm. Out of all the sites
on the server, 1 site was on root that was defaced, subs were not affected.
Hope this helps someone else avoid a defacement.
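
Added example, not part of the original posts: a log triage script for the pattern described above, flagging WebDAV write methods and the DAV publishing client in an IIS W3C extended log regardless of the status code, since the post reports a 400 response on a PUT that still replaced the file. The sample log lines, the IP addresses and the function name `find_dav_writes` are constructed for illustration.

```python
# Added example: triage an IIS W3C extended log for WebDAV write attempts.
# Methods that create, change or remove content over WebDAV.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Client string from the post; IIS logs spaces in the user agent as '+'.
DAV_AGENT_MARKER = "Internet+Publishing+Provider+DAV"

# Constructed sample log (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2007-04-20 01:58:10 198.51.100.7 GET /index.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-04-20 01:59:43 192.0.2.44 PUT /index.htm 400 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2007-04-20 02:00:02 192.0.2.44 OPTIONS / 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2007-04-20 02:03:15 198.51.100.9 POST /form.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

def find_dav_writes(log_text):
    """Return records that use a write method or the DAV publishing client."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, values))
        reasons = []
        if rec.get("cs-method", "").upper() in WRITE_METHODS:
            reasons.append("write-method")
        if DAV_AGENT_MARKER in rec.get("cs(User-Agent)", ""):
            reasons.append("dav-client")
        # The status code is reported but never used as a filter: a 4xx
        # answer does not prove that the write failed.
        if reasons:
            hits.append({"when": rec.get("date", "") + " " + rec.get("time", ""),
                         "ip": rec.get("c-ip"), "method": rec.get("cs-method"),
                         "uri": rec.get("cs-uri-stem"),
                         "status": rec.get("sc-status"), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_dav_writes(SAMPLE_LOG):
        print(hit)
```

Any hit on a write method should be followed by comparing the target file's timestamp and hash against a known-good copy, whatever status the server logged.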

Re: defacement by Turkish hacker

on 25.04.2007 06:39:36 by Bernard

They could come in via many channels.
The safest thing is to rebuild the box; you never know if there's a backdoor
left open.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Jheer" wrote in message
news:D5CC7112-F73D-4FB3-8ABA-D3DB22D6135A@microsoft.com...
> 2007-04-20 01:59:43UTC 88.229.55.206 Hacked By Nið-DeLi
> Defaced a page on just 1 of my sites. PUT /index.htm to plant the file
> using
> Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1,
> was the method. I have since repaired this per MS KB 241520. prob should
> suggest others disable the same as defacements are rising. Not sure if
> other
> platforms accept the PUT request. In IIS it responds with a 400 error (bad
> request) but WebDAV is still able to replace index.htm. out of all the
> sites
> on the server, 1 site was on root that was defaced, subs were not
> affected.
> Hope this helps someone else avoid a defacement.

Re: defacement by Turkish hacker

on 25.04.2007 17:12:03 by Jheer

My concern was that this server had approx. 45 days running time. All the
Windows updates had been run. Believing this was patched as of April 24,
2003, I was left unaware this was open. I believed it should have been
included in the Windows updates, but was wrong. The point is, how many admins
are believing their 2000/IIS 5.0 is safe when it is open for attack?

This patch can be installed on systems running Windows 2000 Service Pack 2
or Service Pack 3. (I have SP4 and install will not complete at that SP
level.)
I have reloaded, and regedited my system to disable WebDAV.

It appears this has been a problem with most web servers that offer WebDAV
usage, not just MS. But the word needs to get out to admins. Recent attacks
have used this method for attack.

"Bernard Cheah [MVP]" wrote:

> They could come in via many channels.
> The safest thing is to rebuild the box, you never know if there's backdoor
> left open.
>
> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
>
> "Jheer" wrote in message
> news:D5CC7112-F73D-4FB3-8ABA-D3DB22D6135A@microsoft.com...
> > 2007-04-20 01:59:43UTC 88.229.55.206 Hacked By Nið-DeLi
> > Defaced a page on just 1 of my sites. PUT /index.htm to plant the file
> > using
> > Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1,
> > was the method. I have since repaired this per MS KB 241520. prob should
> > suggest others disable the same as defacements are rising. Not sure if
> > other
> > platforms accept the PUT request. In IIS it responds with a 400 error (bad
> > request) but WebDAV is still able to replace index.htm. out of all the
> > sites
> > on the server, 1 site was on root that was defaced, subs were not
> > affected.
> > Hope this helps someone else avoid a defacement.