KillUSA attacks

Discussion in 'Computer Science & Culture' started by Rambler, May 8, 2001.

Thread Status:
Not open for further replies.
  1. Rambler Senior Member Registered Senior Member

    Messages:
    509
    Hi All,

    I have a question for all you bright people. We were hacked over the weekend by one of those chinese honker wankers. We're a freaking Australian site nothing to do with the USA or China and the mongrols still had a shot at us. I think its because our address is just ".com" and hence the bright honkers assumed it was US. Anyways I found how they hacked in and closed the door but they've done something to our IIS (5) service. As soon as you start the website it replaces all the index and default pages with their propaganda. I can't find any sign of where this process is running from, I suspect it must be part of a system dll.

    Anyone have any ideas on how to find this freaking code??
     
  2. Google AdSense Guest Advertisement



    to hide all adverts.
  3. wet1 Wanderer Registered Senior Member

    Messages:
    8,616
    Hackers

    One of the problems with hackers and code is finding all that was done. I know this is going to sound stupid but do you have a backup? Can you go in and find what files were altered on the given date? Isolating the altered files will go a long way towards identifying what might have been accessed and altered. You may have no choice but to reload the system if you can not identify the altered files. I recommend that you get a firewall. I know that it is to late to change what has already been altered but if they have your address there is nothing to prevent those hackers from coming back after you spend an immense time straightening out the damage done. With a backup it is merely a matter of reloading from the last time you backed up, returning the system back to a point when you had no troubles. I am not a programmer so what I’m telling you may useless info. Good luck on the hunting of your bugs. Lastly you do not mention what kind of operating system you are using. I'll assume Windows as you mention .dll files. There is the possibility that you might be able to get one of the Norton Utilities or visit the Microsoft site for some help.
     
    Last edited: May 8, 2001
  4. Google AdSense Guest Advertisement



    to hide all adverts.
  5. Rambler Senior Member Registered Senior Member

    Messages:
    509
    Thanks wet1

    I was afraid I'd have to re-build the server...they didn't get far only to our front-end, we do have a firewall and intrusion detectors etc etc etc its secure, well as secure as microsoft will let you be. Without going into specifics they actually got in on port 80 (HTTP)...so a firewall wouldn't have stopped it. I've closed that hole now as I said but no matter what I do I can't find what they've done. I replace the index.html and default.html files start the service and they get overwritten by freakin chinese propaganda.


    Anyways looks like a mighty long night for me.


    Thanks for the reply though.
     
  6. Google AdSense Guest Advertisement



    to hide all adverts.
  7. Bowser Life is Fatal. Valued Senior Member

    Messages:
    6,075
    What's the URL for your site?
     
  8. dexter ROOT Registered Senior Member

    Messages:
    689
    i am interested.. how did they get in?? what all did they do, but mostly, how did they get in???

    and as bowser asked, what is the URL??

    -dexter
     
  9. Rambler Senior Member Registered Senior Member

    Messages:
    509
    Microsoft hole

    They actually got in on port 80, possibly 443 (HTTP, and HTTPS)....now ordinarly these ports should be safe to have open for web servers.....unless ofcourse you are running 2000 server and IIS5. In IIS5 you can send a http print request via the IPP protocol. The print request is handled in the local security context hence what you do is send a request and then make the IPP stack overflow with a trojan. Activate the trojan (no problem because its handled in local security context) and your in...with FULL LOCAL SECURITY ACCESS. You then run an NT password ripper and voila you've got a slave to utilise for DDOS attacks.

    Luckily they only vandalised our site with chinses propaganda.

    Microsoft has released a patch for this and we have since implmented it. However these attacks happened in april (we got hit early may) but the patch was not available until the 1st of may.
     
  10. [f] Registered Senior Member

    Messages:
    48
    IIS "has more holes that swiss cheese"...to quote almost ever IT proffesional ever to have lived.

    there are free web servers that you could use..

    http://www.apache.org/

    http://www.nusphere.com/

    both offer free web server software.....with less holes.

    I willl ask around and see if anyonr eknows what they might have done. And i'lll get back to you.
     
  11. Radical Registered Senior Member

    Messages:
    151
    taken from cnn.com

    The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh also warned of the vulnerability later Thursday.

    A vulnerability exists in the HTTP server component of the IOS software. By requesting a particular URL from the server, a malicious user can bypass the authentication controls and execute commands on the device at the highest privilege level, Level 15, Cisco said.

    Only devices with the HTTP server software enabled and with user names and passwords stored on the device -- the local authentication database -- are vulnerable, the company said. The issue affects all releases of Cisco IOS software starting with Release 11.3.

    Once a hacker has gained access he could redirect data traffic, allowing him to intercept or modify the data. Additionally he could change or delete the device configuration, effectively disabling the router or switch until an engineer reprograms it, said Cisco Security and Network Management Systems Engineer Tames van der Does.

    The HTTP server in IOS is used for remote management of the router or switch. However, a configuration with the HTTP server enabled and the local database for authentication used is a rarity, according to Van der Does.

    "Most engineers use Telnet to access their network hardware and have a central Terminal Access Controller Access Control System or Radius server to authenticate users for all their networking hardware," he said, adding that the HTTP server is switched off by default on Cisco hardware.

    Routers and switches direct network traffic and are used to interconnect computer networks. Cisco's hardware is used around the world by small and large businesses as well as home users.

    Cisco has made software fixes available to plug the hole.
     
  12. kmguru Staff Member

    Messages:
    11,757
    So that next time it does not happen, I suggest a clean OS install with all your apps. Once that works, make a back up bootable copy. Store that backup harddrive separately. If you have a serious breach, you can replace with a clean boot.

    Another way is to maintain a separate server isolated from network with identical apps. Switch it when you have a serious problem. This too can be backed up in to a CD-ROM. You can use a RAMdisk also if needed. Isolated backup server is the best solution...
     
Thread Status:
Not open for further replies.

Share This Page