KillUSA attacks

Hi All,

I have a question for all you bright people. We were hacked over the weekend by one of those chinese honker wankers. We're a freaking Australian site nothing to do with the USA or China and the mongrols still had a shot at us. I think its because our address is just ".com" and hence the bright honkers assumed it was US. Anyways I found how they hacked in and closed the door but they've done something to our IIS (5) service. As soon as you start the website it replaces all the index and default pages with their propaganda. I can't find any sign of where this process is running from, I suspect it must be part of a system dll.

Anyone have any ideas on how to find this freaking code??

 

Log in or Sign up to hide all adverts.

Hackers

One of the problems with hackers and code is finding all that was done. I know this is going to sound stupid but do you have a backup? Can you go in and find what files were altered on the given date? Isolating the altered files will go a long way towards identifying what might have been accessed and altered. You may have no choice but to reload the system if you can not identify the altered files. I recommend that you get a firewall. I know that it is to late to change what has already been altered but if they have your address there is nothing to prevent those hackers from coming back after you spend an immense time straightening out the damage done. With a backup it is merely a matter of reloading from the last time you backed up, returning the system back to a point when you had no troubles. I am not a programmer so what I’m telling you may useless info. Good luck on the hunting of your bugs. Lastly you do not mention what kind of operating system you are using. I'll assume Windows as you mention .dll files. There is the possibility that you might be able to get one of the Norton Utilities or visit the Microsoft site for some help.

 

Log in or Sign up to hide all adverts.

Thanks wet1

I was afraid I'd have to re-build the server...they didn't get far only to our front-end, we do have a firewall and intrusion detectors etc etc etc its secure, well as secure as microsoft will let you be. Without going into specifics they actually got in on port 80 (HTTP)...so a firewall wouldn't have stopped it. I've closed that hole now as I said but no matter what I do I can't find what they've done. I replace the index.html and default.html files start the service and they get overwritten by freakin chinese propaganda.


Anyways looks like a mighty long night for me.


Thanks for the reply though.

 

Log in or Sign up to hide all adverts.

What's the URL for your site?

 

i am interested.. how did they get in?? what all did they do, but mostly, how did they get in???

and as bowser asked, what is the URL??

-dexter

 

Microsoft hole

They actually got in on port 80, possibly 443 (HTTP, and HTTPS)....now ordinarly these ports should be safe to have open for web servers.....unless ofcourse you are running 2000 server and IIS5. In IIS5 you can send a http print request via the IPP protocol. The print request is handled in the local security context hence what you do is send a request and then make the IPP stack overflow with a trojan. Activate the trojan (no problem because its handled in local security context) and your in...with FULL LOCAL SECURITY ACCESS. You then run an NT password ripper and voila you've got a slave to utilise for DDOS attacks.

Luckily they only vandalised our site with chinses propaganda.

Microsoft has released a patch for this and we have since implmented it. However these attacks happened in april (we got hit early may) but the patch was not available until the 1st of may.

 

IIS "has more holes that swiss cheese"...to quote almost ever IT proffesional ever to have lived.

there are free web servers that you could use..

http://www.apache.org/

http://www.nusphere.com/

both offer free web server software.....with less holes.

I willl ask around and see if anyonr eknows what they might have done. And i'lll get back to you.

 

taken from cnn.com

The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh also warned of the vulnerability later Thursday.

A vulnerability exists in the HTTP server component of the IOS software. By requesting a particular URL from the server, a malicious user can bypass the authentication controls and execute commands on the device at the highest privilege level, Level 15, Cisco said.

Only devices with the HTTP server software enabled and with user names and passwords stored on the device -- the local authentication database -- are vulnerable, the company said. The issue affects all releases of Cisco IOS software starting with Release 11.3.

Once a hacker has gained access he could redirect data traffic, allowing him to intercept or modify the data. Additionally he could change or delete the device configuration, effectively disabling the router or switch until an engineer reprograms it, said Cisco Security and Network Management Systems Engineer Tames van der Does.

The HTTP server in IOS is used for remote management of the router or switch. However, a configuration with the HTTP server enabled and the local database for authentication used is a rarity, according to Van der Does.

"Most engineers use Telnet to access their network hardware and have a central Terminal Access Controller Access Control System or Radius server to authenticate users for all their networking hardware," he said, adding that the HTTP server is switched off by default on Cisco hardware.

Routers and switches direct network traffic and are used to interconnect computer networks. Cisco's hardware is used around the world by small and large businesses as well as home users.

Cisco has made software fixes available to plug the hole.