Urgent help: Possible security breach
04-13-07 06:20 PM
When I arrived this morning to my office I noticed that the intranet's
home page was modified: Some images were erased, others changed, etc.
The strange thing is that the modification time is 20:15 and no IT users
work at these hours (work time is 9:00 to 17:00).
I'm now thinking of some security breach. I need you to help me find
which user modified the file, from which host or IP, and -of course- if
my servers have some backdoors opened.
This is my platform:
- 2 Windows 2003 domain controllers, and 3 secondary windows 2003 servers.
- All service packs and security updates applied.
- IIS 6 has Frontpage extensions
- All servers have Symantec Corporate Antivirus (virus definitions updated).
- Internet access is controlled with ISA Server 2004
- Access to servers is physically restricted to only 2 persons, so
there's no way for someone to login locally.
- Most server operations are done via Remote Desktop.
I already checked:
- Shares: there are no shares in the INETPUB directory, and all other
shares are only restricted to administrators.
- Event Viewer: I couldn't find any entry related to the default.htm
file (home page)
Thanks in advance for your help and suggestions!
Gaspar
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
a) Is it possible someone guessed a password for one of your user accounts?
b) Is it possible that an application you have running on the IIS6 servers
has a bug that allows the application to be subverted (e.g. via SQL
Injection or similar) that in turn allows the content to be altered?
Cheers
Ken
"Gaspar" <gaspar@no-reply.com> wrote in message
news:ewt7vScfHHA.2640@TK2MSFTNGP06.phx.gbl...
> When I arrived this morning to my office I noticed that the intranet's
> home page was modified: Some images were erased, others changed, etc.
> The strange thing is that the modification time is 20:15 and no IT users
> work at these hours (work time is 9:00 to 17:00).
>
> I'm now thinking of some security breach. I need you to help me find which
> user modified the file, from which host or IP, and -of course- if my
> servers have some backdoors opened.
>
> This is my platform:
> - 2 Windows 2003 domain controllers, and 3 secondary windows 2003 servers.
> - All service packs and security updates applied.
> - IIS 6 has Frontpage extensions
> - All servers have Symantec Corporate Antivirus (virus definitions
> updated).
> - Internet access is controlled with ISA Server 2004
> - Access to servers is physically restricted to only 2 persons, so there's
> no way for someone to login locally.
> - Most server operations are done via Remote Desktop.
>
>
> I already checked:
> - Shares: there are no shares in the INETPUB directory, and all other
> shares are only restricted to administrators.
> - Event Viewer: I couldn't find any entry related to the default.htm file
> (home page)
>
> Thanks in advance for your help and suggestions!
> Gaspar
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
a) Maybe... I'll reset admin passwords
b) No SQL data was modified, only the .htm itself
Thanks for your help
Ken Schaefer wrote:
> a) Is it possible someone guessed a password for one of your user accounts?
>
> b) Is it possible that an application you have running on the IIS6
> servers has a bug that allows the application to be subverted (e.g. via
> SQL Injection or similar) that in turn allows the content to be altered?
>
> Cheers
> Ken
>
> "Gaspar" <gaspar@no-reply.com> wrote in message
> news:ewt7vScfHHA.2640@TK2MSFTNGP06.phx.gbl...
>
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
How do you actually get page updates to the site? FTP?
Just because the files were changed doesn't mean the "www" service was
hacked,..it generally doesn't do uploads anyway. If you do it with FTP, check
the FTP Service Logs,...they will show the connection, the login, the download,
the upload, everything.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------
"Gaspar" <gaspar@no-reply.com> wrote in message
news:%23eKKaucfHHA.4916@TK2MSFTNGP06.phx.gbl...
> a) Maybe... I'll reset admin passwords
> b) No SQL data was modified, only the .htm itself
>
> Thanks for your help
>
> Ken Schaefer wrote:
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
- Files are updated via Frontpage Extensions. Only administrators update
files in selected computers in the local network (no modification
allowed outside the company).
- FTP is not installed.
Phillip Windell wrote:
> How do you actually get page updates to the site? FTP?
> Just because the files were changed doesn't mean the "www" service was
> hacked,..it generally doesn't do uploads anyway. If you do it with FTP, check
> the FTP Service Logs,...they will show the connection, the login, the download,
> the upload, everything.
>
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
"Gaspar" <gaspar@no-reply.com> wrote in message
news:%23BFRcLdfHHA.1220@TK2MSFTNGP03.phx.gbl...
>- Files are updated via Frontpage Extensions. Only administrators update
>files in selected computers in the local network (no modification allowed
>outside the company).
That is a mistaken idea. If FPSE are installed then edit
can be done from anywhere that can browse to the site.
What accounts have FPSE based edit rights?
Have you examined logs of the IIS server machine and
of the domain controllers for login events at times that
might relate?
> - FTP is not installed.
>
>
> Phillip Windell wrote:
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
"Gaspar" <gaspar@no-reply.com> wrote in message
news:et7Y9odfHHA.1816@TK2MSFTNGP06.phx.gbl...
>
> I checked for files modified in the same time (approx.) but only that was
> modified. No other data was compromised.
>
Your IIS server logs might have been configured to record the
user account info as they tested the pages changed.
If the accounts that could change were domain accounts, do not
limit yourself to looking at only the IIS server. And be sure to
check everywhere for filetimes, not just the inetpub area.
It would be good to look at the NTFS permissions on the content,
not just trusting what the FPSE admin interface claims as those
with edit capable roles.
> I always try to stay ahead with security practices but this is the first
> time that something like this happens in our company (the union is on
> strike, so.... well, maybe I'm paranoid).
>
So were the changes such as one might expect if related to
company issues, or are they more what one would expect
for general defacement?
I am still not clear if this IIS serves only intranet accesses.
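Roger's advice to pull the IIS logs (and Phillip's earlier point that service logs record the connection, the login and the upload) can be put into practice with a small log-triage script. This is an added example, not code from the thread or from any poster: it parses an IIS 6 W3C log (the log lines below are constructed sample data), keeps only POSTs to the FrontPage Server Extensions authoring endpoint /_vti_bin/_vti_aut/author.dll within a window around the file's last-write time, and reports the client IP and logged account. It assumes the cs-username field was enabled in the site's logging properties; note that IIS writes W3C logs in UTC, so the 20:15 local modification time has to be converted to UTC before it is compared.

```python
from datetime import datetime, timedelta

# Constructed sample IIS 6 W3C log (not a real capture). cs-username is '-'
# for anonymous requests; it is only populated when the site logs that field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-04-12 17:02:11 10.0.0.45 - 10.0.0.10 GET /default.htm - 200
2007-04-12 20:14:03 10.0.0.77 CORP\\jdoe 10.0.0.10 POST /_vti_bin/_vti_aut/author.dll - 200
2007-04-12 20:14:58 10.0.0.77 CORP\\jdoe 10.0.0.10 POST /_vti_bin/_vti_aut/author.dll - 200
2007-04-12 20:30:10 10.0.0.45 - 10.0.0.10 GET /default.htm - 200
"""

# FrontPage Server Extensions authoring endpoint: every FPSE edit, upload or
# delete is a POST to this path, so it is the request to look for.
FPSE_AUTHOR = "/_vti_bin/_vti_aut/author.dll"

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def authoring_requests(text, modified_at, window_minutes=30):
    """Return [(timestamp, c-ip, cs-username)] for FPSE authoring POSTs within
    +/- window_minutes of modified_at (a 'YYYY-MM-DD HH:MM:SS' string that must
    already be in UTC, because W3C logs are written in UTC)."""
    centre = datetime.strptime(modified_at, "%Y-%m-%d %H:%M:%S")
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    hits = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if (lo <= ts <= hi and rec["cs-method"] == "POST"
                and rec["cs-uri-stem"].lower() == FPSE_AUTHOR):
            hits.append((ts, rec["c-ip"], rec["cs-username"]))
    return hits

def suspect_sources(text, modified_at, window_minutes=30):
    """Distinct (client IP, account) pairs behind the authoring requests; an
    account of '-' means the write was anonymous and only the IP is known."""
    return sorted({(ip, user) for _, ip, user in authoring_requests(text, modified_at, window_minutes)})

if __name__ == "__main__":
    for ts, ip, user in authoring_requests(SAMPLE_LOG, "2007-04-12 20:15:00"):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {ip:<12}  {user}")
```

The client IP and account found this way are the starting point for the domain-controller logon-event search Roger suggests; a '-' in cs-username means the site was not logging the account and only the IP can be followed up.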
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
IIS serves only to the intranet.
There are no public (Internet) web servers available. Also, ISA Server
does not have rules for web publishing.
Thanks for your time.
Roger Abell [MVP] wrote:
> "Gaspar" <gaspar@no-reply.com> wrote in message
> news:%23B4lOmdfHHA.5052@TK2MSFTNGP06.phx.gbl...
>
> Or from anywhere in the world if the IIS responds to internet
> based browsing.
>
>
> Be careful as it is easy to generate too much when auditing
> filesystem accesses, generating considerable overhead and
> making the security log difficult to use to notice things that
> are more important.
>
>
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
I noticed something strange in the INETPUB/WWWRoot: the security tab
lists an "account unknown" with Read/Write permissions.
Any idea?
Roger Abell [MVP] wrote:
> "Gaspar" <gaspar@no-reply.com> wrote in message
> news:et7Y9odfHHA.1816@TK2MSFTNGP06.phx.gbl...
>
> Your IIS server logs might have been configured to record the
> user account info as they tested the pages changed.
> If the accounts that could change were domain accounts, do not
> limit yourself to looking at only the IIS server. And be sure to
> check everywhere for filetimes, not just the inetpub area.
> It would be good to look at the NTFS permissions on the content,
> not just trusting what the FPSE admin interface claims as those
> with edit capable roles.
>
>
> So were the changes such as one might expect if related to
> company issues, or are they more what one would expect
> for general defacement?
>
> I am still not clear if this IIS serves only intranet accesses.
>
>
Re: Urgent help: Possible security breach
04-13-07 06:20 PM
"Gaspar" <gaspar@no-reply.com> wrote in message
news:erP8t0efHHA.1252@TK2MSFTNGP04.phx.gbl...
>I noticed something strange in the INETPUB/WWWRoot: the security tab lists an
>"account unknown" with Read/Write permissions.
>
> Any idea?
Depends.
If that machine currently is able to talk with all authenticating domains'
controllers, then that is a SID that cannot be translated because the
account no longer exists. However, if DCs cannot be contacted or
other issues exist, such as the Netbios Tcp/Ip Helper service being
off, then it is just a failure in obtaining a friendly name for the SID (and
would impact display of any principal from that authority).
>
> Roger Abell [MVP] wrote: