[Dshield] funny story about warezers....

Andrew.Patrick@kemperinsurance.com Andrew.Patrick at kemperinsurance.com
Fri Oct 19 19:58:46 GMT 2001

I recently had an interesting incident related to all those wacky warezers
at dip.t-dialin.net:

A friend of mine who works as a SysAdmin calls me up in a panic one
Saturday afternoon, saying he is pretty sure his webserver has been hacked.
I go over to his offices, and this poor little IIS server is just chock
full o' warez...  they had hidden them deep down in one of the
Front-Page-created subdirectories under a virtual website.  They must have
had several gigs of files stored there.

I asked my friend what sort of firewall he was using: "none", came his
reply.  I asked him if he had applied the recent set of patches to his IIS
box: "patches, what patches".  Also, an older unpatched version of Allaire
Cold Fusion was active on the same webserver....

Anyway, we didn't have a lot of time to get things working right, so our
quick fix was to install ZoneAlarm on all their webservers that were
attached to the Internet, and then shut off every single port except those
that were essential for valid business purposes.  As I left, I recommended
the guy get a real firewall in place, "like YESTERDAY, dude!"

The funniest thing about the entire incident, tho, was how my friend
figured out there was a problem.  No, it was not his IDS system (he didn't
have one).  No, it was not seeing suspicious entries in the IIS logs (he'd
never looked at them).

He noticed something was up because he happened to come into work on a
Saturday, and noticed that the traffic lights on the hub port the warez
server was hooked up to were like SOLID GREEN.  These crazy warezers from
dip.t-dialin.net were using up a sizable fraction of his T1 with their FTP

The Andinator

