Journal intermodal's Journal: anniversary and security 6

OK, so two things of note this weekend, the first of which was my first anniversary on Sunday the 6th.

Secondly, I have been asked by a church (no, I know better than to post the URL on Slashdot) to try to break into their web server to try to find out what the pastor's son did to leave a note saying he broke in. I suspect he did it from inside the building, but my request was to see what I could do about busting in from outside. So far, all I've gathered (not including inside knowledge I already had) is that nmap is useless against it, there is a firewall in place, there is IIS 5.0 running on something NT based, and I have the IP address. I highly suspect either his dad left a password around, or that he physically accessed the server or other box behind the firewall. Any of you security experts out there have suggestions? I think they may be behind a hardware firewall, as I had to hit port 80 on telnet with a bad request to find out the IIS part.

This discussion has been archived. No new comments can be posted.

  • While no security expert: try downloading some rootkits for IIS and at least see if it's vulnerable.

    However it is most likely an inside job. You know, easily guessable passwords (a simple dictionary attack is often enough) or the famous 'post-it under keyboard'.
    I just suggest to change the password to something more sensible like "H4cK7Hi5K1dd0" and dare the kid to do it over again. Of course, don't write it down, after all that one is easy to remember.

    Happy anniversary by the way.

  • I just happen to have a kit - thanks to someone else owning my box... (whimper)
  • Comment removed based on user account deletion
  • I am not sure, but it sounds like the org has their own server in the building and some sort of broadband going to it. Do they seem to be using a firmware NAT box (Linksys, Netgear)? If that is the case, ask for the model name & number, look up the manual online, and see if there is info about the "allow outside management" and see if this could allow adding an outside computer to the trusted sites list which could mean that the kid added his home IP to the list and then mounted a default share on the
  • Firstly, congrats on the anniversary!

    Secondly, when physical access is a factor, I would strongly discount network intrusion unless the kid is computer inclined to begin with and probably a script kiddie. Even a kiddie probably wouldn't attack a site where he is closely associated with the people who run it, thus making it easier for real consequences to catch up with him. The kid was probably bored in Sunday school and snuck out and stumbled across the web server.

    I would check the date on the index.h
