hi
someone has hacked my site
i have 2 servers:
web--> IIS 5 / w2k adv Srv IIS lockdown
sql--> SQL2k / w2k adv Srv

i found the web srv doing "beeps"
soon i found it serves html pages
but doesn't serve asp, with an error like
"Error in the server application"

the sql srv lost the sa password
and doesn't recognize the local admin
then i can't access sql applications

except for that,
the servers appear to work normally

the web srv log is saying
that the iwam_ was attacked
and many "login misses" under DCOMSCM
and then, "login hits"

i am now going to restore
my backup and images
but
what can i do to prevent the next attack?
how can i better protect the site?

thanks
-- 
atte,
Hernán Castelo
SGA - UTN - FRBA