We run an old Windows NT Machine, fully patched running IIS4.0.
Today we were hit by "linuXploit_crew", and they took down our websites for a minute or two. (luckily we were quick to notice a change on the websites and fix it within minutes of the attack).
However -- After fixing the website, I'm left with trying to figure out HOW this happened.
Looking in our FTP Logs, there's no changes in our default.asp files, and I see nothing out of the ordinary for Web Logs. Any ideas on how to pinpoint how they got in? We've only got 3 ports open, FTP, HTTP, and HTTPS (21,80,443) on a Cisco Firewall.
NT/IIS4 no longer get security updates. Any new exploits will remain unpatched. Time to upgrade.
Once you've been "owned" enough to change your site, you can't necessarily trust your logs anymore- they could have been "cleaned" by the attacker.