Dear MyCERT,

On 10th of Mar 2005, we noticed our website was defaced and the main page was replaced with another page which belongs to the hacker, which has some funny picture and messages. A snapshot of the defaced page is attached for your analysis.

FYI, our server is running on Windows 2000/IIS 5.0, running web services only. Our server's IP address is 10.57.xx.xx and this is the first time we came across such an incident. We had also checked our server and found anomalous activities in our IIS logs and found some files that do not belong to us.

We would appreciate it if you could advise us on detection, containment, recovery and prevention.

Attached is the IIS log for 10th March 2005, the date our website was defaced.

Thanks

--------IIS LOG FILE-------
10th March 2005
03/10/2005 12:10:09 195.xxx.xxx.xxx - 10.21.31.105 80 POST /_vti_bin/shtml.dll - 200 MSFrontPage/5.0
03/10/2005 12:10:10 195.xxx.xxx.xxx - 10.21.31.105 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
03/10/2005 12:10:18 195.xxx.xxx.xxx - 10.21.31.105 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
03/10/2005 12:10:40 195.xxx.xxx.xxx - 10.21.31.105 80 POST /_vti_bin/shtml.dll - 200 MSFrontPage/5.0
03/10/2005 12:10:45 195.xxx.xxx.xxx - 10.21.31.105 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
03/10/2005 12:11:02 195.xxx.xxx.xxx - 10.21.31.105 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
03/10/2005 12:14:35 195.xxx.xxx.xxx - 10.21.31.105 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
-------------------------
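
A defender-side triage of a log in this layout, as an added example that is not part of the e-mail or of any MyCERT reply: it groups POST requests under /_vti_bin/ that were answered with status 200 by client address, so write activity from an unexpected host stands out. The sample lines, their addresses and the `allowed_clients` parameter are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in the layout of the log quoted above:
# date time client-ip user server-ip port method uri query status agent.
# Addresses are documentation-range placeholders, not values from the e-mail.
SAMPLE_LOG = """\
03/10/2005 12:09:58 192.0.2.10 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0
03/10/2005 12:10:09 198.51.100.7 - 10.0.0.5 80 POST /_vti_bin/shtml.dll - 200 MSFrontPage/5.0
03/10/2005 12:10:10 198.51.100.7 - 10.0.0.5 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
03/10/2005 12:14:35 198.51.100.7 - 10.0.0.5 80 POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
03/10/2005 12:20:00 192.0.2.44 - 10.0.0.5 80 POST /_vti_bin/_vti_aut/author.dll - 401 MSFrontPage/5.0
"""

def parse(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split(None, 10)
    if len(parts) != 11:
        return None
    date, time, cip, _user, _sip, _port, method, uri, _query, status, agent = parts
    try:
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        code = int(status)
    except ValueError:
        return None
    return {"ts": ts, "cip": cip, "method": method, "uri": uri, "status": code, "agent": agent}

def frontpage_posts(log_text, allowed_clients=()):
    """Summarise status-200 POSTs under /_vti_bin/ per client IP.

    allowed_clients: hosts expected to publish to the site (an assumption;
    the site owner supplies this list). Redacted IPs are compared as strings.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["uri"].lower().startswith("/_vti_bin/"):
            continue
        if rec["status"] != 200 or rec["cip"] in allowed_clients:
            continue
        h = hits.setdefault(rec["cip"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "uris": set()})
        h["count"] += 1
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
        h["uris"].add(rec["uri"])
    return hits

if __name__ == "__main__":
    for ip, h in frontpage_posts(SAMPLE_LOG).items():
        print(ip, h["count"], h["first"], h["last"], sorted(h["uris"]))
```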