Hey admin, listen up

Ok man. I broke into your site on the 3rd of this month. I emailed you twice. I sent you details of the exploit. And I've never received a reply and your site is still open to attack. Do you care? Obviously not.

So. I got in through your SQL server - it has no password on the 'sa' account which lets me do anything on your system. There are many other holes you're vulnerable to. I have taken the liberty of doing the following:

    - I've shut down your SQL server. Restart it and give the 'sa' user a password, but ONLY IF YOU NEED TO USE IT.

    - I've moved the MSADC files out from "c:\program files\common files\system\msadc" to "c:\temp\msadc"

    - I've removed the sample files from your webroot

    - I've removed the sample scripts from your webroot

    - I've removed the administration sample scripts from your admin directory



This should keep the script kiddies away. Please note that you should take time to secure your box for the future, including setting the proper registry keys to disallow RDS attacks etc.

Also, you should unbind NETBIOS from your internet adapter... sheeeesh, where did you learn computing?

Basically, your machine is a hacker's playground and you should persuade your boss to buy you some training and books on the subject of security. Read the Micro$oft recommended security practices and implement them. Subscribe to Bugtraq. Remember what Bruce Schneier said: "Security is a process, not a product".

If you feel you still don't want to speak to me or secure your server further, suit yourself. Otherwise, my email address is below.

-- Herbless@hushmail.com