Discussion in 'Windows Desktop Systems' started by NetRyder, May 7, 2005.
Haha, let's see how this goes. :up:
It's down for me; would that mean someone is already going to win?
No, it just means you have a terrible connection. Sorry.
lol saudi... looks interesting. Too bad I don't know the slightest thing about hacking; maybe mafia or someone can hook me up with some info on doing so.
Haha, not me. I stopped even trying to look down that path, two reasons: I suck, and there's always someone better than you. And I think that trojans/backdoor programs are pathetic; used it once, thought it was cool, got over it!
Hopefully all the mofos who have been bashing IIS all over the internet will come and show up and prove their rhetoric without due credence. I also hope that the people who are setting this up are genuinely curious and doing this objectively (hardening the box with reasonable security measures), instead of just conceding IIS is not secure.
Exactly my thoughts.
Interesting, the site was running Win2k and IIS 5.0 until a couple days ago, and now on 2k3 and IIS 6.0. Maybe they are afraid that IIS 5 and Win2k are insecure? BTW, this is run by Microsoft, do you really think they are going to admit it when their server gets compromised? I'll throw a Code Red/Nimda at it.
I portscanned the server, they only have port 80 open. Now if they were running the remote web administration I think I'd at least try it, since there are some XSS vulnerabilities in IIS 6.0 that have gone unpatched for almost two years.
The contest is actually being organized by Windows IT Pro, a magazine that isn't affiliated with Microsoft.
Less talk, more action.
/love the idea, but win an Xbox?
They are going to get millions of dollars' worth of R&D... anyone that will be able to crack this site I don't think wants an Xbox... though they'll do it for the fame.
This is irrelevant to the goal of the project.
Like Netryder has already said, the organizers are not affiliated with Microsoft. Just as there are *nix magazines, there are Windows magazines.
I'm almost inclined to assume that that is conceding defeat. Must people wait for someone else to publish an exploit before going forward?
Well they restrict Microsoft employees from participating, so I would assume that they are affiliated. I am not a hacker/cracker whatever, all I was saying is that if they had allowed the remote web administration open, there are some easy break-ins, or is fundamental English not required with the Microsoft fanboy newsletter?
Would this be true for any operating system?
There is a difference between being a fanboy and giving credence to the operating systems without prior anti-MS fanboy membership. It almost seems like you are saying that ... yes Windows Server is an easy target, but only if they had this or this running ... but not when capable admins reasonably secure it.
If the o/s is really insecure, then the server will be hacked. Unless someone steps up to put their money where their mouth is, any argument is pretty pointless.
I'm thinking the server would get hacked even if it has greater security than other OSes... everything is relative to the effort invested.
The real test is to put all OSes up to the same competition, and then the OS to get hacked with the fewest resources, and fewest hours invested in the effort, is the loser.
Even that wouldn't be fair because more people would have already invested more time hacking Microsoft products and MS would start any competition like that a leg down.
Still this would be accurate, since practically it would still be less secure regardless of the reason that might be so.
The problem with this type of competition is not that everyone has put more time into hacking MS products. The problem would be finding equal admins for each OS and being able to set up each with the same exact specs.
Also in the "real world" it often matters what else is running on the server in addition to a web server. Also how the web server is configured (i.e. does it run php, asp, cgi, etc.).
There is Webmin for *nix servers, which is relatively secure, as in you can't really have a server be remotely administrated without any vulnerabilities. The problem with the remote web administration for IIS is that you can use session spoofing to gain administrative rights because of an exploit left in by Microsoft on purpose, in order to allow an administrator to reboot the machine remotely but still continue the remote administrative session without logging back in. It should also be noted that this server is not running anything, just IIS, not ASP, no database, email, ftp or anything, just IIS; also it is running behind a pretty powerful UNIX firewall ironically enough, as pointed out on /.
As noted in many other discussions on this, the prize of an XBOX is basically nil, considering a true exploit found in a "secured" IIS server would be worth a hell of a lot more than a $150 XBOX.
The prize should be a position in some security firm, with a generous salary guaranteed for a year and a bonus like half that salary.
That's when you'd find the real hackers/crackers come out of the woodwork.
I think a lot of the ones that actually have skill (i.e. not script kiddies) do it for the thrill/fun of it, not for $/reward.