Hack IIS6 Contest 545

Posted by CmdrTaco
from the get-your-crackz0r-on dept.
ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site.'"
  • and done. (Score:5, Funny)

    by michaelhood (667393) on Thursday May 05, 2005 @03:07PM (#12444278)
    i win!
    • by Mz6 (741941) * on Thursday May 05, 2005 @03:08PM (#12444293) Journal
      ...done here too. Just changed it back to the original. Where's my Xbox?
      • Re:and done. (Score:3, Insightful)

        Go mess with a commerce site, screw the X-Box. Unless you're a saint, what you REALLY get out of this contest is a, "Give M$ one where the sun don't shine" card and not a free X-box. Anyone interested enough in computers to do this and capable of doing it is not going to enjoy the X-Box as much as the knowledge that they stabbed Microsoft in the toe.
    • by DaedalusLogic (449896) on Friday May 06, 2005 @12:56AM (#12448747)
      And who the hell is going to care... but... a little quick research on the host reveals the following:

      Obviously it's behind a Firewall at a pretty decent looking data center. It looks like a minimum security prison on the outside:

      http://www.consonus.com/ [consonus.com]

      The thing that pisses me off (IF nmap fingerprinted the OS right) is that this IIS6 box is behind a Nokia IPSO.

      http://www.nokia.com/cda1/0,1080,43324,00.html [nokia.com]

      If you look on the right hand side of the page you will notice that Nokia credits the UNIX roots of IPSO.

      So this Windows zealot is hiding his IIS6 box behind a big, bad ass, UNIX gatekeeper. For a contest to prove that Microsoft rules... Shouldn't ISA Server be protecting the brave little web server?

      http://www.microsoft.com/isaserver/default.mspx [microsoft.com]

      It really pisses me off that he advertises the ability to put together an impenetrable IIS6 environment and that a key solution is a UNIX firewall.

      If Microsoft ever makes a statement about this contest in their marketing and it was in fact behind an IPSO they should feel silly, not proud.

  • by CrazyJim1 (809850) on Thursday May 05, 2005 @03:08PM (#12444290) Journal
    If so, I think Taco deserves the Xbox.
  • But after being posted on Slashdot, in about fifteen minutes, we'll have done the next best thing!
  • And who is to say (Score:4, Interesting)

    by Gentoo Fan (643403) on Thursday May 05, 2005 @03:09PM (#12444308) Homepage
    that if someone did hack it, the admins will reset it quickly and block the particular method?
  • Please please PLEASE replace the home page with our favorite ring-bearing orifice stretcher!
  • by drmarcj (807884) on Thursday May 05, 2005 @03:10PM (#12444319)
    You get sued!
  • How long (Score:4, Insightful)

    by ceswiedler (165311) * <chris@swiedler.org> on Thursday May 05, 2005 @03:11PM (#12444322)
    If they leave it up permanently, I'm sure it will be hacked once the next exploit is available. It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently, as new exploits are found.

    If this is a test of IIS's security (for example as opposed to Apache) they should make it an ongoing test, and measure it not by whether it was hacked within a certain short time period, but how many times it is hacked over a long period of time.
    • Re:How long (Score:5, Insightful)

      by PhoenixK7 (244984) on Thursday May 05, 2005 @03:20PM (#12444464)
      Yeah, frankly I don't really see the value in this. If someone doesn't hack it, it means nothing, this isn't a real-world test where the machine is only up for what, a week? This proves zero besides the machine was constantly being patched up and no new exploits were found that weren't patched during that time. What would be impressive would be if they left it up UNTIL someone cracked it. If that machine could stay up for a few months, say, maybe a year before being hacked, that would be much more useful as a statement about the security of the system.

      This is really just a publicity game. It makes MS look good if it makes it through the week, but it doesn't really prove that their software is secure.

      On the other hand, if they DO get hacked, that would look pretty bad. But.. who's to say they haven't totally locked that thing down to the point where it's not really representative of a "normal" server.

      *shrug*
      • Re:How long (Score:3, Insightful)

        by DarkOx (621550)
        That and the site is not exactly the most complex thing in the world. Sure there is some basic ASP and it's far beyond some simple static html page but it isn't exactly a large ECOM site or anything like that. I hope the admins and windowsITpro can configure an IIS box to be pretty solid doing something so basic. Doing something simple like this does not say much about the basic security characteristics of the platform. People do this with other platforms all the time too and then draw wild conclusions lik
        • Re:How long (Score:3, Insightful)

          by Cromac (610264)
          I disagree. The goal is to test if IIS is secure, not if the web application is secure. A large complex ecommerce site is more likely to have a bug in its code that can be exploited than a simple basic site that does some minor database queries. The simple site would, in theory, leave fewer security holes to exploit, leaving only IIS vulnerabilities.
    • Re:How long (Score:2, Insightful)

      by weopenlatest (748393)
      It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently, as new exploits are found.
      Just because exploits aren't found, doesn't mean they're not there. You can't say a system is secure just because it's not vulnerable to known bugs. If a bug is posted tomorrow that makes all IIS servers vulnerable, it doesn't just mean that those servers are vulnerable tomorrow. They're also vulnerable today.
    • Re:How long (Score:5, Insightful)

      by Momoru (837801) on Thursday May 05, 2005 @03:32PM (#12444599) Homepage Journal
      >>It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently

      What makes IIS inherently more difficult to secure than Apache or any other web server? Besides the generic "ITS TEH MICRO$OFT!!!!"
      • Several things (Score:3, Informative)

        by Safety Cap (253500)

        What makes IIS inherently more difficult to secure than Apache or any other web server?

        It comes out of the box with all manner of unnecessary things turned on.

        It uses OS-level functions and system calls ("tightly integrated"), so when you hack IIS, you pwn the box, too.

        Apache requires you to read the documentation and crack the httpd.conf with a text editor in order to change stuff. This ensures that you are at least one evolutionary level above blind, one-armed chimp, which is the only required level to use the mouse and click-click-click on the Internets MMC configurator for IIS. At a minimum, Apache web admins are *slightly* more talented than IIS admins

        • Re:Several things (Score:4, Insightful)

          by Sylver Dragon (445237) on Thursday May 05, 2005 @05:22PM (#12445828) Journal
          Apache requires you to read the documentation and crack the httpd.conf with a text editor in order to change stuff. This ensures that you are at least one evolutionary level above blind, one-armed chimp, which is the only required level to use the mouse and click-click-click on the Internets MMC configurator for IIS. At a minimum, Apache web admins are *slightly* more talented than IIS admins

          Um, bullshit.
          I've been trying to teach myself more about Linux and Apache. And, honestly, I haven't a clue about half the stuff in the httpd.conf file. I'm getting there, but that still hasn't stopped me from getting a web server functioning, nor has it stopped me from getting apache-ssl up and running, with squirrel mail. Is my server anywhere near secure? I highly doubt it. Truth is, the Win2K server with IIS5 I had running beforehand was probably more secure, simply because I had a clue about what I was doing in those clicky "Internets MMC configurator for IIS".
          As the old axiom goes, "it's a poor carpenter who blames his tools". Yes, the Linux/Apache setup is more secure by default, but when it's set up by someone with little to no clue what they are doing, it's very likely to end up insecure. Once I am a little more knowledgeable about running and securing Linux/Apache, I'll probably reformat the box, start over, and do a better job of it. Until then, I just assume the box is going to be hacked. And, no, I don't think I am above the evolutionary level of blind one-armed chimp when it comes to running Apache. Honestly, coming in blind, the online manuals sucked.

          • Re:Several things (Score:3, Informative)

            by rainman_bc (735332)
            lol I did that! I set up a reverse proxy for fun, and I left the proxy open to the whole www...

            I saw strange requests in my logs all of a sudden to doubleclick. People were making money off my open proxy... haha woops!
  • by dtfinch (661405) * on Thursday May 05, 2005 @03:11PM (#12444324) Journal
    Contest open to anyone at least 18 years old as of date of entry.

    There goes 3/4 of the most qualified contestants.
  • Cause if it does, we all just won XBoxes!
  • by grazzy (56382) <grazzy@@@quake...swe...net> on Thursday May 05, 2005 @03:11PM (#12444326) Homepage Journal
    I sure as hell wouldn't give that knowledge away for an Xbox...
  • by NavySpy (39494) on Thursday May 05, 2005 @03:12PM (#12444344) Homepage
    I wonder when the "Hack Apache" contest will be held.
  • Description of how hack was accomplished

    That's giving away trade secrets that are worth far more than a lousy Xbox....
  • pfff... (Score:2, Funny)

    by nubbie (454788)
    rather see them hack http://microsoft.com [microsoft.com].
  • by NecroPuppy (222648) on Thursday May 05, 2005 @03:13PM (#12444361) Homepage
    Is that the winners get X-Boxes....
  • LOL! (Score:4, Funny)

    by vectorian798 (792613) on Thursday May 05, 2005 @03:14PM (#12444363)
    I like how under the list of 'What Is Not Allowed' it lists:
    5. Physical Attacks

    Because, you know, us axe-murderer geek slashdotters were going to charge into the building where the server is and hack away using our cleaver 2d6.
  • 18+ (Score:2, Insightful)

    by Anonymous Coward
    Rules say you have to be 18 or older. That pretty much guarantees they won't be hacked. :)
  • by bigtallmofo (695287) on Thursday May 05, 2005 @03:15PM (#12444384)
    "Come to our site, give us free publicity, do something that likely you are the only one in the world that knows how to do and then teach us how to do it. If you do, there's a console game in it for you! Wouldn't you rather have a console game than the tens of thousands of dollars you could sell this information for?"

  • Just a guess that a brand-new IIS exploit is probably worth more than a $150 game system.
  • I tried... (Score:5, Funny)

    by zulux (112259) on Thursday May 05, 2005 @03:16PM (#12444396) Homepage Journal
    I tried to hack into it and this stupid paperclip keeps getting in the way... "It looks like you're trying to hack a Website..."

  • Lab rats (Score:3, Insightful)

    by clump (60191) on Thursday May 05, 2005 @03:17PM (#12444413)
    Let Microsoft do their own research. We don't need to spend our time testing for them. Focus instead on making Apache better.
  • Web server security is already at acceptable levels for both Apache and IIS, so long as new patches are applied when they become available.

    The problem with insecure web sites is that the apps themselves are the biggest security threats. It's been three years since I've heard of anybody I know actually becoming a victim of a web server security hole, but in the last year I can think of seven separate occasions where a web app has allowed somebody to deface and/or take control of a web site.

    In the end it do
  • these sorts of ideas are fine and all when they offer high rewards.. but an xBox??

    To an honest and moral person, perhaps it is worth an xBox.. to almost anyone else, that is way too valuable of a skill to lose over an xBox (this presumes they'll close the hole/exploit you use).

    Even if you are honest, an xBox is hardly worth the time/effort you'll spend doing this.

  • by drsmack1 (698392) *
    If a zombied computer wins; who gets the xBox? The person that owns the computer? The zombie "author"?

    This needs to be resolved!
    • I don't know of any zombie computers that can hack into things without someone controlling it... in which case just use your own computer. Maybe you're confusing hacking with DDOSing, which is a totally different thing?

      -Jesse
  • Finally an application for the Slashdot effect: a slashdotted server can't serve an unauthorized, confidential document!
  • PS2 (Score:5, Funny)

    by Sebby (238625) on Thursday May 05, 2005 @03:19PM (#12444450)

    make it a PS2 instead and then it will be worth my time!

  • Maybe I could go to Colorado and buy Chad Phelps a few beers to let me win .... Registrant: Penton IT Media Group 221 E. 29th Street Loveland, CO 80538 US Domain name: HACKIIS6.COM Technical Contact: Phelps, Chad 221 E. 29th Street Loveland, CO 80538 US +01.9702032960 Fax: =01.9706672321
  • I submitted this on APRIL 13TH. I wonder what it takes to get a story accepted.... 'neway.... just feelin' grumpy.
  • Must not have much faith in IIS...
  • by jeblucas (560748) <jeblucasNO@SPAMgmail.com> on Thursday May 05, 2005 @03:22PM (#12444481) Homepage Journal
    IANAL, but isn't this sort of thing illegal? I was trying to compare it to a homeowner saying, "Come and take my TV if you think you can--I'll give you a cherry popsicle." But chances are, you have a pretty good idea if the homeowner actually owns that home or not--he's probably living there. He's got a deed, etc. I don't see how I can determine that Roger Grimes actually owns the server running HackIIS Contest or not. Even if he does, does that make it OK for me to break in and alter his database? After all,
    A successful hack includes:
    1. Successful web site defacement (subject to the limitations as indicated below)
    2. Modification of web server or database computers
    3. Proven knowledge of content located in "hidden" Microsoft Word document.
    4. Proven knowledge of other content found on the web server or database computer.

    I think they really need to have a lawyer write the release for someone to enter this contest. It just doesn't seem right. Or am I a victim of propaganda?

  • The site is down so here is the original e-mail he sent out.

    Welcome to the HackIIS6.com Contest!

    Starting May 2nd and going until June 8th, the server located at
    http://www.hackiis6.com/ [hackiis6.com] will welcome hackers to attack it. If you can
    deface the web site or capture the "hidden" document, you win an X-box!
    Read contest rules for what does and doesn't constitute a successful
    hack. We've tried to be as realistic as possible in what constitutes a
    successful hack, and in mimicking a basic HTML and ASP.NET web site.

    F
  • A whole contest whose purpose seems to be to publicize the security of IIS6, with a $150 prize behind it. From MS, no less.

    Before the site went down, I noticed that it said "We've tried to be as realistic as possible in what constitutes a successful hack and in mimicking a basic HTML and ASP.NET web site." Anyone can secure a box running next to no services.
  • "The Fallacy of Cracking Contests" by Bruce Schneier: The Fallacy of Cracking Contests [schneier.com]

    In short, if it's broken, that's valuable. If it isn't broken in the time allotted, on the other hand, that doesn't mean it's secure.

  • by MTO_B. (814477) on Thursday May 05, 2005 @03:33PM (#12444603) Homepage
    Haha! I already defaced it last night.

    I put up on their page a fake hack contest...
    I never really thought it would last so long and even less being on slashdot. :-)

    lol
  • by why-is-it (318134) on Thursday May 05, 2005 @03:37PM (#12444641) Homepage Journal

    From TFA:

    Coming in our July issue, we'll publish an article "How to Set Up a Hackproof IIS" featuring Roger Grimes' recap of the contest, and sharing the secrets of how he created an impenetrable IIS environment.

    Sounds like the results have already been decided.

    Of course the easiest way to make any system "impenetrable" is to power it off...

  • by Safety Cap (253500) on Thursday May 05, 2005 @03:53PM (#12444813) Homepage Journal

    Someone should've hit the progenitors of this little "contest" upside the head with the Garfinkle book [oreilly.com] before they decided to go ahead with it.

    If said book had impacted the morans' cranium, they would've realized that such contests are useless for determining a system's hardness. Or they'd be dead. End results are about the same. So, let us review the possible results:

    1. The box is hacked. Oh man, it is pwned! Guess the system wasn't so strong after all.
    2. (more likely) The system isn't hacked.

    Does the latter scenario PROVE that the system is hacker-proof? Is it? Nope, sorry, it isn't.

    To prove that a system is unhackable, I have to demonstrate that in every case the security will not fail. If you have a random testing plan (i.e., a "contest"), then you'll never be sure you touched all the scenarios or even the most likely ones.

    To prove that a system is hackable, I just have to find one situation where it can be hacked. Finito; sayonara; have a nice day.

    The latter is relatively easy to do. The former is very hard (and sometimes impossible) to accomplish. It is much easier to hold a "contest," declare yourself the winner ("UNBREAKABLE, BABY! w00t!") and then go sell a bunch of units to the PHBs [dilbert.com].

    • RTFA [hackiis6.com]:

      Why a Hacking Contest?

      To have fun! We know there will be critics who say sponsoring a hacking contest proves nothing. If the IIS server remains unbroken, it still doesn't mean that IIS is really "secure." True, and if I weren't the contest's team leader, I'd probably be the first one to say so. Hacking contests rarely prove something is secure, although it only takes a single successful hack to prove something is not secure.

      So why do it? There are very few places on the Internet where hackers, go
