Network Security Technology

Designing Great Security
since 1984

 


Case Study

Test Leftovers

In this last case study, the client left his web server configured to display directory listings. The attacker obtained a listing of the CGI directory structure and started looking for easy targets. The most attractive target was the "private" directory, which contained many tools that were run from the web interface. At this point the attacker used a file to download the company's commissions database.

Solution -- Turning off directory listings is a big first step toward preventing this, but sometimes the robots.txt file is just as bad. Many websites have a robots.txt file that tells search engines which directories not to index. Sometimes these directories have names like "Test" or "private". There is no better place to go looking if you're attacking. The second solution was to put access-control restrictions on the internal tools directories. Upon further investigation, we found that many of the programmers had left test files lying about in the CGI directory that would give away the farm. As for recovering the data that was stolen -- well, the machine the attacker came from was compromised as well, so we never found out who it was.
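A local audit for the three problems in this case study (directories that would be listed, robots.txt entries that advertise sensitive paths, and test files left in the CGI tree), added here as an example and not part of the original case study. The name hints, index file names and sample tree are assumptions made for the illustration.

```python
import os, re, tempfile

# Assumed heuristics: name fragments worth a second look, and files that suppress a listing.
HINTS = re.compile(r"(test|private|backup|tmp)", re.I)
INDEX_FILES = {"index.html", "index.htm", "index.cgi", "index.php"}

def audit_webroot(root):
    """Return sorted (kind, path) findings for a local copy of the document root."""
    findings = set()
    robots = os.path.join(root, "robots.txt")
    if os.path.isfile(robots):
        with open(robots, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                field, _, value = line.split("#", 1)[0].partition(":")
                if field.strip().lower() == "disallow" and HINTS.search(value):
                    findings.add(("robots-reveals", value.strip()))
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "/" if rel == "." else "/" + rel
        if not INDEX_FILES & {f.lower() for f in filenames}:
            findings.add(("listable-if-autoindex", rel))  # exposed when listings are on
        if "cgi" in rel.lower():
            for f in filenames:
                if HINTS.search(f):
                    findings.add(("leftover-in-cgi", rel.rstrip("/") + "/" + f))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; every name here is made up for the example."""
    files = {
        "index.html": "<html></html>",
        "robots.txt": "User-agent: *\nDisallow: /cgi-bin/private/\nDisallow: /images/\n",
        "cgi-bin/index.cgi": "#!/bin/sh\n",
        "cgi-bin/test_env.cgi": "#!/bin/sh\n",
        "cgi-bin/private/report.cgi": "#!/bin/sh\n",
        "images/index.html": "",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path in audit_webroot(tmp):
            print(f"{kind:24} {path}")
```

Each finding is a prompt for review: remove or relocate the leftover file, put access control on the directory, and turn listings off in the server configuration.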

 

 

 

 

 

 

 



Copyright(©) 2003 - 2008 Access Technologies