Home > Archive > IIS Server Security > September 2004 > How to stop hackers from changing the index.asp file

How to stop hackers from changing the index.asp file
| Jay_Reborn 2004-08-29, 5:51 pm |
| There has been a sudden increase in hackers changing the root files on
the webserver...
They are exploiting something... but can someone help here???
the message people get is "Fatal Error ownz YOU"
a number of groups on irc.brasnet.org are hitting thousands of websites...
it will soon become an epidemic... unless the security is addressed...
so I am starting this thread so people can discuss it... can anybody help
here... as I know people who have already been hit by this...
| |
| Ken Schaefer 2004-08-29, 5:51 pm |
| Hi,
There are currently no known IIS exploits that are unpatched.
a) ensure that your server is up to date with patches. Use Microsoft
Baseline Security Analyzer (MBSA) to test your server:
http://www.microsoft.com/technet/se...s/mbsahome.mspx
b) ensure that your server does not have any weak passwords (it is possible
that someone guessed a password, or is using an account that has no
password)
c) ensure that your box hasn't already been compromised - perhaps your box
was compromised before, and the attackers have installed a backdoor that
lets them get in whenever they want to. Using tools like netstat.exe (comes
with Windows) and TCPView (www.sysinternals.com) can help you look out for
suspicious listening ports.
d) If your machine is currently having pages changed, then it seems that
attackers already have access to the box. Consider calling Microsoft PSS
(Product Support Services) Security Response team in your local area to have
them determine what you should be doing.
Cheers
Ken
"Jay_Reborn" <Jay_Reborn@discussions.microsoft.com> wrote in message
news:3D127817-8127-40CB-A6CC-33793B31D137@microsoft.com...
> There has been a sudden increase in hackers changing the root files
> on
> the webserver...
>
> They are exploiting something... but can someone help here???
>
> the message people get is "Fatal Error ownz YOU"
> a number of groups on irc.brasnet.org are hitting thousands of websites...
> it will soon become an epidemic... unless the security is addressed...
>
> so I am starting this thread so people can discuss it... can anybody help
> here... as I know people who have already been hit by this...
>
| |
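Ken's point (c) above, checking netstat for suspicious listening ports, is easier to repeat if it is scripted. The following is an added example, not code from the thread or from any poster: it parses text in the shape of Windows `netstat -an` or `netstat -ano` output (the latter adds an owning-PID column) and reports TCP listeners that are not in an allowlist. The sample output and the allowlist (80, 443 and 3389 for a web server administered over RDP) are constructed assumptions; on a real box, feed it the actual netstat output and the baseline agreed for that server.

```python
"""Report unexpected TCP listeners from 'netstat' output.

Added example for Ken's point (c); not code from the thread. The sample
below is constructed to look like Windows 'netstat -ano' output, and
EXPECTED_LISTENERS is an assumed baseline, not a recommendation.
"""
import re

# Constructed sample in the shape of Windows 'netstat -ano' output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2784
  TCP    192.168.1.10:80        203.0.113.5:4412       ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1644
"""

# Assumed baseline for a web server administered over RDP.
EXPECTED_LISTENERS = {80, 443, 3389}

# Matches a TCP line in LISTENING state; the PID column is optional so the
# same parser accepts plain 'netstat -an' output too.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING(?:\s+(?P<pid>\d+))?\s*$"
)


def listening_ports(netstat_output):
    """Return {port: pid_or_None} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            pid = int(m.group("pid")) if m.group("pid") else None
            listeners[int(m.group("port"))] = pid
    return listeners


def unexpected_listeners(netstat_output, expected=EXPECTED_LISTENERS):
    """Return [(port, pid)] for listeners outside the baseline, sorted by port."""
    listeners = listening_ports(netstat_output)
    return sorted((port, pid) for port, pid in listeners.items() if port not in expected)


if __name__ == "__main__":
    # Runs against the constructed sample; on a real box pipe netstat output in instead.
    for port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        owner = "PID %d" % pid if pid is not None else "unknown process"
        print("unexpected listener on TCP %d (%s): identify it before trusting this box" % (port, owner))
```

Anything it reports is a lead, not a verdict: look up the owning process (the PID column from `netstat -ano`, or TCPView as Ken mentions) and compare it with what the box is supposed to run before deciding whether the machine is clean.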
| Jeff Cochran 2004-09-02, 6:45 pm |
| On Sun, 29 Aug 2004 16:25:01 -0700, "Jay_Reborn"
<Jay_Reborn@discussions.microsoft.com> wrote:
>There has been a sudden increase in hackers changing the root files on
>the webserver...
There may need to be a sudden increase in the skill level or knowledge
of the webmaster...
>They are exploiting something... but can someone help here???
Not without a lot more detail.
>the message people get is "Fatal Error ownz YOU"
>a number of groups on irc.brasnet.org are hitting thousands of websites...
>it will soon become an epidemic... unless the security is addressed...
So address it. It's an administrator issue, not a security issue.
>so I am starting this thread so people can discuss it... can anybody help
>here... as I know people who have already been hit by this...
First, get that system unplugged from the internet. Now. Next,
flatten it. Reformat and reinstall from scratch, applying all the
service packs and hardening the box before you reconnect it to the
internet. Then stop using the server for browsing the internet,
answering email, hitting the IRC channels or any other *client*
application.
See the Microsoft site for security checklists. And next time you
have a problem, post details that would help. Like the operating
system you use for example. Event logs, IIS log entries, security
audit logs, firewall logs and so on.
Jeff
| |
| Miha Pihler 2004-09-02, 6:45 pm |
| One thing that you can do is burn the content of the web page to a CD and run it
from there. I would like to see the hacker that changes that index.asp (or
any other) file :-)
Mike
"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:4134374f.579407063@msnews.microsoft.com...
> On Sun, 29 Aug 2004 16:25:01 -0700, "Jay_Reborn"
> <Jay_Reborn@discussions.microsoft.com> wrote:
>
>
> There may need to be a sudden increase in the skill level or knowledge
> of the webmaster... 
>
>
> Not without a lot more detail.
>
>
> So address it. It's an administrator issue, not a security issue.
>
>
> First, get that system unplugged from the internet. Now. Next,
> flatten it. Reformat and reinstall from scratch, applying all the
> service packs and hardening the box before you reconnect it to the
> internet. Then stop using the server for browsing the internet,
> answering email, hitting the IRC channels or any other *client*
> application.
>
> See the Microsoft site for security checklists. And next time you
> have a problem, post details that would help. Like the operating
> system you use for example. Event logs, IIS log entries, security
> audit logs, firewall logs and so on.
>
> Jeff
| |
| Jerry Pisk 2004-09-02, 6:45 pm |
| It's not that difficult to change the metabase to point to a different file.
If you gain enough access to break a proper ACL on the files then you have
enough to change the site to point to a different location. Running it off
a CD will not help you.
Jerry
"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:uoHdr4pjEHA.3896@TK2MSFTNGP15.phx.gbl...
> One thing that you can do is burn a content of webpage to a CD and run it
> from there. I would like to see the hacker that changes that index.asp (or
> any other) file :-)
>
> Mike
>
> "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
> news:4134374f.579407063@msnews.microsoft.com...
| |
| Steve |
| We just went through a bout with site defacements that has lasted for about 3
months. We kept looking for evidence that a hacker had been in the server...
log files, new & changed file dates/times, etc. It turns out that they were
defacing every website on the server just by running an .asp file that was in
a directory that was already on the server.
All the hacker needed to do was type in the URL of the script in his browser,
fill in the blanks with his hacker group message and click the submit
button. The .asp script just used the FileSystemObject to list all of the
directories on the web root, and with the click of a button the script
creates all of the files in each directory and loops through your whole
server root, creating a default.htm, default.html, index.htm, index.html,
default.asp, default.php, and so on. Each page has the hacker's message on it.
Do a Find--Files on your server and look for files that contain the text
FileSystemObject. When you find the files, open them with Notepad and take
a look at the code. If it's a hacker script, you'll see the create
FileSystemObject line and then you'll see some lines of code containing the words
default.htm, default.html, index.htm, index.html, default.asp, default.php...
you'll see the loop.
===================
"Jay_Reborn" wrote:
> There has been a sudden increase in hackers changing the root files on
> the webserver...
>
> They are exploiting something... but can someone help here???
>
> the message people get is "Fatal Error ownz YOU"
> a number of groups on irc.brasnet.org are hitting thousands of websites...
> it will soon become an epidemic... unless the security is addressed...
>
> so I am starting this thread so people can discuss it... can anybody help
> here... as I know people who have already been hit by this...
>
| |
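Steve's manual procedure above (search the server for files containing FileSystemObject, then read each one looking for the list of default page names and the loop) can be turned into a scan. The following is an added example, not code from the thread or from any poster, and it is a triage aid rather than a signature: it walks a web root, scores .asp/.asa/.inc files on indicators taken from Steve's description (creation of Scripting.FileSystemObject, a CreateTextFile call, SubFolders enumeration, and several of the default page names appearing in one file), and reports files at or above a threshold. The sample web root is constructed in a temporary directory; the flagged file is a stand-in that carries only the indicator strings, not a working script, and the indicator list and threshold are assumptions.

```python
"""Scan a web root for ASP scripts that look like mass-defacement tools.

Added example automating Steve's check; not code from the thread. The
indicators below are assumptions drawn from his description, and the
sample web root is constructed here, not taken from any real server.
"""
import os
import re
import tempfile

# Page names the script wrote into every directory, per Steve's post.
DEFAULT_PAGE_NAMES = ("default.htm", "default.html", "index.htm",
                      "index.html", "default.asp", "default.php")
SCRIPT_EXTENSIONS = (".asp", ".asa", ".inc")

FSO_RE = re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.IGNORECASE)
WRITE_RE = re.compile(r"\bCreateTextFile\b", re.IGNORECASE)
FOLDER_RE = re.compile(r"\bSubFolders\b", re.IGNORECASE)


def score_script(source):
    """Return (score, reasons) for one script body; higher is more suspicious."""
    reasons = []
    lowered = source.lower()
    if FSO_RE.search(source):
        reasons.append("creates Scripting.FileSystemObject")
    if WRITE_RE.search(source):
        reasons.append("calls CreateTextFile")
    if FOLDER_RE.search(source):
        reasons.append("enumerates SubFolders")
    names = [n for n in DEFAULT_PAGE_NAMES if n in lowered]
    if len(names) >= 3:
        reasons.append("names %d default page files" % len(names))
    return len(reasons), reasons


def scan_webroot(root, threshold=3):
    """Walk root; return {relative path: reasons} for scripts scoring >= threshold."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1", errors="replace") as fh:
                score, reasons = score_script(fh.read())
            if score >= threshold:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return hits


# Constructed sample web root: an ordinary page, a legitimate FileSystemObject
# use (reading a hit counter), and a stand-in for the script Steve describes
# that carries the indicator strings only, with no working body.
SAMPLE_FILES = {
    "site1/default.asp": '<% Response.Write "Welcome to site 1" %>',
    "site2/counter.asp": (
        "<%\n"
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        'Set f = fso.OpenTextFile(Server.MapPath("hits.txt"), 1)\n'
        "Response.Write f.ReadLine\n"
        "%>"
    ),
    "private/tools/upd.asp": (
        "<%\n"
        "' constructed stand-in: indicators only, not a working script\n"
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        'For Each folder In fso.GetFolder(Server.MapPath("/")).SubFolders\n'
        "    ' wrote default.htm, default.html, index.htm, index.html,\n"
        "    ' default.asp and default.php into each folder\n"
        "Next\n"
        "%>"
    ),
}


def build_sample_webroot(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo():
    """Build the sample web root in a temp dir and return the scan hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print("%s: %s" % (rel, "; ".join(reasons)))
```

A page that uses FileSystemObject for one legitimate purpose (the counter in the sample) scores low and is not reported; anything that is reported should be opened and read by hand, as Steve suggests, and its creation time and owner compared against the FTP and IIS logs to establish how it arrived.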
| SA |
| OK, but the real question is, how did that .asp file that changes the
contents of the other files get there in the first place?
--
Sven
"Steve" <Steve@discussions.microsoft.com> wrote in message
news:A16D389F-3127-4424-9F10-DC6676DE725E@microsoft.com...
> We just went through a bout with site defacements that has lasted for about 3
> months. We kept looking for evidence that a hacker had been in the server...
> log files, new & changed file dates/times, etc. It turns out that they were
> defacing every website on the server just by running an .asp file that was in
> a directory that was already on the server.
>
> All the hacker needed to do was type in the URL of the script in his browser,
> fill in the blanks with his hacker group message and click the submit
> button. The .asp script just used the FileSystemObject to list all of the
> directories on the web root, and with the click of a button the script
> creates all of the files in each directory and loops through your whole
> server root, creating a default.htm, default.html, index.htm, index.html,
> default.asp, default.php, and so on. Each page has the hacker's message on it.
>
> Do a Find--Files on your server and look for files that contain the text
> FileSystemObject. When you find the files, open them with Notepad and take
> a look at the code. If it's a hacker script, you'll see the create
> FileSystemObject line and then you'll see some lines of code containing the
> words default.htm, default.html, index.htm, index.html, default.asp,
> default.php... you'll see the loop.
>
| |
| Steve 2004-09-15, 10:34 am |
| We figure that it got there by one of three ways:
1. Before the server had all of the latest patches/updates, we may have had
a major server break-in where the hacker had enough control to upload files
to the server. He hid the script in a directory and could access it through
a browser any time he wanted.
2. One of our hosting customers (or a mad ex-employee) was an experimental
hacker and just ftp'd the script into his directory and ran it when he wanted
to.
3. A hacker got hold of a customer's ftp username/password and did the
same as #2.
One thing you could do is modify the script to capture the hacker's IP
address when he comes to the page to type in his message and run the script,
and then email the IP address to the Admin. But if his IP turns out to be in
Brazil or Spain, what are you going to do about it... not much.
"SA" wrote:
> OK, but the real question is, how did that .asp file that changes the
> contents of the other files get there in the first place?
>
> --
>
> Sven
>
>
> "Steve" <Steve@discussions.microsoft.com> wrote in message
> news:A16D389F-3127-4424-9F10-DC6676DE725E@microsoft.com...