Re: web site got hacked

From: Alessandro Perilli (peris_at_tiscali.it)
Date: 06/04/03


Date: Wed, 4 Jun 2003 14:49:59 +0200


On Wed, 04 Jun 2003 04:49:49 -0700, Rajesh Vijayan wrote:

> Hi. My web folders have read permission only. But the hacker changed to
> full control using his script. Now IIS stop frequently. I applied
> microsoft patch js56nen.
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

Rajesh,
2 possible explanations:

1) Crackers (let hackers out please) aim to stop your web server (achieving
a so-called "Denial of Service") and are using some IIS exploits. This means
they are passing by TCP80 port only and every time you restart the (unpatched)
server they hack it again.
Solution: fully patch IIS (apply SP3 and all available fixes).

2) Crackers are remotely controlling your web server and stopping IIS as
needed for eventual reconfigurations. This means they are using some other
distributed application (a so-called "backdoor") deployed and executed by an
initial IIS vulnerability: since they stop IIS, TCP80 port is unavailable,
so their connections should stop and other remote management systems are
required.
Solution:
        a) Block any incoming connection through any port but TCP80 and
(eventually) TCP443.
        b) Monitor the applications in execution on your web server using process
monitoring tools (like Process Explorer by www.sysinternals.com) and try to
recognize unauthorized/unknown programs running.

Good luck

-- 
Alessandro Perilli
Security Consultant / Trainer
MCT - MCSE 2000 - LINUX+
CCSI - CCSE 2000 - CCSE+ NG
CCNA - CIWP - CIWSA - CCA XP
SECURITY+ 
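
Steps (a) and (b) from the reply above can be combined into one audit, shown here as an added example that is not part of the original post: it lists every TCP listener reachable from the network on a port other than 80/443, together with the owning PID to look up in a process monitoring tool. It assumes a Windows version whose `netstat` supports `-ano`; the sample output and the function name are constructed for illustration.

```python
import re

# The only inbound ports the reply says to leave open.
ALLOWED_TCP_PORTS = {80, 443}

# Constructed sample of `netstat -ano` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:5150           0.0.0.0:0              LISTENING       2960
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       1500
  TCP    10.0.0.5:80            203.0.113.9:51544      ESTABLISHED     1204
  UDP    0.0.0.0:500            *:*                                    640
"""

# Matches only TCP rows in LISTENING state: local address, local port, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def unexpected_listeners(netstat_text, allowed=ALLOWED_TCP_PORTS):
    """Return (address, port, pid) for each network-reachable TCP listener
    whose port is not in the allowed set, sorted by port."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, established connections
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listeners are not reachable remotely
        if port not in allowed:
            findings.append((addr, port, pid))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for addr, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener {addr}:{port} owned by PID {pid}")
```

Each reported port is a candidate for the firewall block in (a), and each PID is a process to identify under (b).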

