Re: HACKER visits my web site
From: Steven Burn (nobody_at_PVT_it-mate.co.uk)
Date: Wed, 21 Jan 2004 02:56:56 -0000
Not sure bout the rest of it being new to IIS myself but, robots.txt isn't
anything particularly fascinating. It's used by search engine spiders to
allow you to tell them which folders they can and can't go into.
-- Regards Steven Burn Ur I.T. Mate Group www.it-mate.co.uk Keeping it FREE! Disclaimer: I know I'm probably wrong, I just like taking part ;o) Chrsi Grady <firstname.lastname@example.org> wrote in message news:email@example.com... > HACKER! > > Hardware: Pentium 4 2.53 Ghz with 512 RAM > Operating System: Windows XP Pro w/Service Pack 1 > IIS V5.1 is installed and operating > Server Extensions are now turned OFF > > My personal webpage was recently hacked/defaced. I would > like to determine how 1) this happened; and 2) how this > type of intrusion can be prevented in the feature. > > Background: I have had a personal webpage that I have > been hosting myself for 6 months without problems. > However, recently the Hit Counter on my homepage > got "stuck" at "1". I went on the Microsoft Office > FrontPage Client support page > (http://support.microsoft.com/newsgroups/default.aspx? > NewsGroup=microsoft.public.frontpage.client&SLCID=US&ICP=G > SS3&sd=GN&id=fh;en-us;newsgroups) > to ask for help. I received a few suggestions that did > not help. The next morning a woke up and found that not > only was my Hit Counter now working, but also the > background on the webpage has changed from a pale yellow > to a blue shade. I had had an overnight visitor/hacker! > I fixed the color, went back on the support group to > report these issues-and a short time later the page was > back to yellow again. > > Viewing my web log found an unwanted action: > > 2004-01-11 07:57:03 126.96.36.199 80 GET /robots.txt 404 - > > I have never heard of robots.txt. It is not in my webpage > now. Also I have never heard of 188.8.131.52. While I am > inexperienced in IIS, I believe that the hacker somehow > used FrontPage extensions to access my webpage and then > inserted the .txt file (I have the log(s) if anyone needs > them). > > I then turned off Front Page Extensions-the Hit Counter > now does not work (box with red X) - but the intruder has > not returned. > > The MVPs on the FrontPage support page strongly > recommended several times that I do NOT host my own > webpage because of security issues. But I suspect that > members of this group may feel that IIS with FP > Extensions will work just fine--- so.. > > 1) how did this happen; and 2) how can this type of > intrusion be prevented in the feature? > >