Someone hacked into my site – ChurchProgrammer

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
Someone totally hacked into my website. They found a way to execute winnt/system32/cmd.exe to create a new default.asp, default.htm, index.asp and index.htm. My security wasn't set up very well, so I set it up better. As soon as I was done, they hacked in again. I called around. I think several people are getting hit with this. They replace the default webpage with some bad words about the USA government. grrr, argh. Did anyone else get hit? How do I protect against this? So frustrating... Oh, well. Just thought anyone running IIS 5.0 on Win2000 should watch out...

geekgirl101
Member

Posts: 18
From: Stockport, England
Registered: 03-25-2001
Do you have your own DNS? Try setting up a Linux firewall, they're pretty easy to use and are very tough to break through.

------------------
http://www.geekgirl101.org

-----BEGIN GEEK CODE BLOCK-----
GIT/! d? s+:+ a-- C+++ UL P L++ E-- W++ N+ o? K- w-- O- !M PS+++ !PE Y? PGP- t+ 5++ X+ R+ tv+ b+ DI++ D- G e(*) h-(---) r+++ x+++
------END GEEK CODE BLOCK------

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
I may have to try something like that. I've searched the net for info. It looks like it is a nationwide problem.

http://www.taipeitimes.com/news/2001/05/05/story/0000084533

http://www.zdnet.com/tlkbck/comment/22/0,7056,40785-164610,00.html

http://www.theage.com.au/news/2001/05/06/FFX7ETB9CMC.html

Believer
Member

Posts: 80
From: British Columbia, Canada
Registered: 01-30-2001
This may be obvious to you, but just in case...

You say you improved your security and they got in again. You did reformat your drive and reinstall your OS first, right?

If they can execute arbitrary programs on your server like that then they can easily tell it to download and install a trojan that will allow them to get back in later on no matter how tight you make it. If a system is compromised you really only have one choice: total system rebuild, and don't use any backup tapes that may have been made after the initial hack.

Also (and this is probably a case of stating the obvious as well), IIS is just about the worst web server you could be using in terms of security. No matter how tight you make your system, a new IIS exploit is released every few days it seems.

If you must use NT as your OS, try Apache instead of IIS (it's free and *waaaay* better designed). Better yet, dump NT in favour of Linux or FreeBSD and use Apache on them. That's not to say any OS/software combo is perfect security-wise, but NT/IIS is somewhere down at the bottom of the list.

[This message has been edited by Believer (edited May 08, 2001).]

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
I'm in the process of reloading the OS. Unfortunately, I am stuck with Win2000. I am only familiar with VB and ASP. Does Apache support ASP? If it does I think I'll take a look at it. Thanks for the suggestions.

I decided to reload the OS; however, from my log file, I am pretty sure I know exactly what they did. I don't think any trojans were dropped. But then again, one can never know for sure...
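A defender reviewing the server log, as ChurchProgrammer describes above, is looking for the requests that reached winnt/system32/cmd.exe through port 80. The script below is an added example for this thread, not code from any poster. It assumes the default IIS W3C extended log format with a `#Fields:` header; the log lines embedded in it are constructed for the example, not taken from any real server. It percent-decodes the request path twice before matching, because a request that is encoded once still looks harmless to a naive string search.

```python
"""Flag IIS W3C extended log entries that reach for cmd.exe or the
system32 directory. Added example; assumes the default IIS 5.0
W3C extended log layout with a #Fields: header line."""
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format (not a real log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-07 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-07 03:12:01 10.0.0.5 GET /default.asp - 200
2001-05-07 03:12:44 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200
2001-05-07 03:13:02 10.0.0.9 GET /scripts/winnt/system32/cmd%2eexe /c+dir 200
2001-05-07 03:14:10 10.0.0.7 GET /images/logo.gif - 304
2001-05-07 03:15:30 10.0.0.5 GET /search.asp q=cmd 200
"""

# Substrings that should never appear in a decoded request to a web root.
SUSPICIOUS_MARKERS = ("cmd.exe", "/winnt/system32/")


def normalize(value: str) -> str:
    """Percent-decode twice, unify slashes and lower-case for matching.
    Two passes catch values that were encoded, then encoded again."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/").lower()


def parse_w3c(text: str) -> list[dict]:
    """Turn W3C extended log text into a list of field-name -> value dicts.
    The #Fields: directive names the columns; other # lines are comments."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line appears before a #Fields: header")
        values = line.split()  # IIS encodes spaces in URIs as '+', so split is safe
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines rather than guess
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious_requests(text: str) -> list[dict]:
    """Return the log rows whose decoded path/query hits a marker or
    contains a '..' traversal, each tagged with the reasons it matched."""
    hits = []
    for row in parse_w3c(text):
        stem = normalize(row.get("cs-uri-stem", ""))
        query = normalize(row.get("cs-uri-query", ""))
        reasons = [m for m in SUSPICIOUS_MARKERS if m in stem or m in query]
        if ".." in stem:
            reasons.append("path traversal")
        if reasons:
            hits.append({**row, "reason": reasons})
    return hits


def offenders_by_ip(text: str) -> dict[str, int]:
    """Count flagged requests per client address to see who kept coming back."""
    counts: dict[str, int] = {}
    for hit in suspicious_requests(text):
        counts[hit["c-ip"]] = counts.get(hit["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["reason"])
    print(offenders_by_ip(SAMPLE_LOG))
```

Run against a real log, the `sc-status` column matters too: a flagged request that returned 200 means the server actually served the command, while 404 means the attempt bounced. The `/search.asp q=cmd` line is there to show that a plain substring match on "cmd" would be a false positive; the marker list only matches the executable itself or its directory.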

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
I was just in contact with a friend that runs a large corporate website; they were hit bad too.

Believer
Member

Posts: 80
From: British Columbia, Canada
Registered: 01-30-2001
Been there myself in the past, I know how it makes you feel to get hacked. I really feel for ya.

As for Apache, I don't know about ASP/VB support - I use it on FreeBSD and Linux boxes, never used it under Windows. I just know they have a Windows version. It does support PHP though, which is a really nice alternative (and more portable). The web site is www.apache.org if you want to check it out.

As GeekGirl101 suggested you should install a good firewall. If you don't want to bother with building your own (which means learning a little something about Linux/BSD/etc and coming up with a spare CPU and a pair of network cards), I'd recommend going to Costco or someplace and grabbing a $100 D-Link or Linksys firewall. Of course it won't protect you from exploits that can be done via HTTP, but it does prevent a whole lot of other attacks.

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
Thanks. I'll check out the site. As far as the firewall, I have D-Link and I was only letting in port 80. That's totally how they got in. Pretty scary.

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
apache.org site says:

Can I use Active Server Pages (ASP) with Apache?
The base Apache Web server package does not include ASP support. However, there are a couple of after-market solutions that let you add this functionality; see the related projects page to find out more.

I looked briefly at the related projects. At first glance, it looks like I'm out of luck. It looks like I have a choice to make. Either wait for Microsoft to fix IIS or learn a bunch of new stuff (linux, apache, etc.). I'm not sure what I'm gonna do at this point. Something to pray about I guess.

FrosGate
Member

Posts: 22
From: Grawn, MI, USA
Registered: 05-08-2001
I dunno if this is going to be able to help you at all, as I'm not exactly sure what exploit was used to compromise your server. I do know that news about the majority of exploits for IIS is quickly published to a number of good news groups and mailing lists. These groups/lists generally discuss work-arounds to safeguard your computer and also announce when Microsoft has released patches for certain exploits. I would recommend subscribing to at least one of these to keep up to date about what's going on in the world. There's a very good chance that whatever computer geek decided to hack your computer was about six days behind another computer geek who figured out how to stop a hacker from doing it. And a better chance that he posted his solution to a news group.

I couldn't tell you what the best security group to subscribe to is, but I'd be happy to offer the one I subscribe to as a suggestion. Check out http://www.securityfocus.com

Hope this helps and helps avoid future hell.

Regards,
Nathan O'Brien
Freelance Thinker

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
Thanks, I've been looking for this information. The website you mentioned actually has an article on "Microsoft IIS hole gives System-level access". I'm assuming downloading the patch mentioned in the article will fix my problem. (Or at least until the next hacker finds another hole.)

The interesting thing is that I am very careful about having the latest patches. I go to the Windows Update page almost daily to check. My machine was up-to-date according to their Product Update screen. I'm assuming, for whatever reason, this specific patch was never posted on the auto-update web page. I'll download it and see...

FrosGate
Member

Posts: 22
From: Grawn, MI, USA
Registered: 05-08-2001
I've had limited experience in your shoes, only a few months of Net Admin'ing before I moved onto something else, but I can relate some information to you. It's been my experience that the MS Update page rarely keeps you up to date. The majority of patching included in there is for the OS only, not subsystems or services that you have on top of it. For whatever reason, MS often doesn't include its patches for exploits on its auto update service. Dunno why.

It'd be my advice to subscribe to the Focus-MS@SecurityFocus.com mailing list. It's not much of a strain on your mailbox, generally only 20 emails a day, and a lot of it is very interesting. Plus, it'll give you access to a little bit more professional forum for posting your questions. If you need any help subscribing to the mailing list, I'd be happy to help.

I'm glad to hear that you found the patch that you needed, I hope all goes well.

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
Well, I reinstalled the OS... Installed the patch... The site is up and running again... Now, I am playing the waiting game... to see if someone tries to hack it again... Thanks for your help.

geekgirl101
Member

Posts: 18
From: Stockport, England
Registered: 03-25-2001
Yeah, but it doesn't stop there. You'll need to keep track of all the latest updates and patches. It's a tough thing keeping stuff like crackers and viruses out.

------------------
http://www.geekgirl101.org

-----BEGIN GEEK CODE BLOCK-----
GIT/! d? s+:+ a-- C+++ UL P L++ E-- W++ N+ o? K- w-- O- !M PS+++ !PE Y? PGP- t+ 5++ X+ R+ tv+ b+ DI++ D- G e(*) h-(---) r+++ x+++
------END GEEK CODE BLOCK------

ChurchProgrammer
Member

Posts: 19
From: IL
Registered: 05-07-2001
It didn't take long for someone to try again. I stress the word 'try' because this time they failed. *phew* The patch seems to have helped.