How to identify hacker activity
Hi,

One of our old servers that we use (site) to redirect to another has been hacked.  Basically we found the redirect file replaced and a few others replaced.  The page we get to says "hacked by wanted hacker" then I hate Bush with the S replaced by a Swastika.

What I need help with is

1.  How to determine how they logged into the machine
2.  What steps can we take in the future to prevent this
3.  What can I do to assess the vulnerability of our other servers

Note:  we are a small software dev. shop and don't have much expertise in this area, so steps and explanations please.

Thanks
H
Question Stats
Zone: Security
Question Asked By: gbzhhu
Solution Provided By: arnold
Participating Experts: 2
Solution Grade: A
 
03.19.2008 at 06:24AM PDT, ID: 21161213
Is the system up to date with MS SP's updates?  Which version of IIS are you running?
 
03.19.2008 at 06:47AM PDT, ID: 21161456
I have access to the server but don't have much other information.

It is running Windows 2000 Terminal.
I don't know what version of IIS - how can I tell? I can open IIS but I can't find a version #.
Again, how can I tell if it has the latest service packs?
 
03.19.2008 at 08:29AM PDT, ID: 21162514
I think Windows 2000 runs IIS 5.
Use IE and go to Windows Update.  Do not install anything unless you change the mode beforehand (in a command window: change user /install; change user /execute to return to application mode).
change user /query will tell you what mode the system is in.

You could also check the properties of my computer to see whether sp4 was applied.

 
03.19.2008 at 09:12AM PDT, ID: 21162917
Thanks Arnold,

Result for change user /query is

Application EXECUTE mode is enabled.
Install mode does not apply to a Terminal server configured for remote administration.

What are these modes?

We also found that an anonymous user was defined for FTP and may have been how the hacker got in. Is that a possibility?
 
03.19.2008 at 10:00AM PDT, ID: 21163401
The mode means that this is not a terminal server.  You are using the remote administration function which means when you login it is equivalent to a login directly on the system.

If you have the FTP server configured for anonymous access, it will not count as hacking since this is what the server was configured for.  I think FTP uses ftproot while the web site has wwwroot.

You had best disable anonymous FTP or your system might be used to store/distribute stuff.

You can get MBSA and check the system.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Here are some links to secure IIS5:
http://technet.microsoft.com/en-us/windowsserver/2000/bb735395.aspx
http://www.microsoft.com.nsatc.net/technet/archive/security/chklist/iis50srg.mspx
http://www.windowsnetworking.com/nt/nt2000/atips/atips76.shtml

Checking the web access log might also shed light.  You should notice a sudden growth in the log's file size.
 
03.19.2008 at 10:18AM PDT, ID: 21163576
Thanks arnold.  Where is the web access log?
 
03.19.2008 at 10:32AM PDT, ID: 21163715
The location of the web access log depends on the configuration; check the properties of the website (default, etc.).  It might be in c:\windows (or is it c:\winnt?) \system32\logfiles\
you might have
w3svc1
..
etc.
Under the properties you will see which site is in which directory.
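One way to act on arnold's advice to check the web access log, as an added example that is not from the thread: a small Python script that parses IIS W3C extended log lines, picks out the day whose request volume jumps, and lists the client and the write-capable requests behind it. The log lines are constructed and the logged field set is an assumption.

```python
# Added example (not from the thread): summarise an IIS W3C extended log to find the
# day whose request volume jumps and the client and write-capable requests behind it.
from collections import Counter, defaultdict
from statistics import median
# Constructed sample in the shape of system32\LogFiles\W3SVC1\exYYMMDD.log; the field
# set is an assumption, since IIS only writes the columns it was configured to log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2008-03-10 08:01:12 192.0.2.10 GET /default.htm 200 Mozilla/4.0+(compatible)
2008-03-10 13:22:40 192.0.2.11 GET /default.htm 200 Mozilla/4.0+(compatible)
2008-03-11 09:10:05 192.0.2.12 GET /default.htm 200 Mozilla/4.0+(compatible)
2008-03-11 17:45:51 192.0.2.10 GET /default.htm 200 Mozilla/4.0+(compatible)
2008-03-12 02:14:03 198.51.100.7 GET /default.htm 200 -
2008-03-12 02:14:04 198.51.100.7 GET /old/ 404 -
2008-03-12 02:14:05 198.51.100.7 GET /backup/ 404 -
2008-03-12 02:14:07 198.51.100.7 OPTIONS / 200 -
2008-03-12 02:14:08 198.51.100.7 PROPFIND / 207 -
2008-03-12 02:14:09 198.51.100.7 PUT /default.htm 201 -
2008-03-12 02:14:10 198.51.100.7 GET /default.htm 200 -
2008-03-12 10:03:31 192.0.2.11 GET /default.htm 200 Mozilla/4.0+(compatible)
"""
READ_METHODS = {"GET", "HEAD", "POST"}                      # all a redirect page should see
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL"}  # WebDAV verbs that change disk

def parse_w3c(text):
    """One dict per request line, keyed by the names in the #Fields: header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # IIS re-emits this header when the set changes
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated lines rather than guess
                rows.append(dict(zip(fields, parts)))
    return rows

def requests_per_day(rows):
    return Counter(r["date"] for r in rows)

def spike_days(per_day, factor=3):
    """Days at or above factor x the median day: the sudden growth arnold describes."""
    if len(per_day) < 2:
        return []
    base = median(per_day.values())
    return sorted(day for day, n in per_day.items() if n >= factor * base)

def suspicious_by_client(rows):
    """Per client IP: non-read methods and 4xx/5xx responses, both signs of probing."""
    out = defaultdict(Counter)
    for r in rows:
        if r["cs-method"] not in READ_METHODS:
            out[r["c-ip"]]["non_read_method"] += 1
        if r["sc-status"][0] in "45":
            out[r["c-ip"]]["error_response"] += 1
    return dict(out)

def write_events(rows):
    """Requests that could have replaced a file, such as the defaced redirect page."""
    return [(r["date"] + " " + r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"])
            for r in rows if r["cs-method"] in WRITE_METHODS]

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print(spike_days(requests_per_day(rows)), suspicious_by_client(rows), write_events(rows))
```

Run it against the real ex*.log files from each W3SVCn directory, one day at a time, and compare the flagged day with the time the redirect file's modification date changed.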
 
03.19.2008 at 10:33AM PDT, ID: 21163727
Excellent thanks.  Let me have a look at it.
 
03.20.2008 at 01:07AM PDT, ID: 21169023

Rank: Master

George W and ancient rune depicting sun marching over the skies are absolutely irrelevant to your case of getting defaced (actually, bush-hate is so widespread these days that instead of the cracker I would have used some sort of vile porn to bring attention to your poor security).
Do you have a firewall forwarding packets to your IIS machine that sits in the DMZ? If you don't you should consider using one and then you could monitor the firewall IDS logs and plain old connection logs. The reason being that the compromised IIS machine is prone to lose all of its logging ability. Think about it: how reliable would you consider logs that are on the compromised machine?
 
03.20.2008 at 03:49AM PDT, ID: 21169820
jakopriit,

You make sense and BTW I too hate monkey Dubya.  Well, I am from Somalia originally and he just bombed a village in my country a couple of weeks ago, the idiot.  C'mon CIA arrest me!!

That was for my anger; back to the issue.  Yes, we have a firewall, except that I have no clue what IDS logs are and where they are, and the same goes for the connection logs.  Is this standard for all firewalls, or are the locations for these logs proprietary?

Cheers
H
 
03.27.2008 at 02:58AM PDT, ID: 21219791
Checked our server out properly and it had not been updated for 4 years!!!!  I have brought it up to date and disabled the anonymous account.

All seems good, although I still have not figured out how the hacker entered.
 
03.27.2008 at 06:20AM PDT, ID: 21220972
Four years is a long time. Did you check the IIS logs?  There might have been several exploits that were fixed in IIS in that time.  Look at the update list and then reduce the number to the updates that only apply to IIS.  You might want to count yourself as lucky that this is the only incident or that this is the only incident that you detected.  You should check all your other systems to make sure they are up-to-date as well as scan them for backdoor/root kits.
 
03.27.2008 at 06:38AM PDT, ID: 21221158
It's true.  I think we are very lucky.  Where can I find the IIS logs?  Any advice on what tools to use for backdoor/rootkit scanning?

Thanks
H
 
03.27.2008 at 07:01AM PDT, ID: 21221397
Accepted Solution
 
03.27.2008 at 07:11AM PDT, ID: 21221496
Thanks
 
03.27.2008 at 08:14AM PDT, ID: 21222268

Rank: Master

SysInternals has made a rootkit revealer that I trust most. Those guys are now part of Microsoft (one major reason why Windows 2008 server is so much better than previous ones) and their software is regularly updated and posted on microsoft.com servers.
Assisted Solution
 
03.27.2008 at 10:53AM PDT, ID: 21224096
Thanks.  I will check that out too.
 
03.28.2008 at 02:56AM PDT, ID: 21229014
>>For Log files, see post 21163715.  

arnold what do you mean by that?
 
03.28.2008 at 05:46AM PDT, ID: 21229817
Each post here has an ID.  Your recent post has ID: 21229014.  In post ID: 21163715 I pointed out how or where you can look to determine where the IIS logs are.
Copying from before:
"The location of the web access log depends on the configuration, check the properties of the website (default, etc.)  might be in c:\windows or is it c:\winnt  \system32\logfiles\
you might have
w3svc1
..
etc.
Under the properties you will see which site is in which directory."
 
03.28.2008 at 06:08AM PDT, ID: 21229983
Of course!  My old brain started to fail.  I am going in circles :-( sorry.  I thought you were talking about another question.  Thanks for your patience arnold.

H
 
03.31.2008 at 05:29AM PDT, ID: 21244718

Rank: Master

how's it goin'? still skimming those compromised and therefore unreliable logs? caught any rootkits yet?
 
03.31.2008 at 05:55AM PDT, ID: 21244879
jakopriit,

Now that the server is not under attack, I was sidetracked to do an urgent bug fix, so I didn't really look at any logs yet.  Our tech director doesn't seem to bother about the danger.

I will report back here once I have looked at the logs (IIS, firewall).
 
05.08.2008 at 03:49AM PDT, ID: 21523628
Guys,

New server built (Win2k3) and old server discarded.  I would like to close the question and split the points the way I see appropriate.  Thank you for your help, really appreciated.

Cheers
H