Hack? Outside source placing pages on Root, IIS

Posted on 2004-11-15
Last Modified: 2013-12-04
We've had an issue where someone places/replaces pages in IIS with their own page and images. Usually saying something along the lines of you've been hacked. How is this done? How can we stop it? Thanx for your help.

Question by: engineroom
    LVL 20

    Accepted Solution

    Difficult to pinpoint a specific way into your IIS, but they are numerous as IIS is known to be inherently insecure - have you run any of these tools? If not, they're worth a look:
    - IIS Lockdown Tool 2.1
    - A complete walkthrough of the IIS Lockdown Tool
    - Microsoft Baseline Security Analyzer V1.2.1

    Deb :))
    LVL 8

    Expert Comment

    Do you have a firewall? If not, I would highly recommend you get one (preferably a hardware firewall)...
    LVL 2

    Expert Comment

    Depending on how outdated your IIS is, this can be done in a few ways:
    - directory traversing attack, which means by accessing a well-crafted URL, the attacker may execute any commands on your server, thus using some editing command (e.g. type) to deface your front page will be merely child's play.
    - buffer overflow a given IIS extension (ISAPI) or IIS itself, and then gain the ability to execute arbitrary commands on your server, or even have your server send the attacker a remote command shell if your firewall allows it, and your front page will be history.
    - a writable script directory will allow an attacker to upload a script and have your server execute it.
    - poorly written user data checking mechanisms can lead to malicious code being executed without your knowledge.
    - entering via an alternative means, e.g. insecure network share, FTP, brute-forced or via exploits, and your whole system is history.
    To get the first clue, check your IIS access log. Then check the firewall log (you do keep them, don't you?).

    Stopping the hackers is also not difficult. First of all, keep your IIS up to date and apply the latest system patches. Secondly, run IIS Lockdown to properly check secured permissions. Thirdly, keep a tight access list on your firewall to permit web and web only access to your server. Fourthly, review your code on the server, properly check every user input -- Rule of Thumb: Never trust the user.

    Once you've done that, you will then have the luxury to put in additional Intrusion Detection Systems, File Integrity Monitoring programs, Access Log Analyser etc.

    For a good guide, check out NIST's Guidelines on Securing Public Web Servers
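
    The access-log check suggested in the comment above, as an added example that is not part of the original thread: a Python triage pass over an IIS W3C extended log that flags traversal sequences, shell binaries in the URL, write methods that succeeded, and oversized requests. The sample log lines, the rule names and the 255-character threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-11-14 02:10:01 192.0.2.10 GET /default.htm - 200",
    "2004-11-14 02:11:37 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe - 404",
    "2004-11-14 02:12:05 198.51.100.7 PUT /default.htm - 201",
    "2004-11-14 02:12:40 198.51.100.7 GET /app/ext.dll " + "A" * 400 + " 500",
    "2004-11-14 02:15:00 192.0.2.10 GET /images/logo.gif - 304",
])

WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
TRAVERSAL = re.compile(r"\.\.[\\/]")
SHELL_BINARY = re.compile(r"\b(cmd|command)\.(exe|com)\b", re.I)

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences are also exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text, max_len=255):
    """Return (line_number, client_ip, reasons) for each suspicious entry."""
    fields, findings = [], []
    for number, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        target = fully_decode(rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", ""))
        reasons = []
        if TRAVERSAL.search(target):
            reasons.append("traversal")
        if SHELL_BINARY.search(target):
            reasons.append("shell-binary")
        if rec.get("cs-method", "").upper() in WRITE_METHODS and rec.get("sc-status", "").startswith("2"):
            reasons.append("write-succeeded")
        if len(target) > max_len:
            reasons.append("oversized-request")
        if reasons:
            findings.append((number, rec.get("c-ip"), reasons))
    return findings
```

    A successful write to a page such as the site's front page is the entry to correlate with the firewall log first; the other flags show probing that may have preceded it.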
    LVL 3

    Author Comment

    thanx all.
