Hack? Outside source placing pages on Root, IIS

Posted on 2004-11-15
Last Modified: 2013-12-04
We've had an issue where someone places/replaces pages in IIS with their own page and images, usually saying something along the lines of "you've been hacked". How is this done? How can we stop it? Thanks for your help.

Question by: engineroom
4 Comments
Accepted Solution by: Debsyl99 (LVL 20, earned 2000 total points)
ID: 12587649
Hi
Difficult to pinpoint a specific way into your IIS, but there are numerous ones, as IIS is known to be inherently insecure. Have you run any of these tools? If not, they're worth a look:
IIS Lockdown Tool 2.1
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en
A complete walkthrough of the IIS Lockdown Tool
http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm
Microsoft Baseline Security Analyzer V1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Deb :))
Expert Comment by: RevelationCS (LVL 8)
ID: 12588178
Do you have a firewall? If not, I would highly recommend you get one (preferably a hardware firewall)...
Expert Comment by: iuhh (LVL 2)
ID: 12589971
Depending on how outdated your IIS is, this can be done in a few ways:
- directory traversal attack, which means that by accessing a well-crafted URL the attacker may execute any commands on your server, thus using some editing command (e.g. type) to deface your front page will be merely child's play.
- buffer overflow of a given IIS extension (ISAPI) or IIS itself, and then gain the ability to execute arbitrary commands on your server, or even have your server send the attacker a remote command shell if your firewall allows it, and your front page will be history.
- a writable script directory will allow an attacker to upload a script and have your server execute it.
- poorly written user data checking mechanisms can lead to malicious code being executed without your knowledge.
- entering via an alternative means, e.g. an insecure network share, FTP, brute-forced or via exploits, and your whole system is history.
To get the first clue, check your IIS access log. Then check the firewall log (you do keep them, don't you?).

Stopping the hackers is also not difficult. First of all, keep your IIS up to date and apply the latest system patches. Secondly, run IIS Lockdown to properly check secured permissions. Thirdly, keep a tight access list on your firewall to permit web and web-only access to your server. Fourthly, review your code on the server and properly check every user input -- Rule of Thumb: Never trust the user.

Once you've done that, you will then have the luxury to put in additional Intrusion Detection Systems, File Integrity Monitoring programs, Access Log Analyser etc.

For a good guide, check out NIST's Guidelines on Securing Public Web Servers
at http://csrc.nist.gov/publications/nistpubs/
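iuhh's first clue is the IIS access log. The following is an added example, not code from the thread or from any of the posters: a small Python scanner over W3C extended log lines that applies the heuristics the comment describes, namely %-encoded directory traversal (decoded the way a permissive IIS would, so `%255c` and the overlong `%c0%af` both become separators), requests for cmd.exe or anything under system32, oversized requests to ISAPI extensions, and write methods that returned success against a script directory. The log lines, IP addresses, paths and the 200-character length threshold are all constructed for illustration.

```python
import urllib.parse
from dataclasses import dataclass

# Constructed IIS W3C extended log lines (not from the original thread).
# 198.51.100.7 and 203.0.113.5 play the attackers; 192.0.2.10 is a normal visitor.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-11-14 03:12:07 192.0.2.10 GET /index.htm - 200",
    "2004-11-14 03:12:09 198.51.100.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2004-11-14 03:12:11 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe "
    "/c+type+c:\\inetpub\\wwwroot\\default.htm 200",
    "2004-11-14 03:12:15 198.51.100.7 GET /default.ida " + "N" * 240 + "%u9090 200",
    "2004-11-14 03:12:20 203.0.113.5 PUT /scripts/defaced.asp - 201",
    "2004-11-14 03:12:25 192.0.2.10 GET /images/logo.gif - 304",
])

# Overlong UTF-8 sequences that old IIS builds decoded to path separators.
OVERLONG_UTF8 = {"%c0%af": "/", "%c1%9c": "\\"}
SYSTEM_EXECUTABLES = ("cmd.exe", "tftp.exe")
ISAPI_EXTENSIONS = (".ida", ".idq", ".printer", ".htr")
WRITE_METHODS = {"PUT", "COPY", "MOVE", "DELETE"}
LONG_REQUEST = 200  # assumed threshold; tune it for your own site


@dataclass
class Finding:
    line_no: int
    client: str
    reason: str
    request: str


def normalise_path(stem: str) -> str:
    """Decode a request path the way a permissive IIS would have: overlong UTF-8
    first, then repeated %-decoding (so %255c -> %5c -> backslash), then
    backslashes folded to slashes. Case is lowered so comparisons are simple."""
    s = stem.lower()
    for raw, sep in OVERLONG_UTF8.items():
        s = s.replace(raw, sep)
    previous, rounds = None, 0
    while s != previous and rounds < 3:
        previous, s = s, urllib.parse.unquote(s)
        rounds += 1
    return s.replace("\\", "/")


def classify(rec: dict) -> list:
    """Return the list of reasons one parsed log record looks hostile (empty if none)."""
    raw_stem = rec.get("cs-uri-stem", "")
    stem = normalise_path(raw_stem)
    query = rec.get("cs-uri-query", "-")
    method = rec.get("cs-method", "").upper()
    status = rec.get("sc-status", "")
    reasons = []
    if "/../" in stem or stem.startswith("../"):
        hidden = "/../" not in raw_stem.replace("\\", "/")
        reasons.append("directory traversal" + (" hidden by %-encoding" if hidden else ""))
    if stem.endswith(SYSTEM_EXECUTABLES) or "/system32/" in stem:
        reasons.append("request for system executable " + stem.rsplit("/", 1)[-1])
    if stem.endswith(ISAPI_EXTENSIONS) and max(len(query), len(raw_stem)) > LONG_REQUEST:
        reasons.append("oversized request to ISAPI extension (possible buffer overflow)")
    if method in WRITE_METHODS and status.startswith("2"):
        reasons.append(f"{method} succeeded: web directory is writable")
    return reasons


def scan_log(text: str) -> list:
    """Parse W3C extended log text using its own #Fields header and classify each record."""
    fields, findings = None, []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; in production, report it rather than drop it
        rec = dict(zip(fields, parts))
        for reason in classify(rec):
            findings.append(Finding(line_no, rec["c-ip"], reason, rec["cs-uri-stem"]))
    return findings


def count_by_client(findings) -> dict:
    """How many hits each client address produced, the first thing to take to the firewall log."""
    counts = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.client}: {f.reason} ({f.request[:60]})")
    print(count_by_client(scan_log(SAMPLE_LOG)))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the #Fields header is read from the log itself, so a different field order in your IIS configuration is handled. A 200 status on a cmd.exe request, as in the constructed lines, means the command actually ran, which is the strongest signal in the list.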
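iuhh closes with File Integrity Monitoring as the next layer once patching and lockdown are done. As an added example, not from the thread or any of the posters, here is the core of such a monitor in Python: a SHA-256 baseline of every file under the web root and a comparison that reports what was added, removed or replaced. The web root layout, file contents and the simulated defacement in demo() are constructed for illustration.

```python
import hashlib
import os
import pathlib
import tempfile


def hash_file(path: pathlib.Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = pathlib.Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes two baselines directly comparable
        for name in sorted(filenames):
            path = pathlib.Path(dirpath) / name
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a throwaway web root, baseline it, simulate a defacement, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp) / "wwwroot"
        (root / "images").mkdir(parents=True)
        (root / "scripts").mkdir()
        (root / "default.htm").write_text("<html><body>Welcome</body></html>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a-logo")
        baseline = build_baseline(root)

        # Simulated defacement (constructed): front page replaced,
        # attacker's image dropped in, original logo deleted.
        (root / "default.htm").write_text("<html><body>You have been hacked</body></html>")
        (root / "images" / "owned.gif").write_bytes(b"GIF89a-owned")
        (root / "images" / "logo.gif").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) if paths else '-'}")
```

In use, take the baseline right after a known-good deploy, keep it off the web server (or at least on read-only media), and run the comparison on a schedule; anyone who can overwrite default.htm can also overwrite a baseline stored beside it. Every non-empty result is an alert, because content on a production web root should only change through your own deployment process.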
Author Comment by: engineroom (LVL 3)
ID: 12650646
Thanks all.