Hack? Outside source placing pages on Root, IIS

We've had an issue where someone places/replaces pages in IIS with their own page and images, usually saying something along the lines of "you've been hacked". How is this done? How can we stop it? Thanks for your help.

Debsyl99Commented:
Hi
Difficult to pinpoint a specific way into your IIS, but there are numerous ones, as IIS is known to be inherently insecure. Have you run any of these tools? If not, they're worth a look:
IIS Lockdown Tool 2.1
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en
A complete walkthrough of the IIS Lockdown Tool
http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm
Microsoft Baseline Security Analyzer V1.2.1
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Deb :))
RevelationCSCommented:
Do you have a firewall? If not, I would highly recommend you get one (preferably a hardware firewall)...
iuhhCommented:
Depending on how outdated your IIS is, this can be done in a few ways:
- a directory traversal attack, which means that by accessing a well-crafted URL the attacker may execute any command on your server, so using some editing command (e.g. type) to deface your front page is merely child's play.
- a buffer overflow in a given IIS extension (ISAPI) or in IIS itself, after which the attacker gains the ability to execute arbitrary commands on your server, or even has your server send the attacker a remote command shell if your firewall allows it, and your front page will be history.
- a writable script directory, which will allow an attacker to upload a script and have your server execute it.
- poorly written user data checking mechanisms, which can lead to malicious code being executed without your knowledge.
- entering via an alternative means, e.g. an insecure network share or FTP, brute-forced or via exploits, and your whole system is history.
To get the first clue, check your IIS access log. Then check the firewall log (you do keep them, don't you?).

Stopping the hackers is also not difficult. First of all, keep your IIS up to date and apply the latest system patches. Secondly, run IIS Lockdown to properly check secured permissions. Thirdly, keep a tight access list on your firewall to permit web and web-only access to your server. Fourthly, review your code on the server and properly check every user input -- rule of thumb: never trust the user.

Once you've done that, you will then have the luxury to put in additional Intrusion Detection Systems, File Integrity Monitoring programs, Access Log Analysers etc.

For a good guide, check out NIST's Guidelines on Securing Public Web Servers
at http://csrc.nist.gov/publications/nistpubs/
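The File Integrity Monitoring step mentioned above is what would have caught the replaced front page. The following added example (not code from the thread or from any of the tools linked in it) snapshots a web root with SHA-256, stores a JSON baseline, and reports added, removed and modified files on later runs; the web root layout, file names and the `simulate_defacement` scenario are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(web_root):
    """Map every file under web_root (relative, '/'-separated) to its SHA-256."""
    root = Path(web_root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Classify differences between two snapshots: added, removed, modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def check_web_root(web_root, baseline_path):
    """Compare web_root with the JSON baseline at baseline_path (created on first run).
    Keep the baseline off the web server (read-only media or another host): an attacker
    who can rewrite pages may be able to rewrite a baseline stored beside them."""
    baseline_file = Path(baseline_path)
    current = snapshot(web_root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        return None
    return compare(json.loads(baseline_file.read_text()), current)

def simulate_defacement():
    """Constructed scenario: baseline a small web root, then replace default.htm and drop a new page."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp, "wwwroot")
        (web_root / "images").mkdir(parents=True)
        (web_root / "default.htm").write_text("<html>Welcome</html>")
        (web_root / "images" / "logo.gif").write_bytes(b"GIF89a-constructed")
        baseline = Path(tmp, "baseline.json")  # in production: not under the web root
        check_web_root(web_root, baseline)       # first run creates the baseline
        (web_root / "default.htm").write_text("<html>You've been hacked</html>")
        (web_root / "hacked.htm").write_text("<html>defaced</html>")
        return check_web_root(web_root, baseline)

if __name__ == "__main__":
    print(json.dumps(simulate_defacement(), indent=2))
```

Run it from a scheduled task against the real web root and alert on any non-empty list; legitimate deployments are handled by regenerating the baseline after each approved change.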
engineroomAuthor Commented:
Thanks all.