• Status: Solved
  • Priority: Medium
  • Security: Public

Virtual Private Server Hacked... Please advise.

Hi all,

We are hosting on a Virtual Private Server running Windows Server 2003 Enterprise Edition, Service Pack 1.

We have been hacked 3 times in the last week... There are about 60 sites on this server, mostly ASP. Each hacker was different: one Brazilian, one Chinese and the last was Turkish. Each time they inserted an index.htm page which all read similarly about how great they were and that they owned us. Some sites also had a file called 'index.asp' which has nearly 3000 lines of script. When loaded, the page displays the content of the root folder and several browse buttons which allowed for upload.

I tried to ftp download this file, but my local machine running Norton, simply deleted it without even asking and notified me that it was a Hacktool.

We have now changed all the usernames and passwords, but what should we be doing?

How can I check the vulnerability of the web server so that we can show the hosting company...

Any practical advice appreciated.

Kind Regards

A.
2 Solutions
 
jhance commented:
I would say that if this is really a "private" server that your hosting company will say it's your problem, not theirs.  That's the difference between a private and a managed server.  

You need to take responsibility for this server's security yourself or stop running a private server and use a managed server where the experts at the hosting provider will take care of this for you.

BTW, it sounds like you have a misconfigured or unpatched IIS installation that is vulnerable to one or more "script kiddie" tools.  I suggest you employ a layered security approach as most sites do:

1) Be sure you have a hardware firewall in place between your server and the internet.  Most hosting providers now offer this.  You can ensure that ONLY permitted traffic and services reach your server.

2) Employ Windows 2003 Server's excellent IPSEC policy/filters to further protect your server from threats that might make it past the hardware firewall or might originate from inside the hosting provider's network (like from another compromised server).

3) Make sure you have DISABLED any and all unnecessary services and ports.  This reduces the possibility of an attacker getting in.

4) Be sure your Windows and all other applications on the server are patched and up to date and you are using STRONG passwords.

5) Get HELP if you don't know what to do here...
0
 
aplimedia (Author) commented:
Is there any way of checking... my server host is telling me one thing, I suspect another...

It's not a private server as such, as it shares a hard drive. It's a Virtual Private Server running Virtuozzo.

kind Regards

A.
0
 
jhance commented:
I'm unclear on your terminology.  A "private" server, actual or virtual, is still private.  If the HOST hardware is being attacked, that would be your provider's fault.  If YOUR server is being attacked, that is your problem...

If your hosting provider's host server was being attacked, you would have no way of knowing about it since it's totally isolated from your virtual server.

What exactly is your server host telling you?

What do you suspect?
0
 
r-k commented:
Download and run MBSA from http://www.microsoft.com/technet/security/tools/mbsahome.mspx to see what patches you might be missing.
0
 
zgrp commented:
Hello,

To be sincere, you shouldn't trust this server or the connected machines in this LAN anymore.

The correct thing to do would be to format it and reinstall everything.

Another useful thing is to make a forensic analysis of your system, which requires advanced knowledge and experience; it's hard to do in the proper way, and the more you use your disk the more evidence you destroy... :(

Anyway, if you are interested in forensic analysis, I can point you to these two Brazilian companies whose work I know:

Security OpenSource (http://www.security.org.br/) the Intruders division in specific (http://www.intruders.com.br/).

IPDI (http://www.ipdi.com.br).

- Anyway, you can, for example, run HijackThis to see if there are anomalous entries (backdoors, trojans, etc.).

http://216.180.233.162/~merijn/files/HijackThis.exe

- Another good thing would be to install a very good antivirus like AVP Kaspersky (http://www.kaspersky.com/personalpro) and search for malicious files that crackers could have installed on your machine.

General things you must enforce to prevent hacking:

- Use a strong password policy, which makes brute force (guessable passwords) difficult. Windows provides resources to help in this field. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

- You should ensure that only your valid and necessary users have write permission to your FTPd, SCPd, ...; attackers can use this to upload .asp, .jsp, .php files that execute external commands, run port scans, connect to the database.

- Even more interesting (not to say essential) is to harden your server-side scripting language (.asp, .php, etc.) to remove unnecessary functions that can be used to do evil things like: execute OS commands, connect to hosts that are not allowed, open files outside the user dir, etc.

- You should download, install and run Microsoft Baseline Security Analyzer (MBSA), which is software developed by Microsoft that analyzes your server, says what open holes it has and points out how to fix them. http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

- You must also be conscious that all this can be useless if your applications using server-side scripting languages (.asp, .php, .jsp) are badly programmed and allow SQL injections and such. To prevent this, the appropriate thing would be to have a team that analyzes the code for security problems before putting it in production.

Anyway, you can use a Web Application Firewall to prevent this. A free example is the Apache mod_security module: http://www.modsecurity.org/

- Filter unused ports and define a firewall policy for your network.

- I also advise you to run a very good firewall that controls file modifications, attempts to open ports, creation of new processes, etc.

PS: My tip is that your server got attacked via a web flaw, in the web server itself, something like a SQL injection, or a bad password policy that allowed attackers to upload evil files.

Hope this helps,

Cheers.
0
 
ahoffmann commented:
> There are about 60 sites on this server, mostly asp.
do you mean that you run 60 domains/virtual domains on your private virtual host?
or do you mean that your private virtual host is one beside 60 others on the same hardware?
0
 
aplimedia (Author) commented:
I run 60 sites on my virtual private server.

A.
0
 
ahoffmann commented:
Then you have to check *all* applications (asp, php, perl, whatever) on *all* your 60 sites to see whether they are vulnerable to code execution.
I guess that all your sites run in the same web server instance and hence have the same permissions on the file system. Then each application in each site is able to write to the other sites.
0
 
zgrp commented:
Hello,

Don't check only for code execution in server-side scripts (.jsp, .php, .asp, ...), but also check for SQL injections, LDAP injections, ... that can cause the same impact, compromise users/passwords, and sometimes execute operating system commands (in the case of SQL injections interacting with the database).

Making these checks manually is time consuming and requires some knowledge; I reinforce my suggestion of a Web Application Firewall, as I said in my last post.

PS: Monitoring logs is very useful too.

Hope this helps,

Cheers
0
 
ahoffmann commented:
Good point zgrp, I rarely see people being aware that they need to do input data validation on *all* sources, which include the backend and not only what the user provides with the request.
I didn't mention these checks in my post 'cause I guess that checking *all* applications just for vulnerabilities caused by input from the browser is a hard job.

BTW, a WAF (Web Application Firewall) does not check what comes from the backend, usually ...

> PS: Monitoring logs is very useful too.
But be prepared for second order code injection.

hmm, you see that web application security has a lot of dragons to beat.
0
 
aplimedia (Author) commented:
>*all* sources which include the backend and not only what the user provides with the request.

Can you provide an example... please


a.
0
 
ahoffmann commented:
Assuming you have a search script which accepts a text parameter to be searched from the browser, then passes that parameter in a SQL query to the backend and displays the result, then you have to validate the data coming from the backend before you send it to the browser.
In short you have two kinds of data validation here:
  1. validate the parameter from the browser against SQL injection *before* sending it to the database
  2. validate the data returned from the backend against XSS (and some more) before sending it to the browser

This is a simple example, depending on your applications it can be much more complicated.
0
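As an added example (my own Python, not code from this thread; Python stands in for the asker's ASP so that it runs stand-alone), the search script ahoffmann describes written twice: once with the browser parameter spliced into the SQL and the backend rows echoed raw, once with both validation steps applied. The products table and its rows are constructed sample data; the unsafe variant also echoes the raw database error to the client, the kind of leak zgrp's mod_security rule watches for.

```python
import html
import sqlite3

# Constructed sample table; one description already carries a script tag that
# an earlier attacker managed to store in the backend.
SAMPLE_ROWS = [
    ("Widget", "A plain widget"),
    ("Gadget", "<script>document.location='http://evil.example/'</script>"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, descr TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, term):
    """Browser parameter concatenated into SQL; rows and DB errors echoed raw."""
    sql = "SELECT name, descr FROM products WHERE name LIKE '%" + term + "%'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:  # leaks the backend error text to the client
        return "<p>DB error: %s</p>" % exc
    return "".join("<li>%s: %s</li>" % (n, d) for n, d in rows)


def search_safe(conn, term):
    """1. validate/parameterise the browser input; 2. escape backend data on output."""
    if len(term) > 64:  # step 1: reject input outside what a search needs
        return "<p>Search term too long.</p>"
    rows = conn.execute(
        "SELECT name, descr FROM products WHERE name LIKE ?", ("%" + term + "%",)
    ).fetchall()  # step 1: bound parameter, never part of the SQL text
    # step 2: the stored description is untrusted too; escape it before the browser sees it
    return "".join(
        "<li>%s: %s</li>" % (html.escape(n), html.escape(d)) for n, d in rows
    )


if __name__ == "__main__":
    db = make_db()
    print(search_unsafe(db, "xyz' OR 1=1 --"))  # every row: the WHERE clause was bypassed
    print(search_safe(db, "xyz' OR 1=1 --"))    # empty: the quote is just data
    print(search_unsafe(db, "Gadget"))          # raw <script> reaches the browser
    print(search_safe(db, "Gadget"))            # &lt;script&gt; renders as text
```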
 
zgrp commented:
Hello Ahoffmann,

> BTW, a WAF (Web Application Firewall) does not check what comes from the backend, usually ...

You can create some rules in mod_security based on backend replies, like for example an "ORA-01756: quoted string not properly terminated". ;)

Hope this help,

Cheers,
0
 
ahoffmann commented:
zgrp, what you do in mod_security with the output filter affects only what is finally sent as the response to the client.
It does not filter/check/validate any data coming from the backend to the application (CGI or whatever).
0
 
zgrp commented:
Ah ok, got what you said: you are speaking about monitoring the response from the database to the web server, and not the forwarding of the web-server (web app) error to the web client...

Sorry for the misunderstanding,

Cheers
0
