aplimedia (Spain) asked:

Virtual Private server Hacked...Please advise.

Hi all,

We are hosting on a Virtual Private Server running Windows Server 2003 Enterprise Edition, Service Pack 1.

We have been hacked 3 times in the last week. There are about 60 sites on this server, mostly ASP. Each hacker was different: one Brazilian, one Chinese and the last Turkish. Each time they inserted an index.htm page which all read similarly about how great they were and that they owned us. Some sites also had a file called 'index.asp' which has nearly 3000 lines of script. When loaded, the page displays the content of the root folder and several browse buttons which allowed for upload.

I tried to download this file by FTP, but my local machine, running Norton, simply deleted it without even asking and notified me that it was a Hacktool.

We have now changed all the usernames and passwords, but what should we be doing?

How can I check the vulnerability of the web server so that we can show the hosting company?

Any practical advice appreciated.

Kind Regards

A.
jhance:
aplimedia (asker):
Is there any way of checking... my server host is telling me one thing, I suspect another...

It's not a private server as such, as it shares a hard drive. It's a Virtual Private Server running Virtuozzo.

Kind Regards

A.
jhance:

I'm unclear on your terminology. A "private" server, actual or virtual, is still private. If the HOST hardware is being attacked, that would be your provider's fault. If YOUR server is being attacked, that is your problem...

If your hosting provider's host server was being attacked, you would have no way of knowing about it since it's totally isolated from your virtual server.

What exactly is your server host telling you?

What do you suspect?

Download and run MBSA from http://www.microsoft.com/technet/security/tools/mbsahome.mspx to see what patches you might be missing.
> There are about 60 sites on this server, mostly asp.
Do you mean that you run 60 domains/virtual domains on your private virtual host?
Or do you mean that your private virtual host is one beside 60 others on the same hardware?

I run 60 sites on my virtual private server.

A.

Then you have to check *all* applications (ASP, PHP, Perl, whatever) on *all* your 60 sites to see if they are vulnerable to code execution.
I guess that all your sites run in the same web server instance and hence have the same permissions on the file system. Then each application in each site is able to write to the other sites.

Hello,

Check not only for code execution in server-side scripts (.jsp, .php, .asp, ...), but also for SQL injection, LDAP injection, ... which can cause the same impact, compromise users/passwords, and sometimes execute operating system commands (in the case of SQL injection interacting with the database).

Making these checks manually is time consuming and requires some knowledge, so I reinforce my suggestion of a Web Application Firewall, as I mentioned in my last post.

ps: Monitoring logs is very useful too.

Hope this helps,

Cheers

Good point zgrp, I rarely see people being aware of doing input data validation on *all* sources, which include the backend and not only what the user provides with the request.
I didn't mention these checks in my post 'cause I guess that checking *all* applications just for vulnerabilities caused by input from the browser is a hard job.

BTW, a WAF (Web Application Firewall) does not check what comes from the backend, usually ...

> ps: Monitor logs is very useful too.
but be prepared for second-order code injection

Hmm, you see that web application security has a lot of dragons to beat.

> *all* sources which include the backend and not only what the user provides with the request.

Can you provide an example... please

A.

Assuming you have a search script which accepts a text parameter to be searched from the browser, then passes that parameter in a SQL query to the backend and displays the result, then you have to validate the data coming from the backend before you send it to the browser.
In short, you have 2 kinds of data validation here:
  1. validate the parameter from the browser against SQL injection *before* sending it to the database
  2. validate the data returned from the backend against XSS (and some more) before sending it to the browser

This is a simple example; depending on your applications it can be much more complicated.

Hello Ahoffmann,


> BTW, WAF (Web Application Firewall) do not check what comes from the backend, usually ...

You can create some rules in mod_security based on backend replies, for example an "ORA-01756: quoted string not properly terminated". ;)

Hope this helps,

Cheers,

zgrp, what you do in mod_security with the output filter affects only what is finally sent as the response to the client.
It does not filter/check/validate any data coming from the backend to the application (CGI or whatever).
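
The search-script example above (validate the browser parameter before the database, validate the backend's data before the browser) and the mod_security point about spotting database errors in the final response can be shown together in a few lines. What follows is an added illustration, not code from any poster in this thread or from the asker's ASP sites; it is written in Python with an in-memory SQLite table standing in for the backend, and the table contents, search parameter rules and error-message patterns are all constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample backend: an in-memory SQLite table standing in for the
# sites' database (assumption; the thread names no schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [
            ("widget", "A plain widget"),
            # Constructed row whose description already carries markup: this is
            # the "data from the backend" that must be validated before it is
            # sent to the browser, whoever put it there.
            ("gadget", "<script>alert('stored')</script> deluxe gadget"),
        ],
    )
    return conn

# Stage 1 (point 1 in the thread): data from the browser, before it reaches
# the database. Two layers: a whitelist on the search term itself, and a
# parameterized query so the term can never change the SQL structure.
TERM_RE = re.compile(r"^[A-Za-z0-9 ]{1,40}$")

def search(conn, term):
    if not TERM_RE.fullmatch(term):
        # Reject rather than "clean" the input; the caller shows a generic error.
        raise ValueError("search term contains unexpected characters")
    sql = "SELECT name, description FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def search_unsafe(conn, term):
    # The pattern the thread warns about, kept only for comparison: the
    # browser parameter is spliced into the SQL text.
    sql = "SELECT name, description FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

# Stage 2 (point 2 in the thread): data from the backend, before it reaches
# the browser. Every field is HTML-escaped on output, whatever its origin.
def render_results(rows):
    items = "".join(
        "<li>%s: %s</li>" % (html.escape(name), html.escape(desc))
        for name, desc in rows
    )
    return "<ul>%s</ul>" % items

# Response-side monitoring, in the spirit of the mod_security rule zgrp
# describes: flag a final response that carries a raw database error, a sign
# the application passed backend output straight through to the client.
# The patterns are constructed examples of common error prefixes.
DB_ERROR_RE = re.compile(r"ORA-\d{5}|SQLSTATE\[|You have an error in your SQL syntax")

def leaks_db_error(response_body):
    return DB_ERROR_RE.search(response_body) is not None

if __name__ == "__main__":
    conn = build_db()
    print(render_results(search(conn, "gadget")))
    print(len(search_unsafe(conn, "' OR '1'='1")), "rows from the unsafe query")
    print(leaks_db_error("ORA-01756: quoted string not properly terminated"))
```

Run stand-alone, the script shows the stored markup arriving at the browser as escaped text, the concatenated query returning every row for a term that the whitelisted, parameterized version refuses, and the response check firing on the Oracle error string. As ahoffmann notes, the last check only sees what is finally sent to the client; it is a monitoring aid, not a substitute for the two validation stages.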

Ah ok, I got what you mean: you are speaking about monitoring the response from the database to the web server, and not the forwarding of the web-server (web app) error to the web client...

Sorry for the misunderstanding,

Cheers