how to stop our webserver from being hacked!!

We currently have our own webserver, and about once every month or so some of our websites are being hacked and stupid pages are being put on the site. We have reset all the FTP accounts and also changed the password on the server and also added a firewall, but the pages are still being added. They seem to be added to random sites, so I don't know what to add or change to stop it from happening again.

Hedley Phillips (Owner) commented:

You need to start locking it down and ensuring that everything is configured correctly.

Have a read through:

Security Guidance for IIS

Installing and Securing IIS Servers (Part 1)

for starters and go from there.
admoortown (Author) commented:
Thanks guys, I quickly read through most of those articles and they seem pretty default apart from the "Windows-Server-2003-Hardening-List-Part1" article that recommended changing the default accounts, which we have now done and are going to keep an eye on it.

But the hacks seem pretty strange, because we store the sites on a separate drive and they are not your normal c:/domains folder. They only seem to access the wwwroot folder of the domain, because nothing else seems to be affected, and it's only about 5% of our domains that get affected and each are different each time!!

It's very frustrating!!

Hedley Phillips (Owner) commented:
Are you sitting behind a nice firewall with NAT and is it locked down tight?

Is the server fully patched and updated?

To be honest, we gave up on IIS as a web server years ago and went over to Apache. But that doesn't help your current situation :-)

In addition to the advice of other experts, you might also want to consider running a vulnerability scan on your web server to check where it is vulnerable and patch it accordingly.

Hope it helps.
admoortown (Author) commented:
The vulnerability scan sounds like a plan, and would that give us an idea on where we can tighten up the security and how they are getting into the sites?

How do we run the scan??

Just off the phone with another customer who got hacked. The customers are really understanding but it's bloody annoying! Have people nothing better to do with their time! lol
Hedley Phillips (Owner) commented:
What is the exploit that is being used against you?

Do the IIS logs show them coming from a few addresses (easy to block) or hundreds of spotty script kiddie teenagers?
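
One way to answer the log question above, as an added example that is not part of any post in this thread: it reads IIS W3C extended log text, keeps requests that used a content-changing method and succeeded, and groups them by client address. The log sample is constructed (documentation IP ranges, a reduced field list) and the function names are hypothetical.

```python
# Added example: which client addresses made successful write-type requests?
# Methods that can create or change content on the server (HTTP and WebDAV).
WRITE_METHODS = {"PUT", "POST", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample in IIS W3C extended log format, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2008-01-10 02:11:05 GET /index.htm 198.51.100.7 200
2008-01-10 02:11:09 PUT /index.htm 203.0.113.50 201
2008-01-10 02:11:12 PUT /default.asp 203.0.113.50 201
2008-01-10 02:13:40 PUT /index.htm 192.0.2.14 403
2008-01-10 02:15:02 POST /contact.asp 198.51.100.7 200
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS logs only the fields selected
        elif line and not line.startswith("#") and fields:
            values = line.split()          # IIS writes spaces in values as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def successful_writes_by_ip(text):
    """Map client IP -> list of 'METHOD uri' for write requests answered 2xx."""
    hits = {}
    for row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        if method in WRITE_METHODS and row.get("sc-status", "").startswith("2"):
            hits.setdefault(row["c-ip"], []).append(
                f"{method} {row['cs-uri-stem']}")
    return hits


if __name__ == "__main__":
    # POST entries include ordinary form submissions and need reading by eye.
    for ip, requests in successful_writes_by_ip(SAMPLE_LOG).items():
        print(ip, len(requests), requests)
```

A handful of addresses in the result points to something that can be blocked at the firewall; many addresses hitting the same URI points to a weakness in that page or in the server's write permissions.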

For a start, you might want to consider the links below:

Another way is to look for a qualified vulnerability assessment firm and ask them to assess your web server.
admoortown (Author) commented:
I found a site that had a script hidden that runs a 666.exe program that seems to be causing the problem. I deleted the files and ran a scan on the file server and it was clear, so I'm going to leave it a day and see if it happens again.

If all else fails then the company we rent the webserver from said that they can do an inspection on the server and let us know where the threats are coming from for £50, so I think it could be money well spent.
Praveen DM (Infra Team Lead) commented:
1. Router based FW
2. Internal firewall on your server (e.g. Visnetic)
3. Updated antivirus software, and the complete server scanned at least once a week.
4. Frequently blocking blacklisted IP addresses mentioned in CP forums.
5. Keeping track of sites having permissions to execute scripts and executables (especially CMD & EXE).
6. Scan even zip files uploaded by clients, as these are the main carriers for viruses.

At least 8 characters; the more characters the better.
A mixture of both uppercase and lowercase letters.
A mixture of letters and numbers.
Inclusion of at least one special character, e.g., ! @ # ? ].

Servers failing to have strong passwords are also prone to virus attack... Please make sure your server and the accounts within use only strong passwords... If you analyze a bit deeper you can see that accounts having more secured passwords on the same server could also have escaped from this hack...

These practices will secure your server....
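
A way to notice added or altered pages and stray executables in a site folder, which is what the thread describes (pages appearing in wwwroot, a hidden script running 666.exe), as an added example that is not part of any post: it hashes every file under a folder and compares the result with an earlier baseline. The function names, the extension list and the files created in `demo()` are assumptions made for the illustration.

```python
# Added example: baseline a site folder and report what changed since.
import hashlib
import os
import tempfile

# Extensions that normally have no business in a site's content folder.
EXECUTABLE_EXTS = {".exe", ".cmd", ".bat", ".com", ".scr", ".dll"}


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    state = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = digest
    return state


def compare(baseline, current):
    """Report files added, changed or removed since the baseline, plus executables."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "executables": sorted(p for p in current
                              if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS),
    }


def demo():
    """Constructed case: a site folder before and after an unwanted change."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.htm")
        with open(index, "w") as fh:
            fh.write("<h1>Welcome</h1>")
        baseline = snapshot(root)          # taken while the site is known good
        with open(index, "w") as fh:       # the page is replaced ...
            fh.write("<h1>replaced</h1>")
        with open(os.path.join(root, "666.exe"), "wb") as fh:
            fh.write(b"MZ")                # ... and an executable appears
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server's accounts cannot write to, and compare it against the live folders on a schedule; the modification times of the reported files then tell you which part of the IIS logs to read.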