How to stop our webserver from being hacked!!

We currently have our own webserver and about once every month or so some of our websites are being hacked and stupid pages are being put on the site. We have reset all the FTP accounts and also changed the password on the server and also added a firewall, but the pages are still being added. They seem to be added to random sites, so I don't know what to add or change to stop it from happening again.
Hedley Phillips (Owner) Commented:
What is the exploit that is being used against you?

Do the IIS logs show them coming from a few addresses (easy to block) or hundreds of spotty script kiddie teenagers?
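
One way to answer the question above about whether the IIS logs show a few addresses or many, as an added example that is not part of the original thread: it reads IIS W3C extended log lines and groups successful write-type requests by client IP. The sample log lines, the method list and the function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2009-03-01 10:00:01 GET /index.htm 198.51.100.7 200
2009-03-01 10:00:05 PUT /hacked.htm 203.0.113.9 201
2009-03-01 10:00:09 POST /upload.asp 203.0.113.9 200
2009-03-01 10:01:12 GET /images/logo.gif 198.51.100.8 200
2009-03-01 10:02:30 PUT /index.htm 203.0.113.9 201
2009-03-01 10:03:00 PUT /x.htm 192.0.2.44 403
"""

# Assumption: methods that can change content. POST is noisy on sites with
# forms, so pass a narrower set if needed.
WRITE_METHODS = {"PUT", "POST", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def successful_writes_by_ip(lines, methods=WRITE_METHODS):
    """Map client IP -> [(method, path)] for write requests answered 2xx."""
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        method = row.get("cs-method", "").upper()
        if method in methods and row.get("sc-status", "").startswith("2"):
            hits[row.get("c-ip", "-")].append((method, row.get("cs-uri-stem", "-")))
    return dict(hits)


def top_sources(lines, n=10):
    """Rank client IPs by number of successful write requests."""
    writes = successful_writes_by_ip(lines)
    return Counter({ip: len(v) for ip, v in writes.items()}).most_common(n)


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_LOG.splitlines()):
        print(ip, count)
```

The fields it reads (cs-method, cs-uri-stem, c-ip, sc-status) have to be enabled in the site's logging settings for the rows to carry them.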
Hedley Phillips (Owner) Commented:

You need to start locking it down and ensuring that everything is configured correctly:

Have a read through:

Security Guidance for IIS

Installing and Securing IIS Servers (Part 1)

for starters and go from there.
admoortown (Author) Commented:
Thanks guys, I quickly read through most of those articles and they seem pretty default apart from the "Windows-Server-2003-Hardening-List-Part1" article that recommended changing the default accounts, which we have now done and are going to keep an eye on it.

But the hacks seem pretty strange because we store the sites on a separate drive and are not your normal c:/domains folder. They only seem to access the wwwroot folder of the domain, because nothing else seems to be affected, and it's only about 5% of our domains that get affected and each are different each time!!

It's very frustrating!!
Hedley Phillips (Owner) Commented:
Are you sitting behind a nice firewall with NAT and is it locked down tight?

Is the server fully patched and updated?

To be honest, we gave up on IIS as a web server years ago and went over to Apache. But that doesn't help your current situation :-)

In addition to the advice of other experts, you might also want to consider running a vulnerability scan on your web server to check where it is vulnerable and patch it accordingly.

Hope it helps.
admoortown (Author) Commented:
The vulnerability scan sounds like a plan, and would that give us an idea of where we can tighten up the security and how they are getting into the sites?

How do we run the scan??

Just off the phone with another customer who got hacked - the customers are really understanding but it's bloody annoying! Have people nothing better to do with their time! lol
oks1977 Commented:
For a start, you might want to consider the links below:

Another way is to look for a qualified vulnerability assessment firm and ask them to assess your web server.
admoortown (Author) Commented:
I found a site that had a script hidden that runs a 666.exe program that seems to be causing the problem. I deleted the files and ran a scan on the file server and it was clear, so I'm going to leave it a day and see if it happens again.

If all else fails then the company we rent the webserver from said that they can do an inspection on the server and let us know where the threats are coming from for £50, so I think it could be money well spent.
Praveen DM (Infra Team Lead) Commented:
1. Router-based firewall
2. Internal firewall in your server (e.g. Visnetic)
3. Updated antivirus software and complete server scanned at least once a week.
4. Frequently blocking blacklisted IP addresses mentioned in CP forums.
5. Keeping track of sites having permissions to execute scripts and executables (especially CMD & EXE)
6. Scan even zip files uploaded by clients as these are the main carriers for viruses.

At least 8 characters; the more characters the better.
A mixture of both uppercase and lowercase letters.
A mixture of letters and numbers.
Inclusion of at least one special character, e.g., ! @ # ? ].

Servers failing to have strong passwords are also prone to virus attack... Please make sure your server and the accounts within use only strong passwords... If you analyze a bit deeper you can see that accounts having more secured passwords in the same server also could have escaped from this hack...

These practices will secure your server....
Question has a verified solution.
