morten444
asked on
Hacking IIS log files
Hi
We have an ASP/SQL website that has some issues with SQL injection, which we are getting fixed.
However, today when we checked our website, someone had somehow uploaded some files like index.aspx, index.html until they got a page that was higher in the IIS start file order than default.asp, and therefore they changed the front page.
I am not sure how they have done this.
One of the files they have put on our server is "amotudoisso.htm".
I have studied the log file from today and that file appears only once, so I assume that is when it happened. I have checked for all entries from the same IP and extracted them.
Can anyone have a look at these lines and try to tell me if this is where it has taken place, and maybe give a guess at what has happened?
I don't know where to start.
Thanks
2009-04-11 01:37:24 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 01:37:26 211.52.78.2 - 172.18.0.10 80 GET /amotudoisso.htm - 200 core-project/1.0
2009-04-11 17:33:32 211.52.78.2 - 172.18.0.10 80 HEAD /Default.asp - 200 -
2009-04-11 17:33:34 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 17:33:35 211.52.78.2 - 172.18.0.10 80 GET /Default.asp - 200 core-project/1.0
2009-04-11 17:33:38 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 17:33:39 211.52.78.2 - 172.18.0.10 80 GET /Default.asp - 200 core-project/1.0
2009-04-11 17:33:42 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 17:33:43 211.52.78.2 - 172.18.0.10 80 GET /Default.asp - 200 core-project/1.0
2009-04-11 17:33:45 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 17:33:48 211.52.78.2 - 172.18.0.10 80 GET /Default.asp - 200 core-project/1.0
2009-04-11 17:33:50 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 17:33:52 211.52.78.2 - 172.18.0.10 80 GET /Default.htm - 200 core-project/1.0
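A defender-side way to pull this pattern out of a W3C-format IIS log, as an added example that is not part of the original thread: each successful POST to author.dll is paired with the next GET from the same client IP, because the FrontPage authoring client re-reads the page it has just written, so that GET names the file that was created or replaced. The sample lines are constructed, modelled on the posted log, and the field order assumed is the one the posted lines use.

```python
import re

# Constructed sample in the W3C field order of the lines posted above:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2009-04-11 01:37:24 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 01:37:26 211.52.78.2 - 172.18.0.10 80 GET /amotudoisso.htm - 200 core-project/1.0
2009-04-11 09:15:01 10.0.0.7 - 172.18.0.10 80 GET /Default.asp - 200 Mozilla/4.0
2009-04-11 17:33:50 211.52.78.2 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 200 core-project/1.0
2009-04-11 17:33:52 211.52.78.2 - 172.18.0.10 80 GET /Default.htm - 200 core-project/1.0
2009-04-11 17:40:00 10.0.0.7 - 172.18.0.10 80 POST /_vti_bin/_vti_aut/author.dll - 401 -
"""

FIELDS = ["date", "time", "c_ip", "user", "s_ip", "port",
          "method", "uri", "query", "status", "agent"]
# IIS exposes author.dll; the quoted article notes other servers use author.exe.
AUTHOR_BIN = re.compile(r"/_vti_bin/_vti_aut/author\.(dll|exe)$", re.IGNORECASE)

def parse(text):
    """W3C extended log lines -> dicts; '#' header lines and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def _secs(t):
    h, m, s = (int(x) for x in t.split(":"))
    return h * 3600 + m * 60 + s

def authoring_writes(rows, window=30):
    """Pair each 200 POST to author.dll with the next GET from the same IP within
    `window` seconds: the authoring client re-reads the page it just wrote, so
    that GET's path is the file that was created or replaced. Denied POSTs
    (e.g. 401) are not counted as writes."""
    hits = []
    for i, r in enumerate(rows):
        if r["method"] != "POST" or r["status"] != "200" or not AUTHOR_BIN.search(r["uri"]):
            continue
        for nxt in rows[i + 1:]:
            if nxt["c_ip"] != r["c_ip"] or nxt["date"] != r["date"]:
                continue
            if _secs(nxt["time"]) - _secs(r["time"]) > window:
                break
            if nxt["method"] == "GET":
                hits.append((r["c_ip"], r["date"] + " " + r["time"], nxt["uri"]))
                break
    return hits
```

Run `authoring_writes(parse(open(path).read()))` over a real log and every tuple is one file the FrontPage extensions let that IP write; on the posted log that is amotudoisso.htm first, then Default.htm.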
ASKER
Hi cs97jjm3
Thanks for the article. That was very, very interesting (and scary).
Can I ask you 2 questions:
1. Can I just delete all the FrontPage directories in a domain that uses FrontPage?
Will that prevent users from exploiting it?
2. I read the article and tried to download Netcat to test, but could not find it on the net.
In the text below it states:
"First, Explorer sends the remote server an OPTIONS / HTTP/1.1"
What does that mean? How can I send that? Is it just to type it in the address bar after the ftp://domainname.com/OPTION/HTTP/1.1 ?
I am just trying to understand how this info is sent towards my domain (POST, GET etc.).
Hope you can take some time to answer this.
Thanks again
Regards, Morten
JUST FOR REFERENCE FROM THE ARTICLE:
First, Explorer sends the remote server an OPTIONS / HTTP/1.1 (I suppose to
figure out if it can post). At this point it is sending a User-Agent of
"Microsoft Data Access Internet Publishing Provider Cache Manager", although in
later requests it sends a User-Agent of "MSFrontPage/4.0." So far I have seen
few servers that disallow the POST method so this usually succeeds (which makes
me wonder why they even do it).
Then it sends GET /_vti_inf.html HTTP/1.1. This is the basic configuration file
for the FrontPage extensions. This tells Explorer that the FrontPage server
extensions are installed and it looks for the line
FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll". On IIS it will be author.dll
and on all others it will be author.exe. Of course, if the file isn't there, we
get a 404 and we know this server doesn't have FrontPage support.
After it knows the location of the authoring binaries, it sends POST
/_vti_bin/shtml.dll/_vti_rpc HTTP/1.1. Shtml.dll is the browse binary and is
available to everyone. The post data is:
method=server+version%3a4%2e0%2e2%2e2611, to which the server responds something
like this:
<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=server version:3.0.2.1706
<p>server version=
<ul>
<li>major ver=3
<li>minor ver=0
<li>phase ver=2
<li>ver incr=1706
</ul>
<p>source control=0
</body>
</html>
Point one: sorry, you cannot delete it if using that method. Point two: sorry, I am not aware of how to do that.
ASKER
Hi
Thanks for the feedback.
I am happy with the content of the article. Seems like I can just delete it as we are not using FrontPage anymore on the server.
Regarding the how-to?
Will look into the big books again and see if I can find out.
Thanks for your help
Regards
Morten
ASKER
Thanks for your help. Difficult to understand, but the main thing is that we have managed to close the security hole using that article.
Kind Regards
Morten
Also, how much have you opened up IIS? FTP is very dangerous.