Website not accessible on internal network after hacker attack!

Last Modified: 2013-11-30
My company has a secondary website that is hosted on a commercial web host completely separate to our SBS2008 network.  This is for the use of contractors etc.

On Friday we had a hacking attack on it and they managed to load files on to the web server so that their pages loaded instead of ours.  We have resolved the issue with the host and the site is working and accessible outside of our network but not accessible internally.  When we access internally we just get the progress bar for ages then a timeout.

All I can think is that either SBS or the Cisco box has automatically black listed the site but I am not aware that this is the case.

I have tried connecting to the IP directly but that does not work?

Commented:
Have you checked the DNS records for the domain on your SBS machine? Perhaps they've been altered somehow.

If you ping the domain internally, does it return the correct IP address?

Author

Commented:
It resolves the domain to the correct IP but the ping request times out.

Author

Commented:
Telnet cannot open a connection to the webserver either.

Try a trace route to the domain and see where it times out.  That will let you know if it's on your end, your host's end, or somewhere in between.  To do a trace route in a DOS prompt, type (no quotes) "tracert www.example.com" where you put your domain in place of www.example.com.

Author

Commented:
I get three stars and then request time out.  It has 11 of these lines so far.  I also get the same result when trying to trace route for www.microsoft.com and www.google.com, but I can access their websites with IE.

Author

Commented:
Incidentally I have also tried with Google Chrome but get the same issue.

Can you ping the webserver by IP address?  (I'm guessing not, but just making sure that it's not a DNS issue.)

I'm guessing your setup is as follows: Internet -> PIX firewall -> SBS 2008.  Is it possible to test connecting to the website from a computer placed behind the PIX firewall but not the SBS 2008 server?  That'll help eliminate if it's something on the SBS2008 server.

Also, I believe the PIX firewall allows you to issue a ping command.  Can you ping your website from the PIX firewall (either by IP or domain)?

Author

Commented:
Hi, Ping by IP resolves the domain name, so not a DNS issue.  I have checked the firewall and it is an ASA 5505, not sure if this makes a fundamental difference.  Traceroute also not working.

Outside of the domain but behind the firewall we still cannot connect to the site and the ping also times out.

We do have a primary firewall that we do not have access to that is provided by our office providers?  Could this be causing the problem?  Is there a way to check this?  I guess the traceroute should have picked this up if it was working.

If I'm following correctly, your setup is as follows:
Internet -> Firewall (which you have no access to) -> Domain

I agree about it not being a DNS issue.  Since you got all stars for the traceroute, I'm going to guess it's the firewall that is the issue.  If there's a way to plug a computer directly into the internet connection on the other side of the firewall, you could confirm that but since you don't have access to the firewall, I'm guessing that's not possible.  I'm not familiar with the ASA 5505.  Looking at Cisco's product sheet (http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html), it looks like you need a higher model to get some of the automatic security features, but perhaps I'm just looking at it wrong.

I think there are two options here... One, if the firewall automatically blocked the site, it's possible it will unblock it at some later date... I don't know how long that is though.  The second option is to contact the person that does have access to the firewall and see if they can put in an exception.

Author

Commented:
The setup is slightly more complicated as we work in serviced offices -->

Internet -> Office Provider Firewall ->  ASA 5505 -> Domain

I am checking with the office provider that they have not black listed the site.   Because of the first firewall, it is not possible to bypass that but I will try with bypassing the ASA.  Did a reboot of the domain controller (and ISA) but that did not work either.

Author

Commented:
Our office provider confirms that they can access the site from behind their firewall, they can also see the request going through the firewall when I browse to the site from behind our firewall.  So from that we can tell that the office provider firewall is not blocking the request or the response and we know that our ASA box is not blocking the request at least...

Just to make sure I'm keeping on track here.

You can access the site from a different internet connection
Your office provider can access the site from behind their firewall
You can't access the site from behind the ASA 5505
You can't access the site from behind the domain

That leads me to believe that the ASA 5505 is somehow blocking the site since the breakdown point is between the ASA 5505 and the firewall.  I don't know much about firewall content blocking, but my guess is that your request is going out to the website and then getting blocked coming back in based on IP address.

If possible, I'd look into what content blocking options you have on the ASA 5505 and see if there's anywhere you can whitelist an IP address.

Author

Commented:
Yes, that is the case.  I have someone looking at the ASA but he says there is no black or white list.

Author

Commented:
My Cisco guy has given up, he says that this is a software issue and the ASA box is working fine. We don't use a proxy so it can't be that... Arghhh!

I guess the only way to prove it is the ASA box would be to temporarily remove the firewall and see if things work.  You'll want to make sure Windows Firewall is running on the domain server.  That being said, this step should really be unnecessary since you can clearly access the site from outside of the ASA box but can't access it from inside the ASA box.

Unfortunately, I don't know anything about the ASA specifically, just a little bit about firewalls in general so I can't help you with settings, etc.

Author

Commented:
Unfortunately I can't justify the cost and risk to do this for just one website, so I think my only real option is to move the site to another host with a different IP... Thanks for your assistance.

Author

Commented:
I've been off for a week and on my return the site is now visible from inside the network.  All I can think is that it was on a temporary black list of some sort.  Thanks for the assistance.
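
The elimination carried out across this thread, as an added example that is not part of the original posts: ICMP ping and tracert timed out even for sites that loaded fine in the browser, so a TCP connect to port 80 run from each vantage point is the more telling test. The hop labels, function names and the `THREAD_RESULTS` table (a transcription of what the posters reported) are assumptions made for illustration.

```python
import socket

# Vantage points from the thread, outermost first (labels are assumptions).
PATH = ["internet", "office-provider-firewall", "asa-5505", "domain"]

# Constructed from the observations reported in the thread, not measured here.
THREAD_RESULTS = {"internet": "open", "office-provider-firewall": "open",
                  "asa-5505": "timeout", "domain": "timeout"}

def probe(host, port=80, timeout=5.0):
    """TCP-connect to host:port and classify the outcome as (verdict, detail)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns-failure", str(exc)       # name did not resolve
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
        except socket.timeout:
            return "timeout", addr[0]        # packets silently dropped on the path
        except ConnectionRefusedError:
            return "refused", addr[0]        # host reached, nothing listening
        except OSError as exc:
            return "unreachable", str(exc)   # e.g. no route to host
    return "open", addr[0]

def first_failing_hop(results, path=PATH):
    """Return (first failing vantage point, last working one before it).

    The device to inspect sits between the two; untested hops are skipped.
    """
    last_ok = None
    for hop in path:
        if hop not in results:
            continue
        if results[hop] != "open":
            return hop, last_ok
        last_ok = hop
    return None, last_ok

if __name__ == "__main__":
    # Run this from each vantage point and record the verdict per hop.
    print(probe("www.example.com"))
    print(first_failing_hop(THREAD_RESULTS))
```

A `timeout` verdict means the connection attempt was dropped without any reply, which is what a filtering device typically produces; `refused` would instead show that the server was reached.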
