Solved

How to prevent Jablay Crew to hack a webserver?

Posted on 2010-08-30
6
640 Views
Last Modified: 2012-06-21
One of my customers has his website hosted on a Windows server (hosting company); it got hacked by Jablay Crew (massmailer).

The Jablay Crew team was able to upload 3 files, one of which contains a massmailing script. The website doesn't have any form, no DB and no upload script, so I'm wondering how they uploaded files to the website directory?

Is this a server security hole, or did the crew just brute-force the FTP username and password?

Any suggestion or solution to fix the problem is welcome.

Thanks
0
Question by:lenamtl
6 Comments
 
LVL 9

Accepted Solution

by:
shalabhsharma earned 500 total points
ID: 33563991
Scan the server for the presence of any kind of backdoor/trojans/bots/rootkits.

The log information is needed/important to analyse on the exploit/vulnerability used by the intruder to penetrate your server so we can advise you accordingly on fixing the vulnerability. The log is also important to trace the intruder's IP address.

For IIS 6.0, you can retrieve the log at this directory:

?:\winnt\system32\logfiles\w3svc1

If it is only some of the websites, you have to check their FTP logs.

Apply the latest service packs and patches for your server.

Forbid the web server from running system commands commonly used in a compromise

(e.g., cmd.exe and tftp.exe).

Check the server's main drive privileges: only System and Administrator should have full privileges on it.
Check the FTP logs.

Install IIS Lockdown, which can be downloaded at:


http://www.microsoft.com/technet/security/tools/locktool.mspx
 

Note: If some applications require these services which had been previously removed by Lockdown, the setup can be restored using the undo files located at n32inetsrv\oblt-log to recover the previous settings.

Use URLScan to filter HTTP requests. Many IIS exploits, such as the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks.

The URLScan filter can be configured to reject such requests before the server attempts to process them. The URLScan filter can be downloaded separately from

Microsoft at URLScan Filter:

http://www.microsoft.com/technet/security/tools/urlscan.asp

If you use third-party add-ons such as ColdFusion, PerlIIS, or PHP, please check the third-party vendors' web sites for patches and configuration tips as well. Microsoft does not include third-party patches in Windows Update and related update services.
0
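The accepted answer's core advice is to get the IIS and FTP logs and read them for evidence of how the files arrived. The following is an added example, not code from the thread or from any of the posters, showing what that triage looks like over a handful of constructed IIS 6 / Microsoft FTP Service log lines in W3C format. The field order, the client IPs, the file name `mailer.php` and the failed-login threshold of 5 are all assumptions made for the example; a real server's `#Fields:` header decides the field order.

```python
"""Triage of constructed IIS 6 web and MS FTP Service W3C-style log lines.

Two questions from the thread are answered from the logs:
  1. Was it an FTP brute force?  Count 530 (login failed) responses per client
     IP and note whether the same IP later got a 230 (login OK).
  2. How did the files get there?  List FTP "created" entries (uploads) and,
     on a site with no forms or upload script, any non-GET/HEAD web request.
All log lines below are constructed for this example, not real server logs.
"""
from collections import defaultdict

# Assumed field order for the constructed lines (W3C extended log format).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status"]

# Constructed FTP log: one IP fails six times then succeeds and uploads a file;
# a second IP mistypes the password once and then logs in (normal user).
FTP_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2010-08-28 02:11:01 203.0.113.7 [1]USER webuser 331
2010-08-28 02:11:01 203.0.113.7 [1]PASS - 530
2010-08-28 02:11:02 203.0.113.7 [2]USER webuser 331
2010-08-28 02:11:02 203.0.113.7 [2]PASS - 530
2010-08-28 02:11:03 203.0.113.7 [3]USER webuser 331
2010-08-28 02:11:03 203.0.113.7 [3]PASS - 530
2010-08-28 02:11:04 203.0.113.7 [4]USER webuser 331
2010-08-28 02:11:04 203.0.113.7 [4]PASS - 530
2010-08-28 02:11:05 203.0.113.7 [5]USER webuser 331
2010-08-28 02:11:05 203.0.113.7 [5]PASS - 530
2010-08-28 02:11:06 203.0.113.7 [6]USER webuser 331
2010-08-28 02:11:06 203.0.113.7 [6]PASS - 530
2010-08-28 02:11:07 203.0.113.7 [7]USER webuser 331
2010-08-28 02:11:07 203.0.113.7 [7]PASS - 230
2010-08-28 02:11:09 203.0.113.7 [7]created mailer.php 226
2010-08-28 09:30:12 198.51.100.4 [8]USER webuser 331
2010-08-28 09:30:12 198.51.100.4 [8]PASS - 530
2010-08-28 09:30:20 198.51.100.4 [9]USER webuser 331
2010-08-28 09:30:20 198.51.100.4 [9]PASS - 230
"""

# Constructed web log for a static site: the uploaded script is then exercised.
WEB_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2010-08-28 02:15:40 203.0.113.7 GET /index.html 200
2010-08-28 02:15:41 203.0.113.7 GET /mailer.php 200
2010-08-28 02:15:42 203.0.113.7 POST /mailer.php 200
2010-08-28 02:16:10 192.0.2.55 PROPFIND /images/ 207
2010-08-28 03:00:00 198.51.100.9 GET /about.html 200
"""


def parse_w3c(text, fields=FIELDS):
    """Turn W3C log text into dicts; '#' directive lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real tool would count these
        rows.append(dict(zip(fields, parts)))
    return rows


def ftp_bruteforce(rows, threshold=5):
    """Map IP -> (failed PASS count, logged in afterwards?) for IPs at/over threshold."""
    failed = defaultdict(int)
    success_after = defaultdict(bool)
    for r in rows:
        if not r["cs-method"].endswith("PASS"):
            continue
        ip = r["c-ip"]
        if r["sc-status"] == "530":
            failed[ip] += 1
        elif r["sc-status"] == "230" and failed[ip] > 0:
            success_after[ip] = True
    return {ip: (n, success_after[ip]) for ip, n in failed.items() if n >= threshold}


def ftp_uploads(rows):
    """(ip, file) for every FTP 'created' entry, i.e. a file written to the site."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in rows if r["cs-method"].endswith("created")]


def suspicious_web_requests(rows, allowed=("GET", "HEAD")):
    """On a site with no forms, any other method (POST, PUT, MOVE, PROPFIND...) needs a look."""
    return [r for r in rows if r["cs-method"].upper() not in allowed]


if __name__ == "__main__":
    ftp = parse_w3c(FTP_LOG)
    web = parse_w3c(WEB_LOG)
    print("FTP brute-force candidates:", ftp_bruteforce(ftp))
    print("FTP uploads:", ftp_uploads(ftp))
    for r in suspicious_web_requests(web):
        print("Web:", r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
```

With the constructed data, the brute-force check names 203.0.113.7 (6 failures, then success), the upload check ties that same IP to `mailer.php`, and the web check shows the script being called with POST afterwards. That chain (failed logins, success, upload, execution, all from one address) is exactly the proof the thread asks the hosting provider for; the same three checks run unchanged over a real log once the `#Fields:` header is matched.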
 
LVL 24

Author Comment

by:lenamtl
ID: 33569824
Hi,

I don't have access to this server; this site is hosted by a webhosting company, not on a private server.

I have asked them if the server was updated recently and secure; they told me it is up to date.
They said that this intrusion was probably made by brute-forcing the FTP password.
I think this may be happening through a server security hole too.

They only suggest changing the FTP password...
Is it better to switch to a Linux server; are these more secure? Or will just changing the FTP password be enough?

What do you think?
0
 
LVL 1

Expert Comment

by:LaVaism
ID: 33573021
It is time to change hosting providers.  

Linux server vs. Windows server is really not that important if they cannot secure either one. The problem with shared hosting is that it is cheaper, but if someone else creates a site using SQL or sloppy programming, then it can leave the server open to holes.

I would switch to Dreamhost, which is reliable and secure; I have never had any issues with them. Also cPanel, which is used by a lot of sites such as 1and1, has been found to open up security issues. Although they can be fixed with patches and updates, sometimes not quickly enough.
0
 
LVL 9

Expert Comment

by:shalabhsharma
ID: 33573606
If your hosting provider is not able to provide the solution, either they have to accept that there are some security loopholes on their server or provide the appropriate logs showing that the intruder gained access via your FTP. If they fail to provide any proof, then it's time to change the host.
0
 
LVL 3

Expert Comment

by:simoesp
ID: 33578658
Is your site running PHP? If yes... disabling allow_url_fopen will help you out :)
0
 
LVL 24

Author Closing Comment

by:lenamtl
ID: 33602780
I have recontacted the hosting company and will see if they can provide me some FTP logs.

Thanks
 
0
