How to prevent Jablay Crew to hack a webserver?

Posted on 2010-08-30
Medium Priority
Last Modified: 2012-06-21
One of my customers has his website hosted on a Windows server (hosting company); they got hacked by Jablay Crew (massmailer).

The Jablay Crew team was able to upload 3 files, one of which contains a massmailing script. The website doesn't have any form, no DB and no upload script. So I'm wondering how they uploaded files to the website directory?

Is this a server security hole, or did the crew just brute-force the FTP username and password?

Any suggestion or solution to fix the problem is welcome.

Question by:lenamtl

Accepted Solution

shalabhsharma earned 2000 total points
ID: 33563991
Scan the server for the presence of any kind of backdoor/trojans/bots/rootkits.

The log information is needed/important to analyse on the exploit/vulnerability used by the intruder to penetrate your server so we can advise you accordingly on fixing the vulnerability. The log is also important to trace the intruder's IP address.

For IIS 6.0, you can retrieve the log at this directory:


If it is one of the websites, you have to check their FTP logs.

Apply the latest service packs and patches for your server.

Forbid the web server from running system commands commonly used in a compromise

(e.g., cmd.exe and tftp.exe).

Check the server's main drive privileges so that only System and Administrator have full privileges.
Check the FTP logs.

Install IIS Lockdown, which can be downloaded at:


Note: If some applications require services which had previously been removed by Lockdown, the setup can be restored: the undo files located at n32inetsrv\oblt-log can be used to recover the previous settings.

Use URLScan to filter HTTP requests. Many IIS exploits, including the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks.

The URLScan filter can be configured to reject such requests before the server attempts to process them. The URLScan filter can be downloaded separately from

Microsoft at URLScan Filter:


If you use third-party add-ons such as ColdFusion, PerlIIS, or PHP, please check the third-party vendors' web sites for patches and configuration tips as well. Microsoft does not include third-party patches in Windows Update and related update services.
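The answer above says the FTP logs are what settle the "brute force vs. server hole" question and identify the intruder's IP. The script below, added here as an example and not written by the answer's author, shows the triage a practitioner would run over such a log once the hosting company hands it over: it parses W3C extended format (the layout IIS writes), counts rejected FTP logins per source address, and lists every file created over FTP, flagging the ones with server-side script extensions. The `#Fields:` layout, the session-prefixed method names (`[4]created`), the status codes and the log lines themselves are constructed assumptions for the example; a real server's field set depends on its logging configuration, and the IPs are RFC 5737 documentation addresses.

```python
"""Triage an IIS-style FTP log for two questions: was the account
brute-forced, and which files did the intruder upload?
Example code added for this page; log format and sample data are assumptions."""
import os
from collections import Counter

# Extensions that mean an uploaded file can execute server-side. On a
# static site with no forms or upload script these are the first suspects.
SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx", ".cgi", ".pl", ".exe"}

# Constructed sample log, modelled on the W3C extended format IIS 6 writes.
# One address fails three times, then logs in and drops a mailer script;
# a second address is the legitimate owner updating the site later that day.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-08-28 02:11:03
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2010-08-28 02:11:03 198.51.100.7 hostuser [1]USER hostuser 331
2010-08-28 02:11:03 198.51.100.7 hostuser [1]PASS - 530
2010-08-28 02:11:04 198.51.100.7 hostuser [2]USER hostuser 331
2010-08-28 02:11:04 198.51.100.7 hostuser [2]PASS - 530
2010-08-28 02:11:05 198.51.100.7 hostuser [3]USER hostuser 331
2010-08-28 02:11:05 198.51.100.7 hostuser [3]PASS - 530
2010-08-28 02:11:06 198.51.100.7 hostuser [4]USER hostuser 331
2010-08-28 02:11:06 198.51.100.7 hostuser [4]PASS - 230
2010-08-28 02:11:09 198.51.100.7 hostuser [4]created mailer.php 226
2010-08-28 02:11:10 198.51.100.7 hostuser [4]created list.txt 226
2010-08-28 02:11:11 198.51.100.7 hostuser [4]QUIT - 226
2010-08-28 09:30:01 203.0.113.5 hostuser [5]USER hostuser 331
2010-08-28 09:30:01 203.0.113.5 hostuser [5]PASS - 230
2010-08-28 09:30:20 203.0.113.5 hostuser [5]created index.html 226
2010-08-28 09:30:21 203.0.113.5 hostuser [5]QUIT - 226
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names declared in
    the most recent '#Fields:' directive. Other '#' directives are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than guess
        rows.append(dict(zip(fields, values)))
    return rows


def ftp_command(row):
    """'[4]created' -> 'created' (assumed IIS session-id prefix on cs-method)."""
    method = row.get("cs-method", "")
    return method.split("]", 1)[1] if "]" in method else method


def failed_logins_per_ip(rows, threshold=3):
    """Source IPs whose PASS command was rejected (530) at least `threshold`
    times: the pattern a brute-forced FTP password would leave behind."""
    counts = Counter(r["c-ip"] for r in rows
                     if ftp_command(r) == "PASS" and r["sc-status"] == "530")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def uploads(rows):
    """Every file written to the server over FTP: when, by whom, from where."""
    return [{"time": r["date"] + " " + r["time"], "ip": r["c-ip"],
             "user": r["cs-username"], "file": r["cs-uri-stem"]}
            for r in rows if ftp_command(r) == "created"]


def script_uploads(rows):
    """Uploads whose extension makes them executable server-side."""
    return [u for u in uploads(rows)
            if os.path.splitext(u["file"])[1].lower() in SCRIPT_EXTENSIONS]


def triage(text, threshold=3):
    """Summary answering the thread's questions from the log alone."""
    rows = parse_w3c(text)
    brute = failed_logins_per_ip(rows, threshold)
    return {
        "bruteforce_ips": brute,
        "script_uploads": script_uploads(rows),
        "uploads_from_bruteforce_ips": [u for u in uploads(rows) if u["ip"] in brute],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, the triage attributes both the failed logins and the `mailer.php` upload to the same address, which is the kind of evidence that would support the hosting company's brute-force theory; a script upload from an address with no failed logins, or no FTP upload at all for a file that appeared on disk, would instead point at the server-side hole the asker suspects. The threshold is deliberately a parameter: real brute-force runs produce hundreds of 530s, and a legitimate user mistyping a password should not trip it.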
LVL 27

Author Comment

ID: 33569824

I don't have access to this server; this site is hosted by a web hosting company, not on a private server.

I have asked them if the server was updated recently and secure; they told me it is up to date.
They said that this intrusion was probably made by brute-forcing the FTP password.
I think this is maybe happening through a server security hole too.

They only suggest changing the FTP password...
Is it better to switch to a Linux server, are these more secure? Or will just changing the FTP password be enough?

What do you think?

Expert Comment

ID: 33573021
It is time to change hosting providers.  

Linux server vs. Windows server is really not that important if they cannot secure either one. The problem with shared hosting is that, while it is cheaper, if someone else creates a site using SQL or sloppy programming then it can leave the server open to holes.

I would switch to Dreamhost, which is reliable and secure; I have never had any issues with them. Also, cPanel, which is used by a lot of sites such as 1and1, has been found to open up security issues. Although they can be fixed with patches and updates, sometimes not quickly enough.
Expert Comment

ID: 33573606
If your hosting provider is not able to provide the solution, either they have to accept that there are some security loops on their server, or provide the appropriate logs showing that the intruder gained access by your FTP. If they fail to provide any proof, then it's time to change the host.


Expert Comment

ID: 33578658
Is your site working in PHP? If yes, disabling allow_url_fopen will help you out :)
LVL 27

Author Closing Comment

ID: 33602780
I have recontacted the hosting company and I will see if they can provide me some FTP logs.

