
How to prevent Jablay Crew to hack a webserver?

Posted on 2010-08-30
Last Modified: 2012-06-21
One of my customers has his website hosted on a Windows server (hosting company); they got hacked by Jablay Crew (mass mailer).

The Jablay Crew team was able to upload 3 files, one of which contains a mass-mailing script. The website doesn't have any form, no DB and no upload script, so I'm wondering how they uploaded files to the website directory?

Is this a server security hole, or did the crew just brute-force the FTP username and password?

Any suggestion or solution to fix the problem is welcome.

Thanks
Question by:lenamtl

Accepted Solution

by: shalabhsharma (earned 500 total points)
ID: 33563991
Scan the server for the presence of any kind of backdoors, trojans, bots or rootkits.

The log information is needed to analyse the exploit/vulnerability the intruder used to penetrate your server, so we can advise you accordingly on fixing it. The log is also important for tracing the intruder's IP address.

For IIS 6.0, you can retrieve the log from this directory:

?:\winnt\system32\logfiles\w3svc1

If it is only some of the websites, you have to check their FTP logs.

Apply the latest service packs and patches for your server.

Forbid the web server from running system commands commonly used in a compromise (e.g., cmd.exe and tftp.exe).

Check the server's main drive privileges: only SYSTEM and Administrators should have full privileges on it.

Check the FTP logs.

Install IIS Lockdown, which can be downloaded at:

http://www.microsoft.com/technet/security/tools/locktool.mspx

Note: If some application requires services that were removed by Lockdown, the previous settings can be restored with the undo files located at n32inetsrv\oblt-log.

Use URLScan to filter HTTP requests. Many IIS exploits, such as the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks.

The URLScan filter can be configured to reject such requests before the server attempts to process them. The URLScan filter can be downloaded separately from Microsoft at URLScan Filter:

http://www.microsoft.com/technet/security/tools/urlscan.asp

If you use third-party add-ons such as ColdFusion, PerlIIS or PHP, please check the third-party vendors' web sites for patches and configuration tips as well. Microsoft does not include third-party patches in Windows Update and related update services.
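The log review shalabhsharma describes above, as an added example that is not part of the original thread: a small Python script that reads IIS 6 W3C extended logs (the w3svc1 directory mentioned above plus the matching FTP log) and flags an FTP brute force, the files created during the attacker's session, and the HTTP requests that later invoked them. Everything in the sample logs (addresses, the user name "customer", the three file names) is constructed for illustration; the "[n]PASS", "[n]created" and "[n]sent" method spellings and the 230/530/226 status codes are assumed here to follow IIS 6 FTP logging conventions, so check them against the real #Fields header and a few real lines before trusting the counts.

```python
"""Triage IIS 6 W3C logs: FTP brute force, files dropped, web hits on them.

Added example, not from the thread.  Sample log lines below are constructed;
field names come from each log's own '#Fields:' header, so the parser adapts
to whichever columns the hosting company actually enabled.
"""
from collections import defaultdict


def parse_w3c(text):
    """Parse a W3C extended log into a list of dicts keyed by field name."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # a log may switch fields mid-file
            continue
        if line.startswith("#"):
            continue                        # #Software, #Version, #Date
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # truncated or foreign line: skip it
        rows.append(dict(zip(fields, values)))
    return rows


def ftp_bruteforce(rows, threshold=10):
    """{ip: (failed PASS count, time of first 230)} for IPs that failed at
    least `threshold` logins (530) before one succeeded (230)."""
    failed, found = defaultdict(int), {}
    for r in rows:
        if not r.get("cs-method", "").endswith("PASS"):   # IIS logs '[n]PASS'
            continue
        ip, status = r.get("c-ip", "?"), r.get("sc-status")
        if status == "530":
            failed[ip] += 1
        elif status == "230" and failed[ip] >= threshold and ip not in found:
            found[ip] = (failed[ip], r["date"] + " " + r["time"])
    return found


def ftp_uploads(rows):
    """(time, ip, user, path) for every file written over FTP.  IIS 6 logs a
    finished upload as '[n]created <file>' 226; 'STOR' is matched as well."""
    out = []
    for r in rows:
        method = r.get("cs-method", "").lower()
        if (method.endswith("created") or method.endswith("stor")) \
                and r.get("sc-status", "").startswith("2"):
            out.append((r["date"] + " " + r["time"], r.get("c-ip"),
                        r.get("cs-username"), r.get("cs-uri-stem")))
    return out


def web_hits(rows, uploaded_paths):
    """HTTP requests whose target file name matches an uploaded file: who
    drove the mailer, from where, and when, after the drop."""
    names = {p.rsplit("/", 1)[-1].lower() for p in uploaded_paths}
    return [(r["date"] + " " + r["time"], r.get("c-ip"), r.get("cs-method"),
             r.get("cs-uri-stem"), r.get("sc-status"))
            for r in rows
            if r.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower() in names]


def triage(ftp_text, web_text):
    """Run the three checks over one FTP log and one web log."""
    ftp, web = parse_w3c(ftp_text), parse_w3c(web_text)
    uploads = ftp_uploads(ftp)
    return {"bruteforce": ftp_bruteforce(ftp), "uploads": uploads,
            "hits": web_hits(web, [u[3] for u in uploads])}


# ---- constructed sample logs (not real data) --------------------------------
_FAILED = "\n".join(
    f"2010-08-28 03:10:{s:02d} 203.0.113.7 customer [1]PASS - 530 1326"
    for s in range(1, 13))                           # 12 wrong passwords
FTP_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-08-27 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2010-08-27 09:00:00 198.51.100.5 customer [1]USER customer 331 0
2010-08-27 09:00:00 198.51.100.5 customer [1]PASS - 230 0
2010-08-27 09:00:05 198.51.100.5 customer [1]sent index.html 226 0
2010-08-28 03:10:00 203.0.113.7 customer [1]USER customer 331 0
{_FAILED}
2010-08-28 03:10:13 203.0.113.7 customer [1]PASS - 230 0
2010-08-28 03:10:20 203.0.113.7 customer [1]created mailer.php 226 0
2010-08-28 03:10:21 203.0.113.7 customer [1]created list.txt 226 0
2010-08-28 03:10:22 203.0.113.7 customer [1]created cfg.php 226 0
2010-08-28 03:10:30 203.0.113.7 customer [1]QUIT - 221 0
"""
WEB_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-08-28 03:12:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-08-28 03:12:05 192.0.2.10 GET /index.html - 80 - 198.51.100.9 Mozilla/4.0 200 0 0
2010-08-28 03:12:40 192.0.2.10 POST /mailer.php - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2010-08-28 03:13:02 192.0.2.10 POST /mailer.php - 80 - 203.0.113.8 Mozilla/4.0 200 0 0
"""

if __name__ == "__main__":
    for key, value in triage(FTP_LOG, WEB_LOG).items():
        print(key, value)
```

Ask the host for both the W3SVC and FTP logs covering the window around the three files' timestamps. A burst of 530 responses followed by a 230 from the same address, then "created" entries for exactly those files, supports the host's brute-force explanation and tells you which password was guessed. If the files appear in the web log (or on disk) with no FTP "created" entries at all, they arrived some other way, and changing the FTP password alone will not close that hole.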

Author Comment

by: lenamtl
ID: 33569824
Hi,

I don't have access to this server; this site is hosted by a web hosting company, not on a private server.

I asked them if the server was updated recently and secure; they told me it is up to date.
They said that this intrusion was probably made by brute-forcing the FTP password.
I think this may be happening through a server security hole too.

They only suggest changing the FTP password...
Is it better to switch to a Linux server; are these more secure? Or will just changing the FTP password be enough?

What do you think?

Expert Comment

by: LaVaism
ID: 33573021
It is time to change hosting providers.

Linux server vs. Windows server is really not that important if they cannot secure either one. The problem with shared hosting is that it is cheaper, but if someone else creates a site using SQL or sloppy programming, it can leave the server open to holes.

I would switch to Dreamhost, which is reliable and secure; I have never had any issues with them. Also, cPanel, which is used by a lot of sites such as 1and1, has been found to open up security issues. Although they can be fixed with patches and updates, sometimes that is not quick enough.

Expert Comment

by: shalabhsharma
ID: 33573606
If your hosting provider is not able to provide the solution, either they have to accept that there are some security loopholes on their server, or they have to provide the appropriate logs showing that the intruder gained access via your FTP. If they fail to provide any proof, then it is time to change the host.

Expert Comment

by: simoesp
ID: 33578658
Is your site running on PHP? If yes... disabling allow_url_fopen will help you out :)

Author Closing Comment

by: lenamtl
ID: 33602780
I have recontacted the hosting company and will see if they can provide me some FTP logs.

Thanks