
Solved

How to prevent Jablay Crew to hack a webserver?

Posted on 2010-08-30
Last Modified: 2012-06-21
One of my customers has his website hosted on a Windows server (hosting company); they got hacked by Jablay Crew (massmailer).

The Jablay Crew team was able to upload 3 files, one of which contains a massmailing script. The website doesn't have any form, no DB and no upload script. So I'm wondering how they uploaded files to the website directory?

Is this a server security hole, or did the crew just bruteforce the FTP username and pw?

Any suggestion or solution to fix the problem is welcome

Thanks
Question by:lenamtl
LVL 9

Accepted Solution

by:
shalabhsharma earned 2000 total points
ID: 33563991
Scan the server for the presence of any kind of backdoor/trojans/bots/rootkits.

The log information is needed/important to analyse the exploit/vulnerability used by the intruder to penetrate your server, so we can advise you accordingly on fixing the vulnerability. The log is also important to trace the intruder's IP address.

For IIS 6.0, you can retrieve the log at this directory:

?:\winnt\system32\logfiles\w3svc1

If it is one of the websites, you have to check their FTP logs.

Apply the latest service packs and patches for your server.

Forbid the web server from running system commands commonly used in a compromise (e.g., cmd.exe and tftp.exe).

Check the server's main drive privileges, so that only System and Administrator have full privileges.
Check the FTP logs.


Install IIS Lockdown, which can be downloaded at:

http://www.microsoft.com/technet/security/tools/locktool.mspx

Note: If some applications require services which had been previously removed by Lockdown, the setup can be restored using the undo files located at n32inetsrv\oblt-log to recover the previous settings.

Use URLScan to filter HTTP requests. Many IIS exploits, such as the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks.

The URLScan filter can be configured to reject such requests before the server attempts to process them. The URLScan filter can be downloaded separately from Microsoft at URLScan Filter:

http://www.microsoft.com/technet/security/tools/urlscan.asp

If you use third-party add-ons such as ColdFusion, PerlIIS, or PHP, please check the third-party vendors' web sites for patches and configuration tips as well. Microsoft does not include third-party patches in Windows Update and related update services.
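The accepted answer's advice to pull the W3SVC and FTP logs and work out whether the intruder got in by brute-forcing the FTP password or by another route can be turned into a small triage script. The following is an added example, not code from the original answer; it assumes IIS's W3C extended log format with a #Fields header (the same layout for web and FTP logs; the [n] session prefix on FTP methods is an assumption about the IIS 6 FTP log) and runs against a constructed sample log.

```python
import re
from collections import Counter

# Constructed sample log in IIS's W3C extended format; the [n] session prefix
# on the FTP cs-method field is an assumption about the IIS 6 FTP log layout.
SAMPLE_FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2010-08-28 01:00:01 203.0.113.5 example [1]PASS - 530
2010-08-28 01:00:02 203.0.113.5 example [2]PASS - 530
2010-08-28 01:00:03 203.0.113.5 example [3]PASS - 530
2010-08-28 01:00:04 203.0.113.5 example [4]PASS - 530
2010-08-28 01:00:05 203.0.113.5 example [5]PASS - 530
2010-08-28 01:00:06 203.0.113.5 example [6]PASS - 230
2010-08-28 01:00:09 203.0.113.5 example [6]created /httpdocs/mailer.php 226
2010-08-28 09:12:40 198.51.100.7 example [7]PASS - 230
2010-08-28 09:12:55 198.51.100.7 example [7]created /httpdocs/index.html 226
"""

UPLOAD_METHODS = {"CREATED", "STOR", "PUT"}   # FTP upload verbs and WebDAV PUT
METHOD_RE = re.compile(r"^(?:\[\d+\])?(\w+)$")  # drops the [n] session prefix

def parse_w3c(text):
    """Yield one dict per row keyed by the #Fields names (works for W3SVC and FTP logs)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text, threshold=5):
    """Count failed logins (PASS -> 530) per client IP and list successful uploads,
    marking an upload brute_forced when its IP had >= threshold earlier failures."""
    failures, uploads = Counter(), []
    for row in parse_w3c(text):
        m = METHOD_RE.match(row.get("cs-method", ""))
        method = m.group(1).upper() if m else ""
        status = row.get("sc-status", "")
        if method == "PASS" and status == "530":
            failures[row["c-ip"]] += 1
        elif method in UPLOAD_METHODS and status.startswith("2"):
            uploads.append({"ip": row["c-ip"], "user": row.get("cs-username", "-"),
                            "path": row.get("cs-uri-stem", "-"),
                            "brute_forced": failures[row["c-ip"]] >= threshold})
    return {"failed_logins": dict(failures), "uploads": uploads}

if __name__ == "__main__":
    for upload in triage(SAMPLE_FTP_LOG)["uploads"]:
        print(upload)
```

Point it at the real w3svc1 and FTP log files the answer names; an upload whose client IP shows a run of 530 failures just before is the evidence the hosting company should be asked for.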
LVL 26

Author Comment

by:lenamtl
ID: 33569824
Hi,

I don't have access to this server this site is hosted by a webhosting company not on a private server.

I have asked them if the server was updated recently and secure, and they told me it is up to date.
They said that this intrusion was probably made by brute forcing the FTP pw.
I think this is maybe happening through a server security hole too.

They only suggest changing the FTP password...
Is it better to switch to a Linux server, are these more secure? Or will just changing the FTP password be enough?

What do you think?
LVL 1

Expert Comment

by:LaVaism
ID: 33573021
It is time to change hosting providers.  

Linux server vs Windows server is really not that important if they cannot secure either one. The problem with shared hosting is that it is cheaper, but if someone else creates a site using SQL or sloppy programming then it can leave the server open to holes.

I would switch to Dreamhost, which is reliable and secure; I have never had any issues with them. Also cPanel, which is used by a lot of sites such as 1and1, has been found to open up security issues. Although they can be fixed with patches and updates, sometimes not quickly enough.
LVL 9

Expert Comment

by:shalabhsharma
ID: 33573606
If your hosting provider is not able to provide the solution, either they have to accept that there are some security loopholes on their server, or provide the appropriate logs showing that the intruder gained access via your FTP. If they fail to provide any proof, then it's time to change the host.

LVL 3

Expert Comment

by:simoesp
ID: 33578658
Is your site running on PHP? If yes... disabling allow_url_fopen will help you out :)
LVL 26

Author Closing Comment

by:lenamtl
ID: 33602780
I have recontacted the hosting company and I will see if they can provide me some FTP logs.

Thanks