How to prevent Jablay Crew to hack a webserver?

Posted on 2010-08-30
Last Modified: 2012-06-21
One of my customer have his website hosted on a Windows server (hosting company), they get hacked by Jablay Crew (massmailer).

Jablay Crew team was able to upload 3 files one that contain massmailing script, the website don't have any form, no DB or no upload script. So i'm wondering how they upload file to the website directory?

Is this a server security hole or the crew just bruteforce FTP username and pw?

Any suggestion or solution to fix the problem is welcome

Question by:lenamtl
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

shalabhsharma earned 500 total points
ID: 33563991
Scan the server for the presence of any kind of backdoor/trojans/bots/rootkits.

The log information is needed/important to analyse on the exploit/vulnerability used by the intruder to penetrate your server so we can advise you accordingly on fixing the vulnerability. The log is also important to trace the intruder's IP address.

For IIS 6.0, you can retrieve the log at this directory:


If it is some of the website you have to check thier FTP logs

Apply latest service packs and patches fro your Server.

Forbid the web server from running system commands commonly used in a compromise

(e.g., cmd.exe and tftp.exe).

Check the Server main Drive priviliges on it it has only system,administrator full priviliges.
Check the FTP logs.

Forbid the web server from running system commands commonly used in a compromise

(e.g., cmd.exe and tftp.exe).

Forbid the web server from running system commands commonly used in a compromise

(e.g., cmd.exe and tftp.exe).

Install IIS Lockdown can be downloaded at:

Note: If some applications requires these services which had been previously removed by lockdown, the setup can be restored by having the undo files located at n32inetsrv\oblt-log can be used to recover previous settings.

Use URLScan to filter HTTP requests Many IIS exploits, the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks.

The URLScan filter can be configured to reject such requests before the server attempts to process them. The URLScan filter can be downloaded separately from

Microsoft at URLScan Filter:

 If you use third-party add-ons such as ColdFusion, PerlIIS, or PHP, please check the third-party vendors' web sites for patches and configuration tips as well. Microsoft does not include third-party patches in Windows Update and check the third-party vendors' web sites for patches and configuration tips as well. Microsoft does not include third-party patches in Windows Update and related update services.
LVL 25

Author Comment

ID: 33569824

I don't have access to this server this site is hosted by a webhosting company not on a private server.

I have ask them if the server was updated recently and secure, they told me this is uptodate.
They said that this intrusion was probably made by brute force ftp pw
I think this is maybe happening through a server security hole too.

They only suggest to change the FTP password...
Is this better to switch on Linux server, these are more secure? or just changing the FTP password will be enough?

What do you think?

Expert Comment

ID: 33573021
It is time to change hosting providers.  

Linux server vs windows server is really not that important if they cannot secure either one.  The problem with shared hosting, as it is cheaper but if someone else creates a site using SQL or sloppy programming then it can leave the server open to holes.  

I would switch to Dreamhost which is reliable and secure I have never had any issues with them.  Also cpanel which is used by a lot of sites such as 1and1 has been found to open up security issues.  Although they can be fixed with patches and updates sometimes not quick enough.  
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.


Expert Comment

ID: 33573606
If your hosting provider is not sble to provide the solution either they have to accept that their is some security loops on their server or provide the appropriate logs that  intruder gained the access by your FTP if they fails to provide any proof  than its the time to change the host.


Expert Comment

ID: 33578658
is your site working in php ? if yes... disable the allow_url_fopen will help you out :)
LVL 25

Author Closing Comment

ID: 33602780
I have recontacted the hosting company and I will see if they can provide me some FTP logs.


Featured Post

Get MySQL database support online, now!

At Percona’s web store you can order your MySQL database support needs in minutes. No hassles, no fuss, just pick and click. Pay online with a credit card.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question